Trend #3 – Privacy Class Actions Continue To Proliferate As Plaintiffs Search For Winning Theories

By Jennifer A. Riley

Duane Morris Takeaway: The plaintiffs’ class action bar has continued to invest in the privacy class action space and, over the past year, has generated a multitude of filings, making privacy one of the hottest areas of growth in terms of activity by the plaintiffs’ class action bar. As technology continues to infiltrate our everyday lives, it provides ongoing inspiration for novel claims. Two of the most active areas of privacy litigation over the past year include: (1) litigation regarding “biometric” technologies under the Illinois Biometric Privacy Act (BIPA); and (2) claims regarding website advertising technologies (adtech) asserted under a variety of federal and state statutory and common laws.

Watch DMCAR co-editor Jennifer Riley explain this trend in the following video:

Additionally, in the absence of a federal comprehensive privacy law, states have been enacting their own patchwork of laws. There are currently 19 states that have passed comprehensive privacy laws. The following chart shows new laws that will become effective in 2025:

  1. Illinois Biometric Information Privacy Act Claims

On August 2, 2024, the Illinois Governor signed a long-awaited amendment to the BIPA, the most popular and heavily litigated privacy law in the U.S. The amendments eliminated per-scan damages, granting defendants a reprieve from potentially crushing penalties allowed under pre-amendment version of the law that inspired thousands of class action lawsuits over the past seven years.

Enacted in 2008, the BIPA regulates the collection, use, and handling of biometric information and biometric identifiers by private entities. Subject to certain exceptions, the BIPA prohibits collection or use of an individual’s biometric information and biometric identifiers without notice, written consent, and a publicly available retention and destruction schedule.

In terms of lawsuit filings, for nearly a decade following enactment of the BIPA, activity under the statute remained largely dormant. The plaintiffs’ bar filed approximately two total lawsuits per year from 2008 through 2016 before filings increased in 2017 and then skyrocketed in 2019. In 2020, plaintiffs filed more than six times as many class action lawsuits for alleged violations of the BIPA than they filed in 2017 and more than the number of class action lawsuits they filed from 2008 through 2016 combined.

Filings continued to accelerate in 2023, prompted by two rulings from the Illinois Supreme Court that increased the opportunity for recovery of damages under the BIPA. On February 2, 2023, the Illinois Supreme Court held that a five-year statute of limitations applies to claims under the BIPA, and, on February 17, 2023, the Illinois Supreme Court held that a claim accrues under the BIPA each time a company collects or discloses biometric information. See Tims v. Black Horse Carriers, 2023 IL 127801 (Feb. 2, 2023); Cothron, et al. v. White Castle System, Inc., 2023 IL 1280004 (Feb. 17, 2023).

In 2024, the Illinois General Assembly dealt a significant blow to plaintiffs’ pursuit of these claims. On August 2, 2024, the Illinois Governor signed SB 2979 into law, amending the BIPA and limiting plaintiffs to one recovery per person under §§ 15(b) and 15(d). In other words, a private entity that, in more than one instance, collects, captures, or otherwise obtains the same biometric identifier or biometric information from the same person using the same method of collection “has committed a single violation” for which an aggrieved person is entitled, at most, to one recovery. See 740 ILCS 14/20 (b), (c). Courts to date have disagreed as to whether the amendment and its new “per person” damages regime applies retroactively, see Edwards v. Central Transport LLC, No. 24-CV-1925 (N.D. Ill. Nov. 13, 2024), or whether it applies only on a go-forward basis. We anticipate that parties will continue to litigate this question in 2025.

While a welcome relief to defendants, the BIPA’s new “per person” damages regime remains sizable and on a par with other privacy statutes that remain popular with the plaintiffs’ class action bar, such as the Electronic Communications Privacy Act (ECPA), which provides for damages up to $10,000 per claimant, or the Video Privacy Protection Act (VPPA), which provides for damages up to $2,500 per claimant.

Thus, whereas their rate of growth slowed in 2024, BIPA filings remained robust in comparison with prior years. Indeed, plaintiffs filed 427 lawsuits invoking the BIPA in 2024, compared with 417 in 2023, and 362 in 2022. The graphic shows the year over year growth in BIPA filings over the past eight years:

In terms of substance, 2024 saw the emergence of two significant trends in BIPA litigation that illustrate plaintiffs’ continued creativity when it comes to applying the BIPA to new technologies.

First, plaintiffs filed a significant number of BIPA cases targeting technologies that perform functions other than biometric identification. These include virtual try-on technologies, efforts to measure affects or emotions, attempts to verify conformance with pornography restrictions or passport photo requirements, and other functions. Basically, if a company’s technology performs any function at all involving a face, the company was a potential target of BIPA litigation in 2024. Although no courts have ruled definitively as to whether such technologies obtain “biometric identifiers” or “biometric information” within the meaning of the BIPA, some courts have found allegations regarding their use sufficiently plausible to survive motions to dismiss.

In Davis v. e.l.f. Cosmetics, Inc., 2024 U.S. Dist. LEXIS 94318 (N.D. Ill. May 28, 2024), for example, plaintiffs filed a class action alleging that the defendant’s virtual try-on technology used facial recognition technology without proper consent in violation of § 15(b). The defendant moved to dismiss on the ground that virtual try-on involves only facial detection (i.e., whether there is a face), not facial recognition or identification. The court rejected the argument, concluding that the plaintiffs’ allegations that the virtual try-on tool obtained biometric identifiers was “enough” at the pleading stage to overcome a motion to dismiss. Id. at *2.

In Martell, et al. v. X Corp., 2024 U.S. Dist. LEXIS 105610 (N.D. Ill. June 13, 2024), by contrast, plaintiff alleged that he uploaded a photograph containing his face to the social media platform X and that X then analyzed the photograph for nudity and other inappropriate content using a product called PhotoDNA. Id. at *1. According to the plaintiff, PhotoDNA created a unique digital signature of his face-containing photograph known as a “hash” and, therefore, necessarily obtained a “scan of . . . face geometry” in violation of the BIPA. Id. at *1-2. X Corp. moved to dismiss arguing, among other things, that plaintiff failed to allege that PhotoDNA obtained a scan of face geometry because PhotoDNA does not perform facial recognition. The court granted the motion finding no plausible allegations of a scan of face geometry because “PhotoDNA is not facial recognition software.” Id. at *5. As the court explained, the “plaintiff does not allege that the hash process takes a scan of face geometry, rather he summarily concludes that it must. The court cannot accept such conclusions as facts adequate to state a plausible claim.” Id. at *9.

Second, plaintiffs have filed a significant number of BIPA cases over the use of AI‑based facial recognition systems that transform photographs into numerical expressions that can be compared to determine their similarity. These modern systems are different than older, non-AI facial recognition systems in place at the time of the BIPA’s enactment in 2008 that attempt to identify individuals by using measurements of face geometry. The older systems construct a facial graph from many key landmarks such as the corners of the eyes, tip of the nose, and corners of the mouth. Courts have disagreed as to whether the BIPA, which defines biometric identifiers to include a “scan of face geometry,” applies to AI machine-learning systems for facial analysis or recognition that do not construct such geometric graphs.

One court previously found that this question is one for a jury, see In Re Facebook Biometric Information Privacy Litigation, 2018 WL 2197546, at *2-3 (N.D. Cal. May 14, 2018), but at least one other court, Zellmer, et al. v. Meta Platforms, Inc., 104 F.4th 1117 (9th Cir. 2024), held to the contrary.

In Zellmer, a plaintiff who never used Facebook sued Meta for alleged violations of the BIPA after his friends uploaded photographs of him to Facebook. He alleged that Facebook collected or captured his biometric identifiers when its tag suggestion feature created what Facebook calls a “face signature” from those uploaded photos. Id. at 1120. The district court granted summary judgment to Facebook, and the Ninth Circuit affirmed. As the Ninth Circuit explained, “[n]o one – not even [defendant, the creator of the face signature] – can reverse-engineer the numbers comprising a given face signature to derive information about a person.” Id. at 1121. For this reason, the face signature “cannot identify an individual” and, therefore, is not subject to the BIPA. Id. at 1123.

We expect continued litigation in 2025 over whether the BIPA regulates only those technologies capable of identification and whether AI-based facial recognition systems implicate the BIPA will remain a hotly litigated topic in 2025.

  1. Website Advertising Technology And Other Privacy Claims

Although website activity tracking tools are nothing new, and appear on most websites, this past year they continued to fuel a wave of lawsuits alleging that such tools caused companies in various industries to share users’ private information. While some of these cases and claims met an early dismissal, others inspired sizable settlements, signaling that corporations should expect continued investment in this area by the plaintiffs’ bar in 2025.

In 2024, for the second time in as many years, plaintiffs filed more than two hundred class action complaints alleging that Meta Pixel, Google Analytics, and other similar software code embedded in websites secretly captured plaintiffs’ web browsing data and sent it to Meta, Google, and other online advertising agencies. This software, often called “adtech,” is a popular feature on many websites today. More than ten million companies and governmental organizations use it. Adtech works by collecting information about a person’s web-browsing behavior, using AI to analyze the collected data, and then serving targeted advertisements based on the analysis.

Plaintiffs have asserted claims attacking adtech based on one or more of a wide variety of legal theories, including federal and state wiretapping statutes, eavesdropping statutes, the VPPA, unfair and deceptive practices statutes, various common laws, and other legal theories. Plaintiffs typically seek to invoke a statute that provides for statutory damages, asserting that hundreds of thousands of website visitors, times $10,000 per claimant in statutory damages under the Federal Wiretap Act, for example, equals billions of dollars. Several of these cases have led to multi-million-dollar settlements, but the vast majority remain undecided.

The courts reviewing these claims have been tasked with applying statutes, many of which were passed decades ago, in novel ways to new technologies that the drafters of those laws could not have envisioned. As a result, courts issued an assortment of rulings on motions to dismiss adtech class actions in 2024, resulting in a mixed bag of outcomes. Court rulings on these inventive theories varied widely in 2024, presaging continued battles in 2025 as these issues bubble up to appellate courts.

One of this year’s largest adtech class action led to a victory for defendants in T.D. v. Piedmont Healthcare, Inc., Case No. 23-CV-5416 (N.D. Ga. Aug. 24, 2024). The plaintiffs sued Piedmont alleging that it installed the Meta Pixel on its public-facing website and its secure patient portal and transmitted the plaintiffs’ “personally identifiable information (PII) and protected health information (PHI) [to Meta] without their consent.” Id. at 1-2.

The plaintiffs asserted claims for invasion of privacy, breach of fiduciary duty, negligence, breach of contract, unjust enrichment, and violation of the ECPA. The court granted Piedmont’s motion to dismiss.

First, the court found no invasion of privacy because “[t]here is no intrusion upon privacy when a patient voluntarily provides personally identifiable information and protected health information to his or her healthcare provider.” Id. at 5-6. Second, the court rejected all seven of plaintiffs’ alleged damages theories and, accordingly, dismissed plaintiffs’ breach of fiduciary duty, negligence, breach of contract, and unjust enrichment, all of which required the plaintiffs to plausibly allege damages or, relatedly, enrichment, as an element of these claims. Id. at 7-10. Finally, the court dismissed the plaintiffs’ ECPA claim, which required plaintiffs to plausibly allege an intentional interception of the contents of an electronic communication. Id. at 11.

By contrast, in Kane, et al. v. University Of Rochester, 2024 WL 1178340 (W.D.N.Y. Mar. 19, 2024), a New York federal court denied a motion to dismiss finding that adtech plaintiffs sufficiently alleged that defendant disclosed information they entered on defendant’s website in the form of appointment scheduling information that identified the user who scheduled the appointment, the provider, and the provider’s specialty. Id. at *5-7.

The court declined to dismiss plaintiffs’ claims for breach of express contract, unjust enrichment, bailment, and violation of New York’s deceptive trade practices statute, and found that plaintiffs sufficiently invoked the crime-tort exception under ECPA. Id. at *7-8. The court acknowledged that it joined the “[a]t least one [other] . . . court” by finding an adtech plaintiff sufficiently invoked the crime-tort exception under ECPA with allegations that the website owner’s purpose was to “enhance its marketing efforts.” Id. at *7.

In cases where websites containing video and adtech allegedly transmit video viewing information, plaintiffs often assert claims for alleged violations of the federal VPPA. It prohibits a “video tape service provider” from knowingly disclosing “personally identifiable information concerning any consumer of such provider.” 18 U.S.C. § 2710(b)(1).

The statute defines a “video tape service provider” to include any person “engaged in business, or affecting interstate or foreign commerce, of rental, sale, or delivery of prerecorded video cassette tapes or similar audio-visual materials.” 18 U.S.C. § 2710(a)(4).

The VPPA provides for damages up to $2,500 per violation in addition to costs and attorneys’ fees for successful litigants, making it an attractive source of filings for the plaintiffs’ class action bar.

Indeed, plaintiffs initiated more than 250 VPPA class actions in 2024, compared to 137 in 2023, reflecting continued growth of VPPA class actions fueled in large part by adtech claims.

In 2024, courts issued a mixed bag of rulings on motions to dismiss claims for alleged violation of the VPPA. Compare, e.g., Brown, et al. v. Learfield Communications, LLC, 2024 U.S. Dist. LEXIS 15587 (W.D. Tex. Jan. 29, 2024) (dismissing VPPA claim because the plaintiff failed to allege a nexus between plaintiff’s newsletter subscription and access to video content), with Salazar, et al. v. National Basketball Association, 2024 U.S. App. LEXIS 25902 (2d Cir. Oct. 15, 2024) (rejecting defendant’s argument that the VPPA applies only to subscribers of audiovisual services and finding that it also applies to subscribers of an email newsletter).

These rulings illustrate the vast and growing patchwork quilt of differing approaches to adtech claims asserted under a variety of legal theories. A more expansive discussion of these rulings appears in Chapter 14 regarding Privacy Class Actions. The initial decisions concerning class certification of adtech claims issued in 2024, however, came out in favor of defendants as both courts denied class certification. See Griffith, et al. v. TikTok, Inc., 2024 U.S. Dist. LEXIS 176403 (C.D. Cal. Sept. 9, 2024); Martinez, et al. v. D2C, LLC, 2024 U.S. Dist. LEXIS 178570 (S.D. Fla. Oct. 1, 2024).

In 2025, we anticipate that the patchwork quilt will expand as more courts confront these novel claims and decisions start making their way toward resolution at the appellate level.

© 2009-2025 Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.

The opinions expressed on this blog are those of the author and are not to be construed as legal advice.

Proudly powered by WordPress