Data Privacy

A Pennsylvania federal district court overseeing a multi-district litigation recently dismissed various privacy and wiretapping claims against two online retailers, finding that allegations of interception and disclosure of mere “browsing activity” on those retailers’ websites is not “sufficiently personal or private” to confer Article III standing. 

In In re: BPS Direct, LLC, and Cabela’s, LLC, Wiretapping Litigation, 2:23-cv-04008-MAK (E.D. Pa. Dec. 5, 2023), the district court consolidated six proposed class actions involving eight plaintiffs, with each alleging that BPS Direct, LLC and Cabela’s, LLC, who operate retail stores known as Bass Pro Shops and Cabela’s, unlawfully intercepted and disclosed their private information through the use of session replay software on their websites.  The district court dismissed most of the plaintiffs’ claims, holding that they failed to adequately allege a concrete harm sufficient to support Article III standing.Continue Reading Pennsylvania Multi-District Wiretapping Litigation Finds Website Users Lack Article III Standing

The Ninth Circuit recently upheld a California district court’s dismissal of a proposed class action against Shopify for lack of personal jurisdiction, cautioning that subjecting web-based platforms to jurisdiction in every forum in which they are accessible would lead to the “eventual demise of all restrictions” on personal jurisdiction.

In Briskin v. Shopify, Inc., 2022 WL 1427324 (N.D. Cal. May 5, 2022), the plaintiff alleged that Shopify, a Canadian-based company that provides online merchants throughout the United States with an e-commerce payment platform, violated California privacy and consumer protection laws by allegedly collecting his sensitive personal information while using a California-based retailer’s website.  The district court in the Northern District of California dismissed the action, finding that it lacked both general and specific personal jurisdiction over Shopify. 

A panel of the Ninth Circuit affirmed the district court’s dismissal of the complaint for lack of personal jurisdiction, holding that Shopify could not be subjected to jurisdiction in California where it did not expressly aim the alleged conduct implicated by the lawsuit toward California.  Briskin v. Shopify, Inc., 2023 WL 8225346 (9th Cir. Nov. 28, 2023).  Briskin confirms the Ninth Circuit’s view that for interactive websites and other web-based services and platforms that operate nationwide, “something more” is needed to satisfy the express aiming requirement for personal jurisdiction.Continue Reading Ninth Circuit Finds No Personal Jurisdiction in California Over Website

A California Superior Court recently certified a putative class action of California residents “who have used mobile devices running the Android operating system to access the internet through cellular data plans provided by mobile carriers.” See Order Concerning: (1) The Parties’ Expert Exclusion Motions; and (2) Plaintiffs’ Class Certification Motion, Csupo, et al. v. Alphabet

Only one claim survived dismissal in a recent putative class action lawsuit alleging that a pathology laboratory failed to safeguard patient data in a cyberattack.  See Order Granting Motion to Dismiss in Part, Thai v. Molecular Pathology Laboratory Network, Inc., No. 3:22-CV-315-KAC-DCP (E.D. Tenn. Sep. 29, 2023), ECF 38.Continue Reading All but One Claim in Pathology Lab Data Breach Class Action Tossed on Motion to Dismiss

A federal district court in the Northern District of California granted in part a motion to dismiss putative class action claims filed against Western Digital, a hard drive manufacturer whose older devices experienced a cyber-attack, where the plaintiffs alleged that their stored data was deleted but not that it was stolen.  While plaintiffs will be permitted to maintain claims related to the data loss, they lack standing to assert claims based on future data misuse.Continue Reading Federal Court Partially Dismisses Hacked Hard Drive Claims Where Plaintiffs Could Only Show Data Deletion, Not Theft

A significant recent decision by the Fourth Circuit confirms that arbitration agreements that contain class-action waiver provisions can be a powerful tool to defeat class certification.  In In re Marriott International, Inc., the Fourth Circuit observed that while “no court has had occasion to expressly hold as much,” the “consensus practice” of courts is to “resolve the import of waivers at the certification stage—before they certify a class, and usually as the first order of business.”  2023 WL 5313006, at *6 (4th Cir. Aug. 18, 2023).  The Fourth Circuit held that courts must address the implication of an arbitration clause containing a class-action waiver before, not after, a class is certified.  And because the district court in this case did not do so, the Fourth Circuit vacated the district court’s class certification ruling.  Id. at *1.Continue Reading Fourth Circuit Holds that the Enforceability of Arbitration Agreements Containing Class Waivers Must Be Resolved Before Class Certification

Last week, the Eleventh Circuit reversed in part and remanded an order certifying a class in a case arising from a data breach of Chili’s restaurants, Green-Cooper v. Brinker International, Inc., No. 21-13146, 2023 WL 4446420 (11th Cir. July 11, 2023).  The opinion clarifies the Eleventh Circuit’s view of when data breaches give rise to Article III standing.Continue Reading Eleventh Circuit Holds Having Payment Information Posted to Dark Web Establishes Standing in Data Breach Case, Remands Class Certification Order

A federal district court recently denied remand of a proposed class action against Twitter, Inc., rejecting plaintiff’s arguments, including that the removal was improper because his claim was limited to a “statutory damages remedy” that does not confer Article III standing under TransUnion LLC v. RamirezSee Order Denying Plaintiff’s Motion to Remand, Morgan v. Twitter, Inc., No. 2:22-cv-00122-MKD (E.D. Wash. May 5, 2023).Continue Reading Court Denies Remand of Privacy Suit, Finding Article III Standing Under TransUnion

A procedural violation of a state’s privacy statute is not alone enough to establish Article III standing—a plaintiff must suffer a concrete injury, such as an increased risk of identity theft.  The Fourth Circuit’s decision in O’Leary v. TrustedID, Inc., 2023 WL 2125996 (4th Cir. Feb. 21, 2023) confirms this—but also illustrates how Article III standing is a two-edged sword that may allow a plaintiff to defeat a defendant’s attempt to remove a case to federal court. 

The plaintiff in O’Leary filed a class action against TrustedID in South Carolina state court for allegedly violating South Carolina’s Financial Identity Fraud and Identity Theft Protection Act, S.C. Code Ann. § 37-20-180.  The statute prohibits requiring consumers to use six or more digits of their Social Security numbers to access a website without also requiring some other authentication measure.  The plaintiff alleged that TrustedID’s website required him to provide six digits of his Social Security number and did not have any other safety precautions, such as a password requirement.Continue Reading Fourth Circuit Remands Class Action to State Court After Plaintiff Questions His Own Standing

The Illinois Supreme Court recently held that all claims brought under the Biometric Information Privacy Act (“BIPA”) are subject to a five-year statute of limitations, partly overturning a lower court decision that had applied a one-year limitations period to some claims brought under the law.  See Tims v. Black Horse Carriers, Inc., 2023 IL 127801 (Feb. 2, 2023).

The plaintiff, Jorome Tims, filed a putative class action against his former employer, alleging that the trucking and logistics company violated BIPA by requiring its employees to use a time clock with a fingerprint scanner without (i) implementing a publicly available data retention and destruction policy; (ii) notifying employees and obtaining their consent when collecting their biometrics; and (iii) obtaining employee consent before disclosing their biometric information to third parties.  The defendant moved to dismiss the complaint, arguing that the plaintiff’s claims were barred by the one-year statute of limitations under the Illinois Code of Civil Procedure that governs actions for the “publication of matter[s] violating the right of privacy.”Continue Reading Illinois Supreme Court Holds Five-Year Statute of Limitations Applies to All Claims under BIPA