California Callout: New 2023 Privacy Regulations Coming Soon

By Gerald L. Maatman, Jr., Jennifer Riley, Brandon Spurlock, and Alex W. Karasik

Duane Morris Synopsis:  On the heels of California’s enactment of the California Consumer Privacy Act (“CCPA”) in 2020, and after two legislative bills that proposed to continue the employer exemption failed, employers will now need to comply with all requirements of the CPRA (“California Privacy Rights Act”) effective January 1, 2023. California-based employers now face these strict privacy requirements in the existing minefield of nuanced employment laws.

Legislative Background

The CCPA is often considered the most stringent data privacy law in the United States.  This landmark law established privacy rights for California consumers, including:  (1) the right to know about the personal information a business collects about them and how it is used and shared; (2) the right to delete personal information collected from them (with some exceptions); (3) the right to opt-out of the sale of their personal information; and (4) the right to non-discrimination for exercising their CCPA rights. (See https://oag.ca.gov/privacy/ccpa.).

Currently, data collected from workers is exempt from all but two provisions of the CCPA: (i) employers must provide an initial disclosure to all employees at or prior to the point of collection, and (ii) employees still have a right to statutory damages in the event of a data breach. “Employees” is a term that casts a wide net. It includes job applicants, business owners, officers, directors, medical staff members, independent contractors, emergency contacts and beneficiaries.

Two separate California state bills sought to continue the employer exemption: (1) AB 2891, for an additional three years; and (2) AB 2871, for an indefinite time period.  Neither bill was passed by the Legislature in its final 2022 session. Accordingly, with the exemption expiring, employers must now fully comply with the former CCPA’s requirements, as the new CPRA comes into effect.

Employer Obligations

First, employees are now afforded various rights, including:  (1) a right to request access to their personal information and information about how automated decision technologies work; (2) a right to correct inaccurate personnel information; (3) the right to request that an employer delete their personal information, including the obligation that employers must also notify third parties to whom they have sold or shared such personal information of the consumer’s request to delete; (4) the right to limit the use and disclosure of sensitive personal information to that which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods and services.

Notice Obligations

Employers should be mindful of particular notice obligations under the CPRA. These include the: (1) requirement of notice at collection; and (2) requirement of a privacy policy.  Regarding the notice at collection, employers are required to give employees, applicants, and contractors notice at the time they collect the information if they plan to collect, use, or disclose that personal information, while also disclosing the categories of personal information.  The privacy policy is comprehensive and must disclose categories of personal information collected over the 12 months before the policy’s effective date. The policy also must disclose sources from which personal information is collected, the business purpose for the collection, categories of third-parties to whom personal information is disclosed; and categories of personal information sold or shared.  And employers are obligated to post the privacy policy online where it is accessible to employees, applicants, and contractors.

Data Governance

To ensure compliance with the CPRA, it is crucial that employers understand where personal information is located within their businesses. It behooves them to undertake a data inventory or data mapping exercise to assess how and where relevant information is stored and/or transferred.  Employers should also take stock of their records retention policies to ensure compliance, and also develop an internal framework to handle requests from employees for access and/or deletion.

Implications For Employers

Employers who have operations in California should immediately take heed of these new obligations. It is inevitable that the Plaintiff’s bar will be scrutinizing these practices come January 2023.  Accordingly, employers should determine whether they are covered by the CPRA, and prepare privacy policies that are fully compliant.

New Trial Sought Following $228 Million Judgment In Landmark BIPA Class Action

By Gerald L. Maatman, Jr., Jennifer A. Riley, and Alex W. Karasik

Duane Morris Synopsis:  In Rogers v. BNSF Railway Co., Case No. 19-CV-03083 (N.D. Ill.), the first federal court jury trial in a case brought under the novel Illinois Biometric Information Privacy Act (“BIPA”), the plaintiffs secured a verdict in favor of the class of 45,000 workers against Defendant BNSF. After a week-long trial in the U.S. District Court for the Northern District of Illinois in Chicago, the jury found that BNSF recklessly or intentionally violated the law 45,600 times. The Court thereafter entered against BNSF for $228 million. Post-trial motions are now before the Court, which raise significant issues for all companies that use biometric equipment.

On November 9, 2022, Defendant BNSF Railway Co. filed a motion for a new trial under Rule 59(a) or to reduce the damages award under Rule 59(e). It argues that none of the 45,000 class members suffered any actual harm. It also raised constitutional concerns about the BIPA.

This latest development suggests that BNSF is pulling out all the stops to challenge the precedent-setting $228 million judgment. The outcome of this motion and future appeals will profoundly shape the privacy class action landscape.

Case Background

As we blogged about here, Plaintiff filed a class action lawsuit alleging that BNSF unlawfully required truck drivers entering the Company’s facilities to provide their biometric information through a fingerprint scanner. He claimed that BNSF collected the drivers’ fingerprints without first obtaining informed written consent or providing a written policy that complied with the BIPA and therefore violated sections 15(a) and (b) of the BIPA. BNSF argued that it did not operate the biometric equipment and instead sought to shift blame to a third-party vendor who operated the biometric equipment that collected drivers’ fingerprints.

The case proceeded before a jury in federal court in Chicago. The proceeding was closely watched, as it represented the very first time any class action had gone to a full trial with claims under the BIPA. The trial lasted five days. However, the jurors deliberated for just over an hour. Following the jury’s finding of liability, the Court entered a judgment against BNSF in the amount of $5,000 per violation, for a total amount of $228 million.

BNSF’s Motion For A New Trial Or Amended Judgment

BNSF renewed its motion for judgement as a matter of law pursuant to Federal Rule of Civil Procedure Rule 50(b), following the Court’s denial of BNSF’s Rule 50(a) motion at trial. In the alternative, BNSF moved for a new trial under Rule 59(a), or to reduce the damages award under Rule 59(e).

First, BNSF argues that there was insufficient evidence for the jury to find that BNSF violated the BIPA. Id. at *3. In support of that argument, BNSF cited testimony from its former Director of Technology Services that BNSF did not collect or obtain biometrics from truck drivers in Illinois, that the biometric data was stored on another entity’s server, and that BNSF did not maintain a copy of any of that data. Id. at *4.

Second, BNSF argues that it is entitled to judgment as a matter of law or a new trial, or at least a significant reduction in damages, because there was insufficient evidence for a rational jury to conclude that BNSF violated the BIPA recklessly or intentionally 45,600 times — which is the basis for the $228 million damages award.  Id. at *5-6. BNSF claims that there was no evidence that BNSF even learned about the BIPA until April 2019. Therefore, BNSF argued, no rational jury could have inferred from this evidence that BNSF consciously disregarded or intentionally violated the rights of Plaintiff and the class members at any point, much less for the full class period starting in April 2014.

Third, BNSF argued that the Court’s award of $228 million in damages where Plaintiff admits he and the members of the class have suffered no actual harm violates the Due Process Clause and Excessive Fines Clause of the U.S. Constitution. BNSF points out that, “It is undisputed that neither Plaintiff nor any member of the class has suffered any actual harm from any alleged violation of BIPA. Given that the agreed value of the class’s injury is zero dollars, any award would be disproportional to such nonexistent harm.”  Id. at *8-9.

Accordingly, BNSF seeks relief that the Court should enter judgment as a matter of law against Plaintiff and in favor of BNSF; or in the alternative, the Court should grant BNSF a new trial, or substantially reduce the damages award against BNSF.

The ball is now in Plaintiff’s court to respond to the motion. Further proceedings will then await the parties after full briefing of the post-trial motion.

Implications For Employers

BNSF’s filing of this motion indicates that the Company will not be going down (to the tune of $228 million) without a fight. The ultimate outcome of this motion, and any potential Seventh Circuit appeals, will be carefully scrutinized by both the plaintiff class action bar and businesses throughout Illinois and beyond.

Employers not only should continue to monitor this groundbreaking privacy class action lawsuit, but also ensure their strategic compliance plans are sufficient in regards to biometric privacy laws.

Illinois Federal Court Holds Private University Is Exempt From BIPA Regulations

By Gerald L. Maatman, Jr., Jennifer A. Riley, and Alex W. Karasik

 Duane Morris Takeaway:  In an important ruling for higher education entities, Judge Robert Gettleman of the U.S. District Court for the Northern District of Illinois recently dismissed a student’s proposed class action alleging that Defendant’s remote test-proctoring software violated the Illinois Biometric Information Privacy Act (“BIPA”). The Court determined that Defendant DePaul University qualified as a financial institution exempt from the statute. Powell v. DePaul University, No. 21-C-3001, 2022 U.S. Dist. LEXIS 201296 (N.D. Ill. Nov. 4, 2022). Employers in the higher education space who are confronted with biometric privacy class actions can tuck this ruling away for potential use at the pleading stage.

Case Background

Plaintiff alleged that Defendant’s use of the Respondus Monitor, an online remote proctoring tool, violated the BIPA by capturing, using, and storing students’ facial recognition and other biometric identifiers and biometric information. Plaintiff specifically asserted that Defendant did not “disclose or obtain written consent before collecting, capturing, storing, or disseminating user’s biometric data, and failed to disclose what it does with that biometric data after collection, in violation of BIPA’s retention and destruction requirements. Id. at *2.

Defendant moved to dismiss the action pursuant to Rule 12(b)(6) for failure to state a claim. It argued that the BIPA’s express terms specify that it does not apply to financial institutions that are subject to Title V of the Gramm-Leach-Bliley Act (“GLBA”). Id. Defendant contended that since it was a participant in the U.S. Department of Education’s Federal Student Aid Program, it is considered a financial institution subject to Title V of the GLBA.  Defendant contended that both the Federal Trade Commission (“FTC”) and the Department of Education (“DOE”) have recognized that universities are considered financial institutions under the GLBA. Defendant also asserted that Title V rulemaking authority lies with the Consumer Financial Protection Bureau (“CFPB”), which adopted and republished the privacy rules originally promulgated by the FTC.  The FTC rules state that any institution “significantly engaged in financial activities” is a financial institution. Id. at *5.

Plaintiff argued that Defendant was not a financial institution, but rather was in the business of higher education. Thus, Plaintiff contended that Defendant was not subject to Title V, and therefore subject to the BIPA.

The Court’s Decision

The Court granted Defendant’s motion to dismiss.  First, the Court noted that at least five other district courts have ruled on the same issue and rejected Plaintiff’s argument, and have determined that the BIPA’s section 25(c) exemption for financial institutions applies to institutions of higher education. Id.

In support of its conclusion, the Court found that the guidance provided by the CFPB included examples demonstrating the word “significantly” means something less than “primary.” Id. at *8. Accordingly, the Court rejected Plaintiff’s argument that the exemption should not apply was because Defendant was not primarily in the financial business. Id.

The Court further explained that the DOE provided issued public guidance in 2020 reiterating that the GLBA required financial institutions to have information privacy protections, and that the FTC “has enforcement authority for the requirements and has determined that institutions of higher education (institutions) are financial institutions under GLBA.” Id. at *4-5.

Additionally, the Court opined that the FTC’s rule, made in 2000 when it had enforcement and rulemaking authority under the GLBA, also considered universities to be financial institutions if they “appear to be significantly engaged in lending funds to consumers.” Id. at *6. The Court reasoned that the consistent interpretation of the statute by multiple entities was particularly persuasive in finding that the claims should be dismissed. For these reasons, the Court granted Defendant’s motion to dismiss Plaintiff’s claims with prejudice.

Implications For Employers

In the BIPA class action landscape, federal and state courts in Illinois have rejected many potential affirmative defenses that employers have used to try and stave off these massive cases. However, even though the exemption is somewhat narrow, higher education institutions now have a blueprint to attack BIPA class actions at the pleading stage.  Finally, to the extent states beyond Illinois enact similar privacy statutes, this ruling may be of use to higher education institutions in those states that are confronted with class actions.

$228 Million Judgment Entered In First Ever BIPA Class Action Trial Before A Chicago Jury

By: Gerald L. Maatman, Jr., Jennifer A. Riley, and Alex W. Karasik

Duane Morris Synopsis:  In Rogers v. BNSF Railway Co., Case No. 19-CV-03083 (N.D. Ill.), the first federal court jury trial in a case brought under the novel Illinois Biometric Information Privacy Act (“BIPA”), the plaintiffs secured a verdict in favor of the class of 45,000 workers against Defendant BNSF. After a week-long trial in the U.S. District Court for the Northern District of Illinois in Chicago, the jury found that BNSF recklessly or intentionally violated the law 45,600 times, based on the defense expert’s estimated number of drivers who had their fingerprints collected.  The Court thereafter entered a judgment against BNSF for $228 million.

This landmark verdict showcases the potentially devastating impact of the BIPA statute on unwary businesses across the state of Illinois that collect, use, or store biometric information.

Case Background

Plaintiff, a truck driver, filed a class action lawsuit alleging that BNSF unlawfully required drivers entering the Company’s facilities to provide their biometric information through a fingerprint scanner.  He claimed that BNSF collected the drivers’ fingerprints without first obtaining informed written consent or providing a written policy that complied with the BIPA and therefore violated sections 15(a) and (b) of the BIPA.  BNSF argued that it did not operate the biometric equipment and instead sought to shift blame to a third-party vendor who operated the biometric equipment that collected drivers’ fingerprints.

The case proceeded before a jury in federal court in Chicago. The proceeding was closely watched, as it represented the very first time any class action had gone to a full trial with claims under the BIPA

The trial lasted five days. However, the jurors deliberated for just over an hour.  The jurors were asked to: (1) indicate on the verdict form whether they sided with Plaintiff, and (2) if so, indicate how many times BNSF violated the BIPA negligently or how many times the company violated the statute recklessly or intentionally.

The BIPA provides for damages of $1,000 for every negligent violation, and up to $5,000 in liquidated damages for every willful or reckless violation. At the conclusion of the trial, the jury found that BNSF recklessly or intentionally violated the law 45,600 times.  Accordingly, the Court entered a judgment against BNSF in the amount of $5,000 per violation, for a total amount of $228 million.

Implications For Employers

This verdict undoubtedly will embolden the plaintiffs’ class action bar and equally serve as an eye opener for businesses in Illinois.  In the short term, companies can expect an uptick in the number of BIPA class actions filed by the plaintiffs’ bar. While it is almost certain that the verdict will be challenged in post-trial motions and in an appeal, companies can expect that plaintiffs’ lawyers will increase their settlement demands in other BIPA class actions.

The BIPA vastly increases the importance of adopting a strategic compliance plan for businesses that operate in Illinois.  It is more important than ever for companies to implement proper mechanisms and consent forms to comply with the BIPA.

Pennsylvania Federal Court Denies Motion For Conditional Certification Of Wage & Hour Collective Action

By: Gerald L. Maatman, Jr., Jennifer A. Riley, and Alex W. Karasik

Duane Morris Takeaways:  In Lincoln v. Apex Human Services LLC, Case No. 22-CV-341, 2022 U.S. Dist. LEXIS 175714 (E.D. Pa. Sept. 28, 2022), Judge Harvey Bartle III of the U.S. District Court for the Eastern District of Pennsylvania denied Plaintiff’s motion for conditional certification a proposed collective action of over 100 registered nurses who alleged they were misclassified as independent contractors and owed unpaid overtime. Since conditional certification is typically granted at a rate of nearly 80% in wage & hour collective actions, the employer-friendly ruling in Lincoln is well-worth a read by corporate counsel. The decision can be used by businesses to defend against FLSA misclassification claims where the named plaintiff fails to establish that they are similarly-situated to other proposed collective members.

Case Background

Plaintiff sued Defendants under the Fair Labor Standards Act (“FLSA”), 29 U.S.C. § 201 et seq., the Pennsylvania Minimum Wage Act, 43 P.S. § 333.104 et seq., and the Pennsylvania Wage Payment and Collection Law, 43 P.S. §260.1, et seq.  She alleged that Defendants misclassified registered nurses (“RNs”), licensed practical nurses (“LPNs”), and other providers as independent contractors, thereby denying them required overtime pay and other employee benefits.  Id. at *1.  Plaintiff moved for conditional certification and judicial notice under Section 216(b) of the FLSA.

The Court’s Decision

The Court denied Plaintiff’s motion for conditional certification.

The Court explained that Third Circuit case law has developed a two-tiered test to determine whether employees are similarly-situated for purposes of allowing an FLSA representative action to proceed.  Id. at *2 (citations omitted). Relevant here, the court first conducts a preliminary inquiry into whether employees are similarly-situated.  Id. at *2-4.

Plaintiff argued that conditional certification was appropriate for three reasons, including: (1) all current workers were subject to Defendants’ uniform policy of failing to pay overtime; (2) all former workers were subject to Defendants’ uniform policy of failing to pay overtime; and (3) Plaintiff met the lenient standard of showing that workers were similarly, if not identically, situated.  Id. at *4-5.  To support her arguments, Plaintiff offered three types of evidence, such as her signed independent contractor agreement; texts messages between the plaintiff and one individual Defendant; and one pay stub from 2019 and four pay stubs from 2020 showing that taxes were not withheld from her pay. She claimed that this evidence was sufficient to meet the standard for conditional certification, which only requires a plaintiff to show “modest evidence, beyond pure speculation,” that the class members are similarly-situated.  Id. at *5 (citation omitted).

The Court rejected Plaintiff’s position. It held that Plaintiff failed to present any evidence showing that she was similarly-situated to other proposed collective action members.  Citing three other cases from the Eastern District of Pennsylvania, the Court noted that the plaintiffs in those cases presented some evidence, typically through affidavits or declarations, of how their individual situation was like that of other proposed collective members.  Id. at *6.  Here, Plaintiff merely alleged that there are over 100 Apex workers who were misclassified as independent contractors and denied overtime pay.  The Court opined that the evidence Plaintiff provided was specific only to her situation, such as her own contract, text messages and pay stubs.  As a result, the Court determined that Plaintiff failed to provide even minimal evidence that she and the proposed collective members were similarly-situated.  Id. at *6.

For these reasons, the Court denied Plaintiff’s motion for conditional certification.

Key Takeaways For Employers

In FLSA misclassification cases, it is not uncommon for plaintiffs to seek the Court‘s approval to pursue these matters as collective actions.  In situations where a named plaintiff fails to provide limited (or any) evidence regarding how they are similarly-situated to other proposed collective members, employers can use the decision in Lincoln to defend against motions for conditional certification.  This strategy can result in a court prohibiting the named plaintiff from disseminating notice, or in other words, reduce a case from having potentially hundreds of plaintiffs down to a single plaintiff.

The EEOC Is At It Again: FY 2022 Finishes Off With September Surge Of Filings

By: Gerald L. Maatman, Jr., Jennifer A. Riley, and Alex W. Karasik

Duane Morris Takeaways: In FY 2022, September was a busy month for EEOC-Initiated litigation. In FY 2021, the EEOC’s litigation enforcement activity showed signs of recovering from the lingering COVID-19 pandemic and the total number of case filings increased from the low of 33 in 2020, giving rise to what was anticipated to be a very busy FY 2022. True to its pre-COVID history, the EEOC ended its year with a surge of last-minute lawsuits.

This year, there were 39 lawsuits filed during September as of the publishing of this blog post (down from the 59 filed in September of FY 2021, however, it constituted a significant increase from 2020).

Cases Filed By EEOC District Offices

In addition to tracking the total number of filings, we closely monitor which of the EEOC’s 15 district offices are most actively filing new cases this September. Some districts tend to be more aggressive than others, and some focus on different case filing priorities. The following chart shows the number of lawsuit filings by EEOC district office.

The most noticeable trend of FY 2022 is the filing dip in some key regions compared to past years. The New York district office had 6 filings in FY 2021 and only 2 in 2022. The California district offices in San Francisco and Los Angeles, which combined for 13 new filings last year, declined in FY 2022, falling to only 4 total filings, including San Francisco’s fall from 6 to 1. The Indianapolis district office was in the middle of the pack with 4 filings this year. Philadelphia led the way in FY 2022 with a total of 7 filings. Miami and Phoenix also had 4 each, Memphis had 3, and Dallas, Houston, and St. Louis all had 2 total filings.

Analysis Of The Types Of Lawsuits Filed In FY 2022

We also analyzed the types of lawsuits the EEOC filed throughout the month, in terms of the statutes and theories of discrimination alleged, in order to determine how the EEOC is shifting its strategic priorities.

When considered on a percentage basis, the distribution of cases filed by statute in September remained roughly consistent compared to FY 2021 and FY 2020. Title VII cases once again made up the majority of cases filed, making up 69% of all filings (a bit higher than the 62% in FY 2021 and 60% in FY 2020). ADA cases also made up a significant percentage of the EEOC’s September filings, totaling 18%, although down from the 36% in FY 2021. There were also 3 ADEA cases filed in September, after only one age discrimination case filed in the entire FY 2021.

The graphs below show the number of lawsuits filed according to the statute under which they were filed (Title VII, Americans With Disabilities Act, Pregnancy Discrimination Act, Equal Pay Act, and Age Discrimination in Employment Act) and, for Title VII cases, the theory of discrimination alleged.

March 2022 Release Of Enforcement Statistics

On March 28, 2022, the EEOC released its fiscal year 2023 budget justification and fiscal year 2021 performance report (“APR”). The APR is a review of the results of the EEOC’s litigation goals and performance from FY 2021 and the FY 2023 budget describes how funds will be allocated. The EEOC put out a proposed 2023 budget of $464,650,000.

FY 2021 APR

The APR described a successful year in the EEOC’s eyes in terms of delivering on its strategic initiatives, including securing $485 million in monetary relief for over 15,000 alleged victims of employment discrimination, resolving a total of 138 merit lawsuits, reducing the inventory of appellate cases by 9.1%, and have a significant percentage of its resolutions in district courts achieve a “favorable result.” Comparing the monetary recovery to previous years, the EEOC recovered $535.5 million in FY 2020, $486 million in FY 2019, and $505 million in FY 2018.

The EEOC also continued working towards its goals in community outreach, education, and technical assistance, and hired predominate front-line positions.

FY 2023 Budget Justification

Moving into 2023, the EEOC’s budget constitutes a $60.160 million increase from 2021, and focuses on three key areas including providing racial justice and eliminating systemic discrimination of all protected bases, pay equity, and the civil rights impact of the COVID-19 pandemic. The EEOC also announced three new programs, including the Hiring Initiative to Reimagine Equity (HIRE), which aims to expand employment opportunities as the nation recovers from the pandemic; a joint anti-retaliation initiative with the U.S. Department of Labor and the National Labor Relations Board; and an initiative to ensure that employment-related artificial intelligence and algorithmic decision-making tools comply with federal civil rights laws.

Key Employer Takeaways

FY 2022 was a year of new leadership and structural changes at the EEOC. With a vastly increased proposed budget, it is more crucial than ever for employers to take heed in regards to the EEOC’s strategic priorities and enforcement agendas.

Biometric Privacy, Plasma & Preemption: Illinois Federal Court Issues Another Pro-Plaintiff Ruling

By Gerald L. Maatman, Jr.Jennifer A. Riley, and Alex W. Karasik

Duane Morris Takeaways: In Vaughan v. Biomat USA, Inc. et al, Case No. 20-CV-4241, 2022 U.S. Dist. LEXIS 168497 (N.D. Ill. Sept. 19, 2022), Judge Marvin Aspen of the U.S. District Court for the Northern District of Illinois issued the latest plaintiff-friendly decision under the Illinois Biometric Information Privacy Act (“BIPA”), holding that federal regulations relating to plasma collection do not preempt the BIPA. For employers looking to craft novel defenses in response to the recent onslaught of biometric privacy class action litigation, this ruling represents another impediment to a potential defense strategy. Continue reading “Biometric Privacy, Plasma & Preemption: Illinois Federal Court Issues Another Pro-Plaintiff Ruling”

© 2009- Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.

The opinions expressed on this blog are those of the author and are not to be construed as legal advice.

Proudly powered by WordPress