By Gerald L. Maatman, Jr. and Jennifer A. Riley
Duane Morris Takeaway: Continuing with the top trends in class action litigation over the past year as we recognized in the Duane Morris Class Action Review – 2024, today we are discussing Trend #2. Trend # 2 focuses on class action litigation in the privacy space, which has generated a multitude of filings as it continues its reign as the hottest area of growth in terms of activity by the plaintiffs’ class action bar.
In today’s video blog, Duane Morris partner Jennifer Riley discusses the rise in privacy class actions under the Illinois Biometric Information Privacy Act (BIPA) in 2023, the impact of two seminal Illinois Supreme Court rulings on the application of the BIPA, and other privacy areas heating up in the class action arena.
Trend #2 – Privacy Class Actions Gained Momentum, Increasing In Number And Sophistication
1. Illinois Biometric Information Privacy Act Claims
In 2023, the Illinois Biometric Privacy Act (BIPA) continued to fuel a swell of class action litigation. Its technical requirements, coupled with stiff statutory penalties and fee-shifting, provided a recipe for increased filings and hefty settlement demands from the plaintiffs’ class action bar.
Enacted in 2008, the BIPA regulates the collection, use, and handling of biometric identifiers and information by private entities. Subject to limited exceptions, the BIPA generally prohibits the collection or use of an individual’s biometric identifiers and biometric information without notice, written consent, and a publicly-available retention and destruction schedule.
In terms of lawsuit filings, for nearly a decade following enactment of the BIPA, activity under the statute was largely dormant.
Plaintiffs filed an average of approximately two total lawsuits filed per year from 2008 through 2016. Those numbers grew exponentially in 2017 and 2018 and then spiked as the plaintiffs’ class action bar filed a surge of class action lawsuits.
In 2022, companies saw more than five times as many class action lawsuit filings for alleged violations of the BIPA than they saw in 2018, and more than the number of class action lawsuit filings that they saw from 2008 through 2018 combined.
Filings continued to accelerate in 2023, prompted by two rulings from the Illinois Supreme Court that increased the opportunity for recovery of damages under the BIPA.
In 2023, the Illinois Supreme Court issued two seminal decisions that increased the opportunity for recovery of damages under the BIPA. On February 2, 2023, the Illinois Supreme Court issued its ruling in Tims v. Black Horse Carriers, 2023 IL 127801 (Feb. 2, 2023), and held that a five-year statute of limitations applies to claims under the BIPA. Perhaps even more significantly, on February 17, 2023, the Illinois Supreme Court issued its ruling in Cothron, et al. v. White Castle System, Inc., 2023 IL 1280004 (Feb. 17, 2023), and held that a claim accrues under the BIPA each time a company collects or discloses biometric information.
These rulings have far-reaching implications. Together, they have the potential to increase monetary damages in BIPA class actions in an exponential manner, especially in the employment context, where employees might scan in and out of work multiple times per day across more than 200 workdays days per year.
In the wake of these rulings, class action filings more than doubled. From January 1, 2023, to the ruling in Cothron, plaintiffs filed approximately 61 lawsuits in Illinois state and federal courts alleging violations of the BIPA.
By contrast, in the same period of time following the ruling, plaintiffs filed 150 lawsuits in Illinois state and federal courts, representing an increase of 71%.
Below is a chart outlining this litigation spike:
Throughout the remainder of 2023, lawsuit filings continued to grow in number and sophistication as they targeted more advanced and innovative technologies. Given the five-year statute of limitations, and the potential for enhanced monetary penalties, we anticipate that filings and settlement numbers in BIPA litigation will continue to expand.
2. Other Sources Of Privacy Class Actions
Various provisions of state privacy, anti-surveillance, and wiretap statutes have had a similar impact, fueling creativity by the plaintiffs’ class action bar as it looks to apply many pre-existing laws to challenge the use of innovative and novel technologies that companies use to collect information about consumers and their online activities.
Over the past year, plaintiffs have filed a barrage of class action lawsuits under the federal Video Privacy Protection Act (VPPA). Congress originally passed the VPPA in 1988 to prevent the wrongful disclosure of video tape sale and rental records. Plaintiffs have filed lawsuits under the VPPA against companies that offer video content on their websites.
The VPPA prohibits a “video tape service provider” from knowingly disclosing personally identifiable information concerning any consumer of such provider.” 18 U.S.C. § 2710(b)(1). The statute defines a “video tape service provider” to include any person “engaged in business, or affecting interstate or foreign commerce, of rental, sale, or delivery of prerecorded video cassette tapes or similar audio-visual materials.” 18 U.S.C. § 2710(a)(4).
Some courts have construed “similar audio-visual materials” broadly, generally concluding that its definition encompasses streaming video delivered electronically. Plaintiffs allege that companies that maintain videos on their websites and deploy pixel tracking tools violate the VPPA because their websites track the videos that visitors watch and share the viewing data with third parties.
The VPPA provides for damages up to $2,500 per violation in addition to costs and attorneys’ fees for successful litigants, making it an attractive source of filings for the plaintiffs’ class action bar. Indeed, plaintiffs have initiated more than 137 class actions under the VPPA over the past year.
Similarly, state wiretapping and anti-surveillance laws are continuing to generate filings by enterprising plaintiffs’ lawyers. Plaintiffs have initiated class actions against companies that use third-party software to track user activity on their webpages, or to create and record transcripts of conversations conducted via chat features, based on the theory that such practices potentially violate electronic interception provisions of various state laws.
The plaintiffs’ bar grounded these claims in the electronic interception provisions of wiretap statutes like the California Invasion of Privacy Act, the Pennsylvania Wiretapping and Electronic Surveillance Act, and the Florida Security of Communications Act, among other laws, which generally prohibit the unauthorized interception of communications transmitted electronically.
The plaintiffs’ bar has targeted technologies that track a user’s interactions with the website (e.g., clicking, scrolling, swiping, hovering and typing) and create a recording of those interactions and inputs through session replay software.
It also has attacked coding tools that create and store transcripts of conversations with users in a website’s chat feature. Plaintiffs generally allege that recording users’ interactions with a website and sending that recording to a third party for analysis without their consent is an illegal invasion of their privacy. Over the past year, these lawsuits met mixed results.
During 2023, federal district courts in California ruled on the initial round of “chatbot” cases filed under the California Invasion of Privacy Act (CIPA) and several responded with skepticism. Courts granted motions to dismiss on various grounds finding, among other things, that the statutory provisions at issue do not apply to communications over the internet, see, e.g., Licea, et al. v. American Eagle Outfitters, Inc., 2023 WL 2469630, at *5-6 (C.D. Cal. Mar. 7, 2023); a party cannot “eavesdrop” on its own conversation, see id. at *7-8; Licea, et al. v. Cinmar, LLC, 2023 WL 2415592, at *7-8 (C.D. Cal. Mar. 7, 2023); or that allegations that a defendant used the code embedded in a chat program to “harvest valuable data” were too vague and conclusory to state a claim. See, e.g., Cody, et al. v. Boscov’s, Inc., 2023 WL 2338302, at *2 (C.D. Cal. Mar. 2, 2023).
Other courts denied motions to dismiss similar claims. See, e.g., Valenzuela, et al. v. Nationwide Mutual Insurance Co., 2023 WL 5266033, at *4-10 (C.D. Cal. Aug. 14, 2023); D’Angelo, et al. v. Penny OpCo, LLC, 2023 WL 7006793, at *2-4, *8-9 (S.D. Cal. Oct. 24, 2023).
These rulings contribute to a patchwork quilt of decisions in this space. Given the stakes, we do not anticipate that this initial round of decisions will spell the death knell for suits attacking session replay or chatbot suits, many of which remain in the pipeline before various courts. Instead, we anticipate that plaintiffs will respond with additional creativity as they attempt to plead around these potential issues and identify new technologies at which to target their claims.