Author: Jennifer A. Riley

By Kelly A. Bonner, Alex W. Karasik, Gerald L. Maatman, Jr., and Jennifer A. Riley

Duane Morris Takeaways:  In a significant win for fashion and beauty retailers in the privacy class action space, in Warmack-Stillwell v. Christian Dior Inc., No. 1:22-CV-04633, 2023 U.S. Dist. LEXIS 22926 (N.D. Ill. Feb. 10, 2023), an Illinois federal court held that an exemption to the Illinois Biometric Information Privacy Act (“BIPA”) for data captured from a patient in a health care setting barred proposed class action claims alleging that luxury giant Christian Dior Inc.’s (“Dior”) virtual try-on tool (“VTOT”) violated the BIPA.

Businesses in Illinois, particularly online fashion and beauty retailers, can use this ruling to attack BIPA claims involving VTOT technology.

Case Background

As discussed in our previous publications, lawsuits involving BIPA claims and eyewear have been dismissed under one of BIPA’s statutory exemptions, which in relevant part excludes from its definitions of biometric identifiers and biometric information: (1) information captured from a patient in a health care setting; or (2) information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996, including prescription lenses, non-prescription sunglasses, and frames meant to hold prescription lenses.

Plaintiff alleged that Dior maintained a VTOT feature on its website that collected users’ facial geometry data without first obtaining written consent or informing users of the purpose and length of time that their data was being collected in violation of Section 15(b) of BIPA. Plaintiff also alleged that Dior failed to provide a publicly available data retention and destruction schedule, as required by Section 15(a) of BIPA.

Dior moved to dismiss Plaintiff’s complaint on the basis that the BIPA’s health care exemption applied to non-prescription sunglasses, such as the ones sold by Dior and which the plaintiff alleged that she tried on with the VTOT technology, and thus precluded Plaintiff’s claims.

Plaintiff countered that the sunglasses were fashion accessories; Dior’s website was not a health care setting; and Dior’s consumers were not patients. Plaintiff also sought to distinguish prior decisions applying the BIPA’s health care exemption as focusing on the VTOT technology being used for prescription glasses, akin to optometrist fittings, and not in connection with the purchase of luxury sunglasses.  Id. at *8.

The Court’s Decision

The Court granted Dior’s motion to dismiss under Rule 12(b)(6).  First, the Court explained that Plaintiff qualified as a “patient in a health care setting” under the dictionary definition of the term “patient,” and that Dior’s VTOT feature “facilitates the provision of a medical device that protects vision.” Id. at *8.  Similarly, the Court held that use of the VTOT technology constituted “health care,” which the dictionary defined as “efforts made to maintain or restore physical, mental, or emotional well-being especially by trained and licensed professionals.”  Id. at *9.

In addition, the Court reasoned that the relevant test was “not a user’s subjective understanding, but rather an objective application of the text of the exemption.” Id. at *8-9.  The Court opined that the outcome of the analysis should not change if a consumer uses the VTOT in search of primarily stylish sunglasses rather than protective ones.

Plaintiff attempted to distinguish Dior’s website from a “health care setting” by arguing that “[a]n artist prepping a canvas is not providing a health care service if they use a scalpel instead of an Xacto knife.”  Id. at *9.  As to that point, the Court concluded that the VTOT feature facilitated the purchase of sunglasses to wear on one’s face and protect one’s eyes, thus performing the product’s intended medical function rather than an unconventional purpose.

Similarly, the Court rejected Plaintiff’s attempts to analogize her case to BIPA suits against blood plasma centers, in which courts rejected application of the health care exemption.  Even if the cases applied the same definitions of “health care” and “patient,” the Court concluded that the removal of plasma for commercial purposes is not “health care because the purpose — at least from the plasma donors’ perspectives — was not to ‘maintain or restore physical, mental or emotional well-being’; it was to get paid.”  Id. at *11.

Finally, the Court notably denied Dior’s motion to dismiss under Rule 12(b)(1), rejecting Dior’s argument that Plaintiff failed to allege an injury-in-fact sufficient for Article III standing. The Court concluded that Plaintiff sufficiently alleged an injury-in-fact under Section 15(a) “because “unlawful retention of a person’s biometric data is as concrete and particularized an injury as an unlawful collection of a person’s biometric data.”   Id. at *11.

Accordingly, the Court granted Dior’s motion to dismiss on Rule 12(b)(6) grounds, but rejected Dior’s Article III standing argument and denied its motion based on Rule 12(b)(1).

Implications for Retailers

The Court’s decision in Warmack is a solid victory for fashion and apparel retailers, and indicates that courts are willing to expand the BIPA’s healthcare exemption to more retail-oriented environments, and adopt a plain reading of the statue rather than seeking to discern legislative intent. This ruling could have significant implications for personal care products retailers, especially those who utilize VTOT features to assess skin complaints such as aging, hyperpigmentation, and recommend treatments, and whether those defenses will draw regulatory scrutiny for purposed “drug” claims.

In the meantime, retailers should stay abreast of biometric data privacy laws in Illinois and beyond, and ensure that their privacy policies stay current with evolving nationwide legislation.

By Gerald L. Maatman, Jr. and Jennifer Riley

Duane Morris Takeaway: Privacy litigation – in a multitude of forms and theories – revealed itself as the hottest area of growth in terms of activity by the plaintiffs’ class action bar in 2022. The new year started off with a huge privacy ruling from the Illinois Supreme Court in Tims, et al. v. Black Horse Carriers, Case No. 127801 (Ill. Feb. 2, 2023), in which it held that a five-year statute of limitations applies to BIPA claims.

The Illinois Biometric Privacy Act Continued To Drive Lawsuits

In 2022, the plaintiffs’ class action bar continued to focus on businesses and vendors utilizing biometric technology and filed numerous class action lawsuits based on the Illinois Biometric Information Privacy Act, 740 ILCS 14/15 (BIPA).

Enacted in 2008, the BIPA regulates the collection, use, and handling of biometric identifiers and information by private entities. Subject to limited exceptions, the BIPA generally prohibits the collection or use of an individual’s biometric identifiers and biometric information without notice, written consent, and a publicly-available retention and destruction schedule.

Although Texas and Washington have implemented similar biometric protections, the BIPA provides for a private cause of action with aggressive statutory penalties allowing for $1,000 per violation and $5,000 per intentional or reckless violation. Because of this damages provision, the plaintiffs’ bar files almost all BIPA lawsuits as class actions. Plaintiffs have focused more than one-third of BIPA cases on fingerprinting and have focused roughly a quarter on facial recognition surveillance.

The most noteworthy BIPA case of the year was Rogers, et al. v. BNSF Railway Co., Case No. 19-CV-3083 (N.D. Ill.), the first federal jury trial in a case brought under the BIPA. After a week-long trial in the U.S. District Court for the Northern District of Illinois, a jury found that BNSF recklessly or intentionally violated the law 45,600 times and entered a verdict in favor of the class of 45,000 workers. The court thereafter awarded damages against BNSF of $228 million. BNSF subsequently filed a motion for a new trial arguing that none of the 45,000 class members suffered any actual harm and raising constitutional concerns about the BIPA. That motion remains pending for decision, and is almost sure to result in an appeal in 2023.

As BIPA class actions proliferate and businesses struggle to defeat such claims, the Illinois Supreme Court in early 2023 clarified the scope of the statute of limitations applicable to the BIPA in Tims, et al. v. Black Horse Carriers, Case No. 127801 (Ill. Feb. 2, 2023). The Illinois Supreme Court held that a five-year statute of limitations applies to claims under the BIPA. This ruling adds to the risks for employers and companies who do business in Illinois in terms of BIPA class action exposures. Given that the BIPA statute does not have an explicit statute of limitations, the Illinois Supreme Court’s ruling now provides clarity for litigants and attorneys in this space as to the scope of the putative classes in their lawsuits.

If employers have not already done so, now is time to make sure their timekeeping procedures and consent policies are legally compliant. The Tims ruling is apt to increase the plaintiff class action bar’s appetite for BIPA claims, so it is more important than ever for employers to make sure their procedures are legally sound

The Illinois Supreme Court is also due to issue its decision in Cothron v. White Castle System, Inc., No. 1280004 (Ill.), which will decide whether each fingerprint scan is its own discrete violation.  An adverse finding in Cothron could enhance BIPA class action exposures. In Cothron, et al. v. White Castle Systems, 2021 U.S. App. LEXIS 37593 (7th Cir. Dec. 20, 2021), the Seventh Circuit asked the Illinois Supreme Court to provide much-needed clarification on the accrual of BIPA violations, specifically whether certain BIPA claims accrue only once upon the initial collection or disclosure of biometric information or whether a claim accrues each time a company collects or discloses biometric information.

The Illinois Supreme Court likely will rule on these key BIPA matters in the early part of 2023 and the statute will continue to drive class action litigation. Its technical requirements, combined with stiff statutory penalties and fee-shifting, provide a recipe for attention from the plaintiff’s class action bar, and companies’ continued development and use of innovative technologies are apt to provide a veritable barrel of opportunity.

Class Action Suits Alleging Wiretapping Violations

A new wave of class action lawsuits filed in California, Florida, Massachusetts, and Pennsylvania targeted companies that use technologies to track user activity on their websites, based on the theory that such practices violate electronic interception provisions of various state laws when done without consent.

The plaintiffs’ bar grounded these claims in the electronic interception provisions of various state laws. Wiretap statutes like the California Invasion of Privacy Act, the Pennsylvania Wiretapping and Electronic Surveillance Act, and the Florida Security of Communications Act generally prohibit the unauthorized interception or disclosure of communications transmitted electronically.

The plaintiffs’ bar targeted technologies that track a user’s interactions with the website (e.g., clicking, scrolling, swiping, hovering and typing) and create a recording of those interactions and inputs – known as session replay software. They also attacked coding tools that create and store transcripts of conversations with users in a website’s chat feature. The plaintiffs in this new string of class actions allege that recording their interactions with a website and sending that recording to a third party for analysis without their consent is an illegal invasion of their privacy.

Recent decisions from the Ninth and Third Circuits fueled the swell of lawsuits alleging violations of these wiretap statutes. In May 2022, in Javier, et al. v. Assurance IQ, LLC, 2022 U.S. App. LEXIS 14951 (9th Cir. May 31, 2022), the Ninth Circuit held that the California Invasion of Privacy Act requires prior consent and explicitly rejected the argument that this wiretap statute allows a business to obtain consent to the use of session replay software after the recording already has begun. The Ninth Circuit, however, did not comment on what would amount to effective consent to the use of session reply software under the wiretap statute.

A few months later, the Third Circuit in Popa, et al. v. Harriet Carter Gifts, 2022 U.S. App. LEXIS 22707 (3d Cir. Aug. 16, 2022), ruled that an electronic interception violating the Pennsylvania Wiretapping and Electronic Surveillance Act occurred when the plaintiff visited a website to purchase a product and her interactions on that site were recorded and transmitted to a third-party marketing firm.

The Third Circuit concluded that the location of the interception was plaintiff’s browser, and it rejected the defendants’ argument that the wiretap statute did not apply because the third-party marketing firm’s servers – where the information was sent – were located in Virginia. If other circuits follow the Third Circuit’s approach, it could subject companies to liability under a state wiretap statute each time a user accesses its website from that state.

In each of the three lawsuits brought thus far in Pennsylvania, the class consisted of allegedly more than 5,000 individuals. This new wave of lawsuits alleging wiretap violations threatens to subject businesses to a substantial amount in penalties, including fines ranging from $1,000 to $50,000 per violation, depending on the state. If a violation occurs every time a user accesses a website in one of these states, the amount of penalties to which a company may be subject can balloon quickly.

More State Legislation Created And Expanded Data Privacy Rights

While Congress has refrained from addressing data privacy through federal legislation, many states have enacted their own laws, and 2022 saw significant state legislative activity regarding data privacy with five states preparing for new privacy laws to take effect in 2023, including California, Colorado, Connecticut, Utah, and Virginia.

On the heels of California’s enactment of the California Consumer Privacy Act (CCPA) in 2020, California businesses will need to comply with all requirements of the California Privacy Rights Act (CPRA) effective January 1, 2023. The CPRA expands the current CCPA private right of action by authorizing consumers to bring lawsuits arising from data breaches involving additional categories of personal information and is arguably the strictest data privacy law in the United States, which places California privacy law closer, in many respects, to Europe’s GDPR. With potential statutory damages ranging from $100 to $750 per consumer per incident, and breaches often involving hundreds of thousands or even millions of users, these types of claims will almost certainly lead to a sharp rise in class action litigation.

Virginia, Colorado, Connecticut, and Utah likewise enacted sweeping data privacy laws that will roll out in 2023. These laws are all similar in structure, but unlike California’s statute, which allows an individual to sue a company for alleged violations, enforcement will be left to the respective state attorneys general. Each of these laws provides for expanded consumer rights related to their data, including: (i) Right of access (i.e., allows for a consumer to access from a business/data controller the information or categories of information collected about a consumer); (ii) Right of deletion (i.e., right for a consumer to request deletion of personal information about the consumer under certain conditions; (iii) Right to opt-out (i.e., allows for a consumer to opt out of the sale of personal information about the consumer to third parties); (iv) Right of portability (allows for a consumer to request personal information about the consumer be disclosed in a common file format); and (v) Notice and transparency requirements (i.e., an obligation placed on a business to provide notice to consumers about certain data practices, privacy operations, and/or privacy programs).

The approach each state attorney general takes regarding enforcement of these new laws will provide lessons for other states looking to regulate consumer privacy in the absence of a federal standard and almost certainly will be closely monitored by the plaintiffs’ bar, as it attempts to draw from favorable rulings and to anticipate which state will enact the next plaintiff-friendly data privacy laws. 28 U.S.C. §1292(b), Rule 23(f) does not require the district court to certify an issue for appeal. Moreover, Rule 23(f) does not include the potentially limiting requirements of Section 1292(b), under which the district court can certify an issue for appeal only where an order “involve[s] a controlling question of law as to which there is substantial ground for difference of opinion” and where “an immediate appeal from the order may materially advance the ultimate termination of the litigation.”

Finally, class action litigants can appeal final orders issued by the district court under 28 U.S.C. § 1291, which states that “courts of appeals (other than the United States Court of Appeals for the Federal Circuit) shall have jurisdiction of appeals from all final decisions of the district courts of the United States.”