The Illinois Supreme Court has ruled that separate claims under the state’s Biometric Information Privacy Act (BIPA) accrue “with every scan or transmission” of a person’s biometric information—rejecting the idea that only a single claim accrues at the start of a series of similar scans or disclosures.

The decision, Cothron v. White Castle, substantially increases potential damages exposure for BIPA defendants.  The potential for large monetary awards is likely to spur more BIPA lawsuits in Illinois—and potentially beyond, as several other States have similar privacy laws taking effect in 2023.  At the same time, however, Cothron establishes that trial courts have discretion to determine the appropriate amount of statutory damages (subject to a $5,000-per-violation cap), and suggests that it would be an abuse of discretion for a trial court to permit such a sizeable award that a company’s financial viability would be threatened. 

Continue Reading New BIPA Claims Accrue “With Every Scan or Transmission” of Biometric Information, Says the Illinois Supreme Court  

A federal district court recently dismissed with prejudice a putative class action against the cryptocurrency exchange Coinbase, where the plaintiffs sought to hold the exchange liable for the sale of unregistered securities on behalf a nationwide class.  The court held that Coinbase neither directly sold the accused tokens to plaintiffs nor actively solicited their sale, and thus plaintiffs’ federal claims must be dismissed.  This decision has important implications for digital asset exchanges, which have faced a significant increase in class actions alleging the exchanges are themselves liable for the sale of unregistered securities.

Continue Reading Court Dismisses Class Action Seeking to Hold Cryptocurrency Exchange Coinbase Liable for Sale of Unregistered Securities

The Illinois Supreme Court recently held that all claims brought under the Biometric Information Privacy Act (“BIPA”) are subject to a five-year statute of limitations, partly overturning a lower court decision that had applied a one-year limitations period to some claims brought under the law.  See Tims v. Black Horse Carriers, Inc., 2023 IL 127801 (Feb. 2, 2023).

The plaintiff, Jorome Tims, filed a putative class action against his former employer, alleging that the trucking and logistics company violated BIPA by requiring its employees to use a time clock with a fingerprint scanner without (i) implementing a publicly available data retention and destruction policy; (ii) notifying employees and obtaining their consent when collecting their biometrics; and (iii) obtaining employee consent before disclosing their biometric information to third parties.  The defendant moved to dismiss the complaint, arguing that the plaintiff’s claims were barred by the one-year statute of limitations under the Illinois Code of Civil Procedure that governs actions for the “publication of matter[s] violating the right of privacy.”

Continue Reading Illinois Supreme Court Holds Five-Year Statute of Limitations Applies to All Claims under BIPA

A U.S. District Court Judge in California dismissed a putative class action asserting claims under section 637.7 of the California Invasion of Privacy Act (CIPA) in a case that could have useful implications for automotive and other device manufacturers whose products have the ability to track location.  Plaintiff claimed that a third-party company, Otonomo Inc., partnered with automobile manufacturers to use the telematics control units (TCUs) installed in their vehicles to track a driver’s location via GPS without the driver’s knowledge.  The Court rejected the claim, holding that because the TCU devices were built-in, rather than devices added to a vehicle, they were not “attached” to the car and thus did not fall within the statute’s definition of “electronic tracking device.”

Continue Reading Class Action Suit Brought Under CIPA Section 637.7 for Alleged Location-Based Tracking of Vehicles Is Dismissed

The Ninth Circuit recently held that the Children’s Online Privacy Protection Act, which gives the Federal Trade Commission  authority to regulate the online collection of personal information from children under the age of 13, does not preempt consistent state law, potentially increasing the risk of class action litigation based on alleged COPPA violations.  See Jones

An Alabama district court recently granted dismissal of a class action asserting Illinois Biometric Information Privacy Act (“BIPA”) claims brought by Illinois residents against ProctorU, Inc. in Thakkar v. ProctorU Inc., No. 2:21-cv-01565 (N.D. Ala.).  The district court concluded that a choice-of-law provision contained in the terms of service and which required the application of Alabama law precluded the application of BIPA to the conduct alleged.

Continue Reading Alabama Federal Court Finds Choice-of-Law Provision Bars BIPA Privacy Lawsuit Against Online Examination Company

In a recent decision, a federal judge granted summary judgment for the Securities and Exchange Commission (SEC) finding that the LBC cryptocurrency token qualifies as a security.  While the ruling is confined to this specific token, it represents a victory for the SEC’s assertions that many cryptocurrencies, including so called “utility tokens,” represent securities that need to be registered with the agency.  The Court also held that the makers of the LBC token, LBRY, Inc., had fair notice that the token was subject to the securities laws.  Considering the ongoing class actions and enforcement proceedings litigating this issue across several cases, companies operating in the cryptocurrency space, including cryptocurrency exchanges, should follow this development to assess any possible impact on their businesses.

Continue Reading S.E.C. Wins Summary Judgment Determination That Cryptocurrency Token Qualifies as a Security

On October 17, the District of Massachusetts added to the growing line of federal courts that have held a mere data breach, without additional harm, is insufficient to grant customers Article III standing.  See Webb v. Injured Workers Pharmacy, LLC, 2022 WL 10483751, at *1 (D. Mass. Oct. 17, 2022).  In February 2022, a home delivery pharmacy notified over 75,000 affected customers that hackers broke through its defenses and accessed patients’ personal data.  Two of these customers filed a putative class action against the pharmacy, alleging various tort and contract theories.  The court dismissed their claims for lack of standing, holding that plaintiffs had failed to allege any actionable harm stemming from the data breach despite their allegations that the breach caused them significant emotional harm.

Continue Reading Data Breach, Without Allegations of Misuse, Isn’t Enough for Article III Standing

Following a week-long trial, a jury in Illinois awarded a plaintiff class of truck drivers a $228 million verdict against BNSF Railways for violations of the Illinois Biometric Information Privacy Act (“BIPA”).  The large verdict, arising from the first case to go to trial under the 2008 law, highlights the potential impact of class actions brought under this statute.

Continue Reading Illinois BIPA jury verdict highlights rising prominence of class actions based on state privacy statutes

On Monday, the Supreme Court granted certiorari in Gonzalez v. Google LLC, 2 F.4th 871 (9th Cir. 2021) on the following question presented:  “Does section 230(c)(1) immunize interactive computer services when they make targeted recommendations of information provided by another information content provider, or only limit the liability of interactive computer services when they engage in traditional editorial functions (such as deciding whether to display or withdraw) with regard to such information?”  This is the first opportunity the Court has taken to interpret 47 U.S.C. § 230 (“Section 230”) since the law was enacted in 1996.

Continue Reading Supreme Court Grants Certiorari in Gonzalez v. Google, Marking First Time Court Will Review Section 230