Author: Tyler Z. Zmick

Read Tyler's bio.
Posted on by Gerald L. Maatman, Jr.

Seventh Circuit Holds BIPA Amendment Applies Retroactively, Reversing Three Illinois Federal Court Decisions

By Gerald L. Maatman, Jr., Hayley Ryan, and Tyler Zmick

Duane Morris Takeaways: On April 1, 2026, in Clay et al. v. Union Pacific Railroad Co. et al., Nos. 25-2185 et al., 2026 WL 891902 (7th Cir. Apr. 1, 2026),  a three-judge panel of the U.S. Court of Appeals for the Seventh Circuit reversed three federal district court decisions and held that the August 2, 2024, amendment to Section 20 of the Illinois Biometric Information Privacy Act (“BIPA”) applies retroactively to cases pending at the time of enactment. The Seventh Circuit concluded that the amendment is remedial because it governs damages rather than liability and, therefore, applies retroactively under Illinois law.

This decision is a watershed win for BIPA defendants in the class action space. It significantly curtails potential exposure by confirming that plaintiffs may recover, at most, $5,000 in statutory damages for intentional violations or $1,000 for negligent violations per person, rather than on a per-scan basis that previously threatened astronomical liability.

Background

As the Seventh Circuit observed, “BIPA has become a font of high-stakes litigation.” Id. at *1.  In response to the Illinois Supreme Court’s decision in Cothron v. White Castle Sys., Inc., 216 N.E.3d 918, 926 (Ill. 2023), which held that BIPA claims accrue “with every scan or transmission” of biometric information, the Illinois General Assembly amended Section 20 of the BIPA in August 2024 to clarify the scope of recoverable damages. The amendment provides, in relevant part, that a private entity that collects or discloses “the same biometric identifier or biometric information from the same person using the same method of collection…has committed a single violation…for which the aggrieved person is entitled to, at most, one recovery under this Section.” 740 ILCS 14/20(b) (emphasis added).

The consolidated appeals arose from three cases asserting typical BIPA theories. Plaintiff Reginald Clay alleged that Union Pacific violated Section 15(b) by requiring repeated fingerprint scans to access the company’s facilities. Plaintiffs John Gregg and Brandon Willis alleged that their employers used biometric timekeeping systems in violation of Sections 15(a), (b), and (d).

The Seventh Circuit emphasized the extraordinary financial stakes. Plaintiff Clay alleged approximately 1,500 fingerprint scans – translating to $7.5 million in potential damages for a single plaintiff if damages were calculated on a per-scan basis.  2026 WL 891902 at *2.  In contrast, the putative class claims in Plaintiff Willis’ case exposed the defendant to billions of dollars in potential liability. Id.  The three interlocutory appeals posed the same legal question: whether the 2024 amendment to BIPA Section 20 applies retroactively to limit such exposure.

The Seventh Circuit’s Decision

The Seventh Circuit answered that question with a definitive “yes.” It held that the amendment to Section 20 applies retroactively to pending cases. Id. at *3. 

Applying Illinois retroactivity principles, the Seventh Circuit explained that where the legislature is silent on the temporal reach of the amendment, as here, courts look to Section 4 of the Illinois Statute on Statutes, which, in turn, directs the court to determine whether the amendment is substantive or procedural. Id. (citing Perry v. Dep’t of Fin. & Pro. Regul., 106 N.E.3d 1016, 1026-27 (Ill. 2018)). 

The Seventh Circuit concluded that the amendment is remedial and, therefore, procedural, because it governs damages rather than underlying liability. Id. at *4.  Central to this determination was the statutory text and structure. The legislature amended Section 20, which addresses liquidated damages, rather than Section 15, which sets forth the substantive requirements governing the collection and disclosure of biometric data.  The Seventh Circuit emphasized that the amendment does not alter “the rights, duties, and obligations of persons to one another,” which are the defining characteristics of substantive changes. Id. (citing Perry, 106 N.E.3d at 1034). Instead, the amendment focuses exclusively on the remedies available once a violation has been established.

The appellees argued that the Illinois Supreme Court’s decision in Cothron established that each biometric scan constitutes a separate “violation,” and that the amendment therefore effected a substantive change by transforming thousands of violations into a single recoverable event, thus “terminating millions of dollars of liability.” Id. at *4. The Seventh Circuit rejected this position, reasoning that it both misinterprets the statute and overstates Cothron’s holding. Id. at *5. The Court clarified that Cothron addressed only when claims accrue under Section 15 and did not consider the meaning of “violation” for purposes of damages under Section 20. Id.  According to the Seventh Circuit, that distinction was dispositive. Id.

Ultimately, the Seventh Circuit determined that the amendment does not alter the number of violations or the injuries alleged by plaintiffs but instead limits the damages that may be awarded for those violations.  As the Seventh Circuit explained, the amendment “simply changed the statutory award of damages available to plaintiffs, cabining the discretion of trial court judges when they fashion the remedy.” Id. at *6.  Accordingly, the Court held that the amendment is remedial in nature and applies retroactively. Id. at *7. It therefore reversed the district court decisions that had concluded otherwise. Id.

Implications for Companies

Clay is one of the most consequential BIPA defense rulings in years. It materially reshapes the litigation landscape in several key respects:

  • Caps on exposure: The decision eliminates the “per-scan” damages theory asserted by plaintiffs that drove outsized settlement pressure and bet-the-company risk.
  • Immediate impact on pending cases: Defendants in ongoing litigation now have strong grounds to limit damages and revisit class certification, settlement posture, and jurisdictional arguments.
  • Strategic leverage: The ruling provides powerful leverage in motion practice and settlement negotiations, particularly where plaintiffs previously relied on inflated damages models.
  • Deterrence of new filings: By significantly reducing potential recoveries, Clay may dampen the volume of new BIPA filings and recalibrate plaintiffs’ bar incentives.

In sum, Clay delivers a decisive, defense-friendly interpretation of BIPA’s damages framework. Companies facing biometric privacy claims should promptly assess how this ruling affects their litigation strategy and potential exposure.

Posted on by Gerald L. Maatman, Jr.

AbbVie Defeats Genetic Privacy Class Action Because Request For Plaintiff’s Family Medical History Was Not A “Condition Of Employment”

By Gerald L. Maatman, Jr., Tyler Zmick, and Hayley Ryan

Duane Morris Takeaways:  In Henry v. AbbVie, Inc., No. 23-CV-16830 (N.D. Ill. Mar. 20, 2026), Judge Manish S. Shah of the U.S. District Court for the Northern District of Illinois granted defendant’s motion for summary judgment and dismissed a claim brought under the Illinois Genetic Information Privacy Act (“GIPA”). In his ruling, Judge Shah determined that the alleged request for plaintiff’s family medical history (which history Plaintiff did not provide) during his pre-employment medical screening was not a “condition of employment.” The decision is welcome news for employers that ask employees to undergo medical exams. The ruling indicates that an employer does not necessarily request genetic information “as a condition of employment” by requiring an employee to undergo a medical exam (even if an employee is asked to disclose genetic information during the exam).

Background

Plaintiff Daniel Henry was assigned to work for Defendant AbbVie, Inc., a biopharmaceutical company. During the onboarding process, Plaintiff was required to undergo a “medical surveillance,” which included “questionnaires, blood work, and a brief physical exam.” Henry v. AbbVie, Inc., 2026 WL 788630, at *2 (N.D. Ill. Mar. 20, 2026).

AbbVie used Premise Health, a third-party healthcare provider, to conduct Plaintiff’s medical screening. During the screening, Premise Health nurses asked Plaintiff to complete a written questionnaire and to undergo a physical examination. “Section U” of the questionnaire asked for Plaintiff’s genetic information (specifically, his family medical history), though Plaintiff did not complete that part of the form. Plaintiff claimed that nurses also verbally asked for his family medical history during the physical exam. After the exam, Plaintiff worked at an AbbVie facility in Illinois for four months.

Plaintiff subsequently sued AbbVie under the GIPA, alleging that the company violated Section 25(c)(1) of the statute by “solicit[ing], request[ing], [or] requir[ing] . . . genetic information of a person or a family member of the person . . . as a condition of employment [or] preemployment application.”  410 ILCS 513/25(c)(1).

AbbVie first responded to Plaintiff’s Complaint by moving to dismiss under Federal Rule of Civil Procedure 12(b)(6). Judge Shah denied AbbVie’s motion to dismiss after determining that the family medical history information sought during the medical screening constituted “genetic information” under the GIPA. See Henry v. AbbVie, Inc., 2024 WL 4278070, at *5-6 (N.D. Ill. Sept. 24, 2024).

AbbVie later moved for summary judgment, arguing that: (1) AbbVie did not request Plaintiff’s genetic information because third-party Premise Health (not AbbVie) conducted the screening; (2) even if AbbVie requested Plaintiff’s genetic information, the request was inadvertent because the medical questionnaire instructed Plaintiff to not disclose genetic information; and (3) AbbVie did not condition Plaintiff’s work status or assignment on any request for his genetic information.

The Court’s Decision

The Court granted AbbVie’s motion for summary judgment. While the Court was not persuaded by AbbVie’s first two arguments, it concluded that AbbVie’s third argument warranted dismissal of Plaintiff’s GIPA claim.

Request for Genetic Information

The Court first considered whether AbbVie can be characterized as having requested Plaintiff’s family medical history despite third-party Premise Health having conducted the medical screening. In answering in the affirmative, the Court relied on the GIPA’s incorporation of certain protections found in the federal Genetic Information Nondiscrimination Act (“GINA”). See 410 ILCS 513/25(a) (“An employer … shall treat genetic testing and genetic information in such a manner that is consistent with the requirements of federal law, including but not limited to [GINA].”). The Court cited a regulation promulgated under GINA providing that an employer that requires employees or applicants to undergo medical examinations “must tell health care providers not to collect genetic information, including family medical history, as part of a medical examination intended to determine the ability to perform a job.” 29 C.F.R. § 1635.8(d). Based on this federal regulation, the Court concluded that AbbVie “[n]ot telling Premise Health to elicit genetic information is not enough; the [GIPA] requires an affirmative instruction not to elicit it.” Henry, 2026 WL 788630, at *5.

Inadvertent Disclosure

AbbVie’s second argument turned on the GIPA’s “inadvertent exception,” which states that “inadvertently requesting family medical history by an employer … does not violate this Act.” 410 ILCS 513/25(g). The Court observed that AbbVie’s health questionnaire advised Plaintiff to “not provide any genetic information, including family medical history.” Henry, 2026 WL 788630, at *6 (citation omitted). Thus, the Court held that the inadvertent exception barred Plaintiff’s claim to the extent it was premised on the written questionnaire. See id. (“The disclaimer on AbbVie’s form was enough to make any disclosure on the form inadvertent.”). But the Court determined that the exception did not necessarily bar Plaintiff’s claim to the extent it was premised on nurses orally asking for his family medical history. See id. (“[T]he written disclaimer in the form does not necessarily mean that [Plaintiff] knew that he should not disclose genetic information in response to verbal questions during his physical exam.”) (emphasis added).

Request as a Condition of Employment

Finally, the Court turned to AbbVie’s argument that Plaintiff’s claim failed because any request for his family medical history was not a condition of his employment. See 410 ILCS 513/25(c)(1) (an employer may not “solicit, request, [or] require … genetic information of a person or a family member of the person … as a condition of employment [or] preemployment application”) (emphasis added). The Court agreed with AbbVie and granted the company’s motion for summary judgment on this basis, holding that no genuine issue of material fact existed regarding AbbVie’s request for Plaintiff’s family medical history not having been a condition of his employment. The Court further noted that “the request for genetic information on the written questionnaire was not a condition of [Plaintiff’s] employment, for the simple fact that [Plaintiff] did not fill out that section and it did not affect his employment with AbbVie.” Henry, 2026 WL 788630, at *6.

Moreover, the Court concluded that even if Plaintiff was required to undergo a medical exam to be eligible to work at AbbVie, that did not mean that the verbal request for his family medical history (made during the exam) was a condition of his employment. See id. at *7. The Court thus recognized an important distinction between (i) AbbVie requiring Plaintiff to undergo a medical screening as a condition of employment and (ii) AbbVie specifically requesting Plaintiff’s family medical history as a condition of employment. See id. (“[T]hat [Plaintiff] could not decline to complete his medical surveillance does not create a genuine dispute over whether the verbal request during his exam was a condition of his employment. The undisputed evidence is that a contractor could decline parts of the surveillance and still have the surveillance considered completed.”). Accordingly, because AbbVie did not condition Plaintiff’s employment on a request for his genetic information, the Court granted summary judgment in the company’s favor.

Takeaways For Companies

As noted in a prior blog post, recent decisions suggest that courts may be hesitant to dismiss GIPA claims (especially at the pleading stage). Given the GIPA statute’s strict penalty provision – under which statutory damages can quickly become significant ($2,500 per negligent violation and $15,000 per intentional or reckless violation, see 410 ILCS 513/40(a)(1)-(2)) – we have advised employers to ensure they comply with the statute regarding any health screenings they ask applicants or employees to complete (including by explicitly advising applicants and employees not to disclose their family medical histories during the screenings).

In this plaintiff-friendly litigation landscape, the Henry decision comes as welcome news for GIPA defendants and companies that have employees undergo medical screenings. Importantly, Henry suggests that an employer does not necessarily violate the GIPA by requesting an employee’s genetic information “as a condition of employment” by merely directing her to undergo a medical exam (during which the employee may or may not be asked to provide her family medical history).

Posted on by Gerald L. Maatman, Jr.

Illinois Supreme Court Rules That Employees Must Be Paid For Pre-Shift COVID-19 Screenings Under Illinois Wage Law

By Gerald L. Maatman, Jr., Jennifer A. Riley, and Tyler Zmick

Duane Morris Takeaways:  In Johnson, et al. v. Amazon.com Services, LLC, 2026 IL 132016 (Mar. 19, 2026), the Illinois Supreme Court held that unlike the federal Fair Labor Standards Act (“FLSA”), Illinois’s Minimum Wage Law (“IMWL”) requires employers to compensate hourly employees for time spent completing pre-shift COVID-19 screenings and other “preliminary or postliminary” activities. In doing so, the Illinois Supreme Court embraced an employee-friendly interpretation regarding the scope of compensable time under the IMWL. Johnson is a must-read opinion for companies that impacts all employers with hourly, non-exempt employees working in Illinois.

Background

Plaintiffs were former hourly Amazon employees who worked at the company’s distribution warehouses in Illinois. In March 2020, in response to the COVID-19 pandemic, Amazon began requiring employees to undergo COVID-19 symptom screenings before they could enter the warehouses and clock in for their shifts. According to Plaintiffs, it “took 10 to 15 minutes on average” to complete the pre-shift screenings. See Johnson, 2026 IL 132016,¶ 4.

Plaintiffs subsequently filed a class action lawsuit alleging that Amazon violated the FLSA and IMWL by not paying them and other warehouse employees for time spent undergoing the mandatory screenings.

Amazon moved to dismiss Plaintiffs’ Complaint under Federal Rule of Civil Procedure 12(b)(6), arguing that Plaintiffs’ claims failed because under the FLSA an hourly employee need not be compensated for time spent on “activities which are preliminary to or postliminary to” the employee’s principal work duties. See 29 U.S.C. § 254 (a)(2). In granting Amazon’s motion and dismissing Plaintiffs’ FLSA and IMWL claims, the U.S. District Court for the Northern District of Illinois reasoned that “state and federal courts frequently look to case authority interpreting and applying the FLSA for guidance in interpreting the [IMWL].” Johnson, 2026 IL 132016,¶ 7.

Plaintiffs appealed to the U.S. Court of Appeals for the Seventh Circuit. Rather than ruling on the substance of the appeal, however, the Seventh Circuit certified the following question to the Illinois Supreme Court: “whether Section 4a of [the IMWL] incorporates the [FLSA’s] exclusion from compensation for ‘employee activities that are preliminary or postliminary to their principal activities.’” Id. ¶ 1.

The Illinois Supreme Court’s Decision

The Illinois Supreme Court began its analysis by noting that the IMWL provides “a right of overtime compensation for Illinois employees” and also sets forth 10 “specific exceptions to the general right to overtime compensation.” Johnson, 2026 IL 132016,¶ 12 (citing 820 ILCS 105/4a(1)-(2)). Importantly, the Court observed that four of Section 4a(2)’s 10 exceptions incorporate certain provisions of the FLSA and/or related federal regulations, yet none of the exceptions reference FLSA regulations regarding the exclusion of “preliminary or postliminary activities” from the definition of compensable time. See id. ¶¶ 14, 16.

The Illinois Supreme Court further noted that the IMWL gives the Illinois Director of the Department of Labor (“IDOL”) authority to define the IMWL’s terms. See 820 ILCS 105/10(a). Pursuant to that authority, IDOL promulgated a regulation defining “hours worked” as “all the time an employee is required to be on duty, or on the employer’s premises, or at other prescribed places of work, and any additional time the employee is required or permitted to work for the employer.” 56 Ill. Adm. Code 210.110. In addition to acknowledging the breadth of this definition, the Illinois Supreme Court emphasized that while IDOL referenced provisions of the FLSA and related federal regulations in certain statutory definitions, IDOL did not reference the FLSA regulations “that establish a preliminary or postliminary activities exclusion from ‘hours worked.’” Johnson, 2026 IL 132016 ¶ 16; see also id. (“To the contrary, IDOL defines ‘hours worked’ to include all time an employee is required to be on the employer’s premises, which contradicts the potential applicability of any such exclusion.”).

Accordingly, the Illinois Supreme Court held that a plain reading of Section 4a and IDOL’s definition of “hours worked” reveals that the Illinois legislature did not incorporate the FLSA’s “preliminary and postliminary activities exclusion” into the IMWL. Rather, the legislature delegated the authority to define “hours worked” to IDOL, who “adopted a definition of ‘hours worked’ that necessarily includes preliminary and postliminary activities, explicitly encompassing all time that an employee is required to be on an employer’s premises.” Id. ¶ 18.

In so holding, the Illinois Supreme Court rejected Amazon’s argument that the FLSA’s “preliminary and postliminary activities exclusion” should apply to the IMWL because the IMWL’s general overtime provision “is patterned after the general overtime provision found in…the FLSA.” Id. ¶ 19. The Court reasoned that “while section 4a of the [IMWL] contains the same general overtime provision of the FLSA, it does not include the preliminary and postliminary activity exclusion that is set forth in the FLSA….[T]o accept Amazon’s invitation would be to read exceptions into the statute that depart from its plain language, in violation of our well-established rules of statutory interpretation.” Id. ¶ 20.

Implications Of The Decision

The Illinois Supreme Court’s opinion in Johnson is required reading for companies with hourly employees working in Illinois. The decision definitively answers the question whether the IMWL incorporates the FLSA’s “preliminary or postliminary activities exclusion” – a question that, until now, has been heavily litigated.

Johnson is also a reminder of the importance of complying with federal and state wage-and-hour statutes, as laws in many jurisdictions (including Illinois) impose additional requirements on employers that are not found in the FLSA. See, e.g., Johnson, 2026 IL 132016, ¶ 20 (noting that the overtime provisions of the IMWL and the FLSA “are not parallel but rather state the same general rule with marked differences in their respective statements of exceptions”). Companies must be vigilant to ensure they comply with wage-and-hour laws in all jurisdictions where they have hourly employees.

Posted on by Gerald L. Maatman, Jr.

Illinois State Court Grants Certification Of BIPA Class Comprised Of Customers Who Used Apple’s Siri Function

By Gerald L. Maatman, Jr., Hayley Ryan, and Tyler Zmick

Duane Morris Takeaways:  In Zaluda et al. v. Apple, Inc., Case No. 2019 CH 11771, (Cir. Ct. Cook Cnty., Ill. Jan. 29, 2026), Judge Michael T. Mullen of the Circuit Court of Cook County, Illinois granted class certification to a class of plaintiffs alleging that Apple’s Siri function violated the Illinois Biometric Information Privacy Act (“BIPA”).  In doing so, Judge Mullen delivered a significant setback to Apple’s efforts to block the certification of a purported class that could number in the millions.  Pre-certification discovery established that there were approximately 2.6 to 3.9 million Siri users in Illinois during the relevant class period.

This decision represents the latest success for the plaintiffs’ bar in a string of victories in Illinois privacy class actions (as we previously blogged about here and here) and underscores that even the largest and most sophisticated companies in the world face substantial legal exposure arising from their biometric data collection, retention, and use practices.

Background

Apple’s voice-activated digital assistant, “Siri,” uses speech recognition technology to understand and respond to user inquiries and to perform user-requested tasks. Siri comes pre-loaded on a wide range of Apple devices, including iPhones, iPads, HomePods, Apple Watches, Macbooks, iMacs, and AirPods.

Siri relies on an automatic speech recognition (“ASR”) process that “automatically and uniformly computes biometric feature vectors [] from every user utterance for every Siri user,” and that process functions uniformly across all Apple devices. Id. at 4. These “feature vectors” are capable of being used to identify a speaker. Id. at 3. During the relevant class period, Apple’s privacy policies and disclosures applicable to Siri users were uniform and did not include the notice, consent, or retention policy disclosures required by the BIPA. Id. at 4.

Apple sorts its records to identify device users based on their state of residence or telephone number area code. Id. at 5. Apple’s former Senior Director of Siri testified at his deposition that Apple tracks the percentage of device owners who enable Siri and that approximately 20% to 30% of all device owners do so. Based on those figures, Apple estimated that there were approximately 2.6 to 3.9 million Siri users in Illinois during the relevant period at issue in the lawsuit. Id. at 3, 5.

Against this backdrop, plaintiffs filed a class action lawsuit alleging that Apple violated the BIPA by collecting, capturing, storing and/or disseminating “biometric feature vectors” and/or “voiceprints” of millions of Illinois residents who used Siri on any Apple device without first providing the required disclosures, obtaining informed written consent, or maintaining publicly available written data retention and destruction guidelines. Id. at 2. Plaintiffs sought certification of a class consisting of all Illinois residents who used Siri on any Apple device on or after September 19, 2014. Id. at 5. Notably, pre-certification discovery revealed that there were more than 13 million unique Apple IDs associated with a billing address in Illinois and an Apple device capable of running Siri. Id. at 5 n.20.

The Court’s Ruling

In ruling in favor of the plaintiffs, Judge Mullen systematically rejected Apple’s arguments that plaintiffs failed to satisfy the requirements for class certification under 735 ILCS 5/2-801. Given the size of the purported class, Apple stipulated to numerosity for purposes of class certification. Id. at 8.

With respect to the adequacy requirement, Apple argued that the named plaintiffs were inadequate representatives because they lacked sufficient knowledge about the case and because three of them no longer reside in Illinois. Id. at 18. The Court rejected those arguments. After reviewing the named plaintiffs’ deposition testimony, the Court found that each plaintiff demonstrated a basic understanding of the claims and emphasized that class representatives are not “required to be experts.”  Id. The Court further concluded that each named plaintiff was an Illinois resident at some point during the proposed class period and that there was no evidence of any conflict between the interests of any named plaintiff and the interests of absent class members. Id.

The Court also found that common questions of law and fact predominated over any questions affecting individual members, and that a class action was an appropriate method for adjudicating the claims.  Id. at 17, 22. Apple argued that commonality and predominance were lacking because: (1) Siri is optional and not all Apple device users enable it; (2) Siri users do not all activate Siri in precisely the same manner; and (3) Siri’s speech recognition functions changed during the class period. Id. The Court rejected each contention.

First, the Court explained that users who never enabled Siri are not members of the proposed class, rendering that argument irrelevant. Id. Second, the Court concluded that regardless of how Siri is activated, Plaintiffs plausibly alleged that Siri’s ASR process uniformly generates feature vectors that are capable of identifying a speaker from all user utterances. Id. The Court further reasoned that the optional Siri features cited by Apple do not undermine plaintiffs’ claims based on Siri’s ASR process and, at most, could give rise to additional BIPA claims for users who opted in to those features. Id. at 11-12. Third, the Court found that alleged changes to Siri’s speech recognition functions during the class period did not alter the uniform operation of the ASR process and therefore did not defeat commonality or predominance. Id. at 12.

Apple also contended that class membership could only be established through “individualized” proof, which it argued defeated certification. Id. at 14. The Court disagreed. Citing Svoboda v. Amazon.com, Inc., 2024 WL 1363718, *10 (N.D. Ill. Mar. 30, 2024) (which we previously blogged about here), the Court held that issues concerning how class members are identified are matters of class management, not class certification. Id. at 16. The Court explained that, if liability is established, class members could submit affidavits attesting to their Siri use in Illinois, which could then be cross-checked against Apple IDs, home addresses, IP addresses, and geolocation data. Id.

Finally, the Court concluded that proceeding on a class basis was the most efficient and fair method of adjudication. Id. at 22. The Court noted that Apple’s implicit alternative (i.e., requiring millions of individual BIPA lawsuits by Illinois Siri users) would impose a severe burden the judicial system. Id. at 21.

Implications for Companies

This decision serves as a reminder of the significant risks associated with collecting or retaining biometric information without BIPA-compliant policies and practices. As Zaluda illustrates, the larger the company, the larger the potential class size (and the greater exposure to statutory damages). Although the ultimate size of the certified class remains to be determined, it is likely to number in the millions. Companies of all sizes should view this ruling as a wake-up call regarding the substantial liability that can result from noncompliance with Illinois’ biometric privacy laws.

Posted on by Gerald L. Maatman, Jr.

Seventh Circuit Affirms Certification Of BIPA Class Comprised Of Customers Who Used Amazon’s “Virtual Try-On” Tool 

By Gerald L. Maatman, Jr. and Tyler Zmick

Duane Morris Takeaways:  In Svoboda, et al. v. Amazon.com Inc., No. 25-1361, 2025 WL 3654053 (7th Cir. Dec. 17, 2025), a panel of the U.S. Court of Appeals for the Seventh Circuit affirmed an order granting class certification in a case alleging that Amazon’s “virtual try-on” technology violated the Illinois Biometric Information Privacy Act (“BIPA”). In doing so, the Seventh Circuit dealt Amazon a significant blow by allowing Plaintiffs to proceed on behalf of a class comprised of hundreds of thousands of people who used Amazon’s technology. The Svoboda decision is the most recent example of the plaintiffs’ bar successfully obtaining class certification in an Illinois privacy class action, and it shows that even the most sophisticated companies can face exposure arising out of their data collection and retention practices. 

Background

Plaintiffs alleged that Amazon sells makeup and eyeware products through its mobile shopping application and that the company’s “virtual try-on” (“VTO”) technology incorporates augmented reality to overlay the products on images of users, allowing shoppers to see how makeup and eyewear products look on their faces. To superimpose a product over an image of a user’s face, Plaintiffs claimed that the VTO software detects a person’s facial features to determine where to virtually overlay a given makeup or eyewear product.

Based on these allegations, Plaintiffs filed a class action in September 2021, claiming that Amazon violated the BIPA by collecting, capturing, storing, or otherwise obtaining the facial geometry and associated personal identifying information of thousands of Illinois residents who used Amazon’s VTO technology.

On March 30, 2024, Judge Jorge L. Alonso of the U.S. District Court for the Northern District of Illinois certified a class of individuals who used the VTO feature on Amazon’s mobile website or app while in Illinois on or after September 7, 2016 (our previous blog post on the district court’s order can be found here). Amazon subsequently appealed the class certification order to the Seventh Circuit.

The Seventh Circuit’s Opinion

On appeal, the Seventh Circuit affirmed the class certification order and held that the district court did not abuse its discretion in certifying a class of Amazon VTO users within Illinois.

The Seventh Circuit began by identifying Federal Rule of Civil Procedure 23(a)’s four class-certification requirements (i.e., numerosity, commonality, typicality, and adequacy) and by explaining that Plaintiffs must also satisfy Rule 23(b)(3), which requires that “questions of law or fact common to class members predominate” over individual questions and that “a class action is superior to other available methods for fairly and efficiently adjudicating the controversy.” The Seventh Circuit further noted that Amazon’s appeal challenged the district court’s order only with respect to Rule 23(b)(3)’s predominance and superiority requirements.

In affirming the district court’s predominance ruling, the Seventh Circuit found that the same conduct (specifically, Amazon’s alleged use of the VTO application) unites Plaintiffs’ BIPA claims and that issues relating to the functionality of the VTO software, Amazon’s alleged use of class members’ biometric data, and legal questions about whether that use violated the BIPA were common to the class and could be resolved by the district court “in one stroke.”

The Seventh Circuit then turned to the individualized questions identified by Amazon, including the question of whether a class member was in Illinois at the time he or she used Amazon’s VTO tool. Regarding this “locational element,” the Seventh Circuit observed that class members must prove that they were in Illinois when they used the VTO tool to have viable BIPA claims and that the lack of such proof also raised questions relating to class member identification and manageability. The Seventh Circuit further acknowledged that common proof of location may only be available for a subset of claimants, while “individualized inquiries will be necessary for others.” Id. at *5 (“For example, where billing address and geolocation data point to different states, or are unavailable for an alleged VTO use, individual affidavits or other proof will be necessary to show that the claimant used the VTO in Illinois.”).

The Seventh Circuit ultimately ruled that the location of potential class members could generally be determined using (i) users’ billing addresses, (ii) users’ IP addresses and geolocation data, and (iii) personal affidavits from class members attesting that they used the VTO application while in Illinois, and that individualized questions connected to proof of location would not predominate over common questions. See also id. (“[I]t is not uncommon for class actions to have a ‘final phase’ for class members to submit individualized proof of a claim….A phase requiring individual presentations of proof on all (or part of) an element of a claim does not defeat predominance. Stated another way, an individual question does not predominate where common questions of law and fact relevant to liability otherwise generate significant efficiencies and the individual question is manageable.”) (citation omitted). The Seventh Circuit also rejected Amazon’s due process challenge to the district court’s predominance finding because the company would have the opportunity to challenge class members’ individual proof of location.

Implications For Corporate Counsel

Svoboda is one of many cases demonstrating the dangers associated with collecting or retaining biometric information without implementing BIPA-compliant policies. The opinion is also a reminder that the larger the company, the larger the potential class size (and accompanying statutory damages award). The class in Svoboda contained over one hundred thousand individuals, illustrating the potentially significant exposure associated with running afoul of Illinois privacy laws.

Corporate counsel should also remember that the Seventh Circuit’s discussion in Svoboda applies to all class actions (not just those alleging BIPA violations) in which it may not be possible to identify a class member’s location at the time of the alleged privacy violation. As noted above, due process does not require that class counsel be able to uncover such information for all class members at the certification stage. See also, e.g., Mullins v. Direct Digital, LLC, 795 F.3d 654, 672 (7th Cir. 2015) (“[C]ourts should not decline certification merely because the plaintiff’s proposed method for identifying class members relies on affidavits.”).

Posted on by Gerald L. Maatman, Jr.

Illinois Supreme Court Imposes Stricter Standing Test For “No-Injury” Class Actions Premised On Statutory Violations

By Gerald L. Maatman, Jr., Tyler Zmick, and Hayley Ryan

Duane Morris Takeaways:  In Fausett v. Walgreen Co., 2025 IL 131444 (Nov. 20, 2025), the Illinois Supreme Court narrowly construed the private right of action set forth in the federal Fair Credit Reporting Act (FCRA), holding that because the FCRA does not explicitly authorize consumers to sue for violations, the law does not authorize individual lawsuits unless a consumer shows that a violation caused a concrete injury. Thus, at least for FCRA actions, a plaintiff must now allege a “concrete injury” in Illinois state courts similar to what a plaintiff must allege to establish Article III standing in federal courts. This is a significant development, as Illinois courts have not previously required “concrete-injury” allegations for statutory claims under the state’s more liberal standing test.

Fausett is therefore a must-read opinion that represents an obstacle for future plaintiffs pursuing “no-injury” claims premised on the FCRA, in addition to other federal statutes containing similar private rights of action.

Case Background

Plaintiff alleged that Defendant violated the Fair and Accurate Credit Transactions Act (FACTA) – a provision of the FRCA – by printing a receipt containing more than the last five digits of her debit card number. Plaintiff sought statutory damages for the alleged FACTA violation, though she did not claim the violation led to actual harm by, for example, a third party using the receipt to steal her identity.

Plaintiff moved to certify a class of individuals for whom Defendant printed receipts containing more than the last five digits of their payment card numbers. In granting class certification, the trial court rejected Defendant’s argument that Plaintiff had no viable claim due to lack of standing. The trial court reasoned that Illinois courts are not bound by the same jurisdictional restrictions applicable to federal courts and that the Illinois Supreme Court’s decision in Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186, established that “a violation of one’s rights afforded by a statute is itself sufficient for standing.” Fausett, 2025 IL 3237846, ¶ 15. The Illinois Appellate Court affirmed the trial court’s class certification order, and Defendant subsequently appealed to the Illinois Supreme Court.

The Illinois Supreme Court’s Decision

The issue before the Illinois Supreme Court was whether standing existed in Illinois courts for a plaintiff alleging a FACTA violation that did not result in actual harm.

The Court began by distinguishing the standing doctrines applied in Illinois state courts vs. federal courts. The Court observed that Illinois courts are not bound by federal standing law and that Illinois standing principles apply to all claims pending in state court – even those premised on federal statutes.

The Court then identified the two different types of standing that exist in Illinois courts, including: (1) common-law standing, which – like Article III – requires an injury in fact to a legally recognized interest; and (2) statutory standing, which requires the fulfillment of statutory conditions to sue for legislatively created relief. See id. ¶ 39 (for statutory standing, the legislature creates a right of action and determines “who shall sue, and the conditions under which the suit may be brought”) (citation omitted). The Court further noted that a statutory violation, without actual harm, can establish statutory standing only where the statute specifically authorizes a private lawsuit for violations.

Turning to Plaintiff’s FACTA lawsuit, the Court determined that Plaintiff’s claim could not invoke statutory standing because the FCRA’s liability provisions “fail to include standing language. In other words, Congress did not expressly define the parties who have the right to sue for the statutory damages established in FCRA.” Id. ¶ 40; see also id. ¶ 44 (“the plain and unambiguous language” of the FCRA “does not state the consumer or an aggrieved person may file the cause of action”). Thus, because the FCRA is “silent as to who may bring the cause of action for damages,” Plaintiff’s FACTA claim “does not implicate statutory standing principles, and thus common-law standing applies to plaintiff’s suit.” Id.

As for common law standing, the Court concluded that Plaintiff’s claim did not satisfy Illinois’s common law standing test, under which an alleged injury, “whether actual or threatened, must be: (1) distinct and palpable; (2) fairly traceable to the defendant’s actions; and (3) substantially likely to be prevented or redressed by the grant of the requested relief.” Id. ¶ 39 (quoting Petta v. Christie Business Holdings Co., P.C., 2025 IL 130337, ¶ 18). The injury alleged must also be concrete – meaning that a plaintiff alleging only a purely speculative future injury lacks a sufficient interest to have standing.

The Court held that Plaintiff failed to allege or prove a concrete injury because she conceded that she was unaware of any harm to her credit or identity caused by the alleged FACTA violation, and she could not identify anyone who had even seen her receipts “beyond the cashier, herself, and her attorneys.” See id. ¶ 48. Thus, Plaintiff could only show an increased risk of identity theft – something the Court has found to be insufficient to confer standing for a complaint seeking money damages. Because Plaintiff lacked a viable claim due to lack of standing, the Court held that the trial court abused its discretion in granting Plaintiff’s motion for class certification.

Implications Of The Fausett Decision

Fausett will impact FCRA class actions in a significant manner by precluding plaintiffs from bringing certain “no-injury” class actions in Illinois state courts. Federal courts have regularly dismissed such claims for lack of Article III standing based on the U.S. Supreme Court’s decision in Spokeo, Inc. v. Robins, 578 U.S. 330 (2016).

Fausett now forecloses plaintiffs from refiling the same claims in Illinois state courts, leaving plaintiffs without a venue to prosecute no-injury FCRA claims in Illinois. Importantly, the Fausett decision will likely reach beyond the FCRA context, as other federal consumer-protection statutes contain liability provisions with private-right-of-action language similar to the language found in the FCRA.

Posted on by Gerald L. Maatman, Jr.

California Federal Court Dismisses Adtech Class Action For Failure To Specify Highly Offensive Invasion Of Privacy

By Gerald L. Maatman, Jr., Justin R. Donoho, Tyler Zmick, and Hayley Ryan

Duane Morris Takeaways:  On October 30, 2025, in DellaSalla, et al. v. Samba TV, Inc., 2025 WL 3034069 (N.D. Cal. Oct. 30, 2025), Judge Jacqueline Scott Corley of the U.S. District Court for the Northern District of California dismissed a complaint brought by TV viewers against a TV technology company alleging that the company’s provision of advertising technology in the plaintiffs’ smart TVs committed the common law tort of invasion of privacy and violated the Video Privacy Protection Act (“VPPA”), the California Invasion of Privacy Act (“CIPA”), and California’s Comprehensive Computer Data Access and Fraud Act (“CDAFA”).  The ruling is significant as it shows that in the hundreds of adtech class actions across the nation alleging that adtech violates privacy laws, plaintiffs do not plausibly state a common law claim for invasion of privacy unless they specify in the complaint the information allegedly disclosed and explain how such a disclosure was highly offensive.  The case is also significant in that it shows that the VPPA does not apply to video analytics companies, and that California privacy statutes do not apply extraterritorially to plaintiffs located outside California.

Background

This case is one of a legion of class actions that plaintiffs have filed nationwide alleging that third-party technology captured plaintiffs’ information and used it to facilitate targeted advertising. 

This software, often called advertising technologies or “adtech,” is a common feature of millions of consumer products and websites in operation today.  In adtech class actions, the key issue is often a claim brought under a federal or state wiretap act, a consumer fraud act, or the VPPA, because plaintiffs often seek millions (and sometimes even billions) of dollars, even from midsize companies, on the theory that hundreds of thousands of consumers or website visitors, times $2,500 per claimant in statutory damages under the VPPA, for example, equals a huge amount of damages.  Plaintiffs have filed the bulk of these types of lawsuits to date against healthcare providers, but they have filed suits against companies that span nearly every industry including retailers, consumer products, universities, and the adtech companies themselves.  Several of these cases have resulted in multimillion-dollar settlements, several have been dismissed, and the vast majority remain undecided. 

In DellaSalla, the plaintiffs brought suit against a TV technology company that embedded a chip with analytics software in plaintiffs’ smart TVs.  Id. at *1, 5.  According to the plaintiffs, the company intercepted the plaintiffs’ “private video-viewing data in real time, including what [t]he[y] watched on cable television and streaming services,” and tied this information to each plaintiff’s unique anonymized identifier in order to “facilitate targeted advertising,” all allegedly without the plaintiffs’ consent.  Id. at *1.  Based on these allegations, the plaintiffs claimed that the TV technology company violated the CIPA, CDAFA, and VPPA, and committed the common-law tort of invasion of privacy. 

The company moved to dismiss, arguing that the CIPA and CDAFA did not apply because the plaintiffs were located outside California, that the VPPA did not apply because the TV technology company was not a “video tape service provider,” and that the plaintiffs failed to plausibly allege a highly offensive violation of a privacy interest.

The Court’s Decision

The Court agreed with the TV technology company and dismissed the complaint in its entirety, with leave to amend any existing claims but not to add any additional claims without further leave.

On the CIPA and CDAFA claims, the Court found that the plaintiffs did not allege that any unlawful conduct occurred in California.  Instead, the plaintiffs alleged that the challenged conduct occurred in their home states of North Carolina and Oklahoma.  Id. at *1, 3-4.  For these reasons, the Court dismissed the CIPA and CDAFA claims, finding that these statutes do not apply extraterritorially.  Id.

On the VPPA claim, the Court addressed the VPPA’s definition of  “video tape service provider,” which is “any person, engaged in the business … of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials.”  Id. at *5.  The plaintiffs argued that the TV technology company was a video tape service provider “because its technology is incorporated in Smart TVs, which deliver prerecorded videos.  [The defendant] advertises its technology precisely as providing a ‘better viewing experience’ ‘immersive on-screen experiences’ and a ‘more tailored ad experience’ through its technology.”  Id.  The Court rejected this argument. It held that “[t]his allegation does not plausibly support an inference, [the defendant]—an analytics software provider—facilitated the exchange of a video product. Rather, the allegations support an inference [the defendant] collected information about Plaintiffs’ use of a video product, but not that it provided the product itself.”  Id. (emphasis added).

On the common law claim for invasion of privacy, the TV technology company argued that this claim failed because the plaintiffs “have no expectation of privacy in the information it collects and Plaintiffs have not alleged a highly offensive intrusion.”  In examining this argument, the Court noted that Plaintiff had only provided “vague references” to the information supposedly intercepted.  Id. at *4.  This information included video-viewing data generally (none specified) tied to an anonymized identifier.  Id. at *1, 5.  Thus, the Court agreed with the defendant’s argument and found that plaintiffs identified “no embarrassing, invasive, or otherwise private information collected” and no explanation of how the tracking of video viewing history with an anonymized ID caused plaintiffs “to experience any kind of harm that is remotely similar to the ‘highly offensive’ inferences or disclosures that were actionable at common law.”  Id. at *5.  In sum, the Court concluded that “Plaintiffs have not plausibly alleged a highly offensive violation of a privacy interest.”

Implications For Companies

DellaSala provides powerful precedent for any company opposing adtech class action claims (1) brought under statutes enacted in states other than the plaintiffs’ place of residence; (2) brought under the federal VPPA where the company allegedly transmitted video usage information, as opposed to any videos themselves; and (3) alleging common-law invasion of privacy, where the plaintiffs have not specified the information disclosed and why such a disclosure is highly offensive. 

The last point is a recurring theme in adtech class actions.  Just as this plaintiff suing a TV technology company did not plausibly state a common-law claim for invasion of privacy without identifying the videos watched and any highly offensive harm in associating those videos with an anonymized ID, so did a plaintiff not plausibly state a claim for invasion of privacy by way of alleging adtech’s disclosure of protected health information (“PHI”), without specifying the PHI allegedly disclosed (as we blogged about here).  These cases show that for adtech plaintiffs to plausibly plead claims for invasion of privacy, they at least need to identify what allegedly private information was disclosed and explain how the alleged disclosure was highly offensive.

Posted on by Gerald L. Maatman, Jr.

California Federal Court Narrows CIPA “In-Transit” Liability for Common Website Advertising Technology and Urges Legislature to Modernize Privacy Law

By Gerald L. Maatman, Jr., Justin Donoho, Hayley Ryan, and Tyler Zmick

Duane Morris Takeaways: On October 17, 2025, in Doe v. Eating Recovery Center LLC, No. 23-CV-05561, ECF 167 (N.D. Cal. Oct. 17, 2025), Judge Vince Chhabria of the U.S. District Court for the Northern District of California granted summary judgment to Eating Recovery Center, finding no violation of the California Invasion of Privacy Act (CIPA) where the Meta Pixel collected website event data. Specifically, the Court held that Meta did not “read” those contents while the communications were “in transit.” In so holding, the Court applied the rule of lenity, construed CIPA narrowly, and urged the California Legislature “to step up” and modernize the statute for the digital age. Id. at 2.

This decision is significant because Judge Chhabria candidly described CIPA as “a total mess,” noting it is often “borderline impossible” to determine whether the law – enacted in 1967 to criminalize wiretapping and eavesdropping on confidential communications – applies to modern internet transmissions. Id. at 1. As the Court observed, CIPA “was a mess from the get-go, but the mess gets bigger and bigger as the world continues to change and as courts are called upon to apply CIPA’s already-obtuse language to new technologies.” Id.  This is a “must read” decision for corporate counsel dealing with privacy issues and litigation.

Background

This class action arose after plaintiff, Jane Doe, visited Eating Recovery Center’s (ERC) website to research anorexia treatment and later received targeted advertisements. Plaintiff alleged that ERC’s use of the Meta Pixel caused Meta to receive sensitive URL and event data from her interactions with ERC’s site, resulting in targeted ads related to eating disorders.

ERC had installed the standard Meta Pixel on its website, which automatically collected page URLs, time on page, referrer paths, and certain click events to help ERC build custom audiences for advertising. Id. at 3. Plaintiff alleged that ERC’s use of the Pixel allowed Meta to intercept her communications in violation of CIPA, Cal. Penal Code § 631(a). She also brought claims under the California Medical Information Act (CMIA), the California Unfair Competition Law (UCL), and for common law unjust enrichment. The UCL claim was dismissed at the pleading stage.

ERC later moved for summary judgment on the remaining CIPA, CMIA, and unjust enrichment claims. In a separate order, the Court granted summary judgment on the CMIA and unjust enrichment claims, finding that plaintiff was not a “patient” under the CMIA and that there was no evidence ERC had been unjustly enriched. See id., ECF 168 at 1-2.

The Court’s Decision

With respect to the CIPA claim, the parties disputed two elements under CIPA § 631(a): (1) whether the event data obtained by Meta constituted “contents” of plaintiff’s communication with ERC, and (2) whether Meta read, attempted to read, or attempted to learn those contents while they were “in transit.” ECF 167 at 6.

The Court first held that URLs and event data can constitute the “contents” of a communication because they can reveal substantive information about a user’s activities – such as researching medical treatment. Id. at 7. The court thus deviated from other courts that have held differently on this particular issue when considering additional facts or allegations not addressed by this court (such as encryption, and inability to reasonably identify the data among lines of code).  However, the Court concluded that Meta did not read or attempt to learn any contents while the communications were “in transit.” Instead, Meta processed the data only after it had reached its intended recipient (i.e., ERC, the website operator).

In reaching that conclusion, Judge Chhabria relied on undisputed testimony about Meta’s internal filtering processes: “Meta’s corporate representative testified that, before logging the data that it obtains from websites, Meta filters URLs to remove information that it does not wish to store (including information that Meta views as privacy protected).” Id. at 8.

This evidence supported the finding that Meta’s conduct involved post-receipt filtering rather than contemporaneous “reading” or “learning.” Id. at 9. The Court emphasized that expanding “in transit” to include post-receipt processing would improperly criminalize routine website analytics practices. Because CIPA is both a criminal statute and a source of punitive civil penalties, the Court applied the rule of lenity to adopt a narrow interpretation. Id. at 11-12. The Court further cautioned that an overly broad reading would render CIPA’s related provision (§ 632, prohibiting eavesdropping and recording) largely redundant. Id. at 10.

Finding that Meta did not read, attempt to read, or attempt to learn the contents of Doe’s communications while they were in transit, the court granted summary judgment to ERC on the CIPA claim. Id. at 12.

The opinion concluded by reiterating that California’s decades-old wiretap law is “virtually impossible to apply [] to the online world,” urging the Legislature to “go back to the drawing board on CIPA,” and suggesting that it “would probably be best to erase the board entirely and start writing something new.” Id.

Implications For Companies

The Doe decision narrows one significant avenue for CIPA liability, particularly for routine use of website analytics and advertising pixels. The Northern District of California has now drawn a distinction between data “read” while in transit and data processed after receipt, significantly reducing immediate CIPA exposure for standard web advertising tools.

At the same time, the court’s reasoning underscores that pixel-captured data may be considered by some courts as “contents” of a communication under CIPA, although there is a split of authority on this issue. Companies could therefore face potential exposure under other California privacy statutes, including the CMIA, the California Consumer Privacy Act (CCPA), and the California Privacy Rights Act (CPRA), depending on the data involved and how it is used.

Organizations should continue to inventory the data they share through advertising technologies, minimize sensitive information in URLs, and ensure clear and accurate privacy disclosures. Because the court expressly invited legislative reform, companies should also monitor ongoing case law and potential statutory amendments.

Ultimately, Doe v. Eating Recovery Center reflects a pragmatic narrowing of CIPA’s “in transit” requirement while reaffirming that CIPA was not intended to cover common website advertising technologies or, in any event, should not be interpreted as such given the harsh statutory penalties involved and the rule of lenity — like the Supreme Judicial Court of Massachusetts concluded regarding Massachusetts’ wiretap act, as we previously blogged about here.  While this case is a big win for website operators, companies relying on third-party analytics should treat this decision as guidance—not immunity—and continue adopting privacy-by-design principles in their data collection and vendor management practices.

Posted on by Gerald L. Maatman, Jr.

Third Circuit Green Lights “Hybrid” Class Action Settlements That Release Unasserted FLSA Claims

By Gerald L. Maatman, Jr., Jennifer A. Riley, and Tyler Zmick

Duane Morris Takeaways:  In Lundeen v. 10 West Ferry Street Operations, LLC, No. 24-3375 (3d Cir. Oct. 16, 2025), the U.S. Court of Appeals for the Third Circuit held that the opt-in requirement set forth in Section 216(b) of the federal Fair Labor Standards Act (“FLSA”) does not prohibit plaintiffs in a class action from settling prospective class members’ unasserted FLSA claims as part of an opt-out class settlement. In a precedential and unanimous opinion, the Third Circuit concluded that Section 216(b) establishes only the mechanism by which FLSA claims may be litigated, not the conditions under which they may be released. The decision is welcome news for both plaintiffs and defendants, as the case makes it easier for parties to settle “hybrid” cases asserting claims under both federal and state wage-and-hour laws.

Background

Plaintiff Graham Lundeen alleged that Defendant – his former employer, and the owner of a restaurant and bar – violated the FLSA and the Pennsylvania Minimum Wage Act (“PMWA”) in connection with its tip-pooling practices. Plaintiff styled his case as a “hybrid” class/collective action, asserting that his FLSA claim should proceed as a collective action under Section 216(b) and that his PMWA claim should proceed as a class action under Federal Rule of Civil Procedure 23(b)(3).

The parties reached a settlement under which class members would agree to release their claims, including those arising under the FLSA, even if class members did not submit claim forms, submit opt-in consent forms, or receive settlement payouts.

The U.S. District Court for the Eastern District of Pennsylvania denied preliminary approval of the proposed settlement, ruling that the settlement “was ‘neither fair nor reasonable’ because it ‘require[d] class members who did not opt in to the FLSA collective to release their FLSA claims.’” Id. at 6.

The Third Circuit’s Decision

After accepting the parties’ interlocutory appeal, the Third Circuit vacated the District Court’s ruling and held that Section 216(b) does not bar approval of a Rule 23 settlement that includes the release of “unasserted FLSA claims.” Id. at 10-11. In reaching its conclusion, the Third Circuit began with the text of Section 216(b):

An action to recover the liability prescribed in the preceding sentences [for failure to pay statutorily required overtime or minimum wages under the FLSA] may be maintained against any employer (including a public agency) in any Federal or State court of competent jurisdiction by any one or more employees for and in behalf of himself or themselves and other employees similarly situated. No employee shall be a party plaintiff to any such action unless he gives his consent in writing to become such a party and such consent is filed in the court in which such action is brought.

Id. at 8-9 (emphasis in original) (quoting 29 U.S.C. § 216(b)).

Acknowledging that no other federal circuit has resolved the split among district courts regarding the propriety of “hybrid” settlements, the Third Circuit ultimately sided “with those courts that have held that § 216(b) of the FLSA provides only a mechanism for opting into collective litigation.” Id. at 10 (emphasis added). In other words, Section 216(b) “requires written consent to litigate FLSA claims, but it does not forbid the release of unasserted claims through a Rule 23(b)(3) opt-out settlement.” Id. at 16 (emphases added).   

The Third Circuit concluded with an important caveat, however, emphasizing that while the FLSA does not prohibit settlements through which Rule 23 class members release unasserted FLSA claims, that does not mean such settlements are always permissible: “[W]hether judges can approve opt-out settlements that release FLSA claims is a different inquiry from whether judges should do so. The former question is an issue of statutory interpretation; the latter turns on whether the settlement is ‘fair, reasonable, and adequate,’ subject to the District Court’s considerable discretion.” Id. at 16-17 (internal citation omitted). Thus, “while § 216(b) does not forbid the release of unasserted FLSA claims in opt-out settlements, such releases remain relevant to the court’s overall Rule 23(e)(2) analysis.” Id. at 18.

Implications Of The Decision

The Lundeen decision provides clarity on the proper scope of “hybrid” settlements involving the simultaneous release of FLSA claims and Rule 23 class claims premised on state wage-and-hour laws. Moving forward, defendants settling such claims will likely rely on Lundeen to broaden their settlements to cover the FLSA claims of all individuals within the Rule 23 settlement class, even if such individuals do not affirmatively opt into the case. This will give defendant-employers closure and alleviate potential risks as to whether settlement class members who did not opt into the case retain their rights to bring FLSA claims.

Parties should take heed of the caveat noted by the Third Circuit, however – namely, that a class settlement involving the release of unasserted FLSA claims will not automatically pass muster. Rather, district courts must still consider whether a class settlement is “fair, reasonable, and adequate.” To increase the likelihood that courts will approve “hybrid” class settlements, parties should ensure their proposed settlements satisfy the Rule 23(e)(2) “fairness” factors, including by: providing clear notice to class members of the scope of the release and a meaningful opportunity to opt out; and ensuring that the relief provided to the class is adequate when accounting for the costs and risks of litigation, the method of distributing relief to the class, and the terms of any proposed award of attorney’s fees.

Posted on by Gerald L. Maatman, Jr.

Illinois Federal Court Finds “Self-Inflicted Injury” Insufficient To Confer Article III Standing In Publicity Class Action Lawsuit

By Gerald L. Maatman, Jr., Justin Donoho, Hayley Ryan, and Tyler Zmick

Duane Morris Takeaways: On October 2, 2025, in Azuz v. Accucom Corp. d/b/a InfoTracer, No. 21-CV-01182, 2025 U.S. Dist. LEXIS 195474 (N.D. Ill. Oct. 2, 2025), Judge LaShonda A. Hunt of the U.S. District Court for the Northern District of Illinois dismissed a class action complaint alleging violations of the Illinois Right of Publicity Act (IRPA). The plaintiff claimed that InfoTracer unlawfully used individuals’ names and likeness to advertise and promote its products without consent. The Court held that the Plaintiff lacked Article III standing because she failed to plausibly allege a concrete injury – her only alleged harm was “self-inflicted,” as no one other than her own counsel ever searched her name on the site.

The decision illustrates that plaintiffs bringing right of publicity claims against website operators must show that a third party actually accessed their information for a commercial purpose. Mere availability of an individual’s information on a website, without evidence of third-party viewing, does not establish a concrete injury under Article III.

Background

Plaintiff Marilyn Azuz filed a putative class action complaint against Accucom Corp. d/b/a InfoTracer, which operates infotracer.com, a website selling personal background reports. She alleged that Accucom used her name and likeness to advertise and promote its products without written consent, in violation of the IRPA. Id. at *2-4. Plaintiff sought damages and injunctive relief barring Accucom from continuing the alleged conduct. Id. at *4.

After three years of litigation and discovery, Accucom moved to dismiss for lack of subject matter jurisdiction, raising a factual challenge to Article III standing. Accucom submitted evidence showing that the only search of Plaintiff’s name on InfoTracer occurred in February 2021, when her own counsel accessed the site after she responded to a Facebook solicitation by her counsel about potential claims. Accucom argued that such a “self-inflicted” search could not establish a concrete injury and that Plaintiff’s claim for injunctive relief was moot because she had since moved to Minnesota and her data had been removed from the site.

Plaintiff countered that her identify being “held out” to be searched constituted a sufficient injury, and that her request for injunctive relief was not moot Accucom could resume the alleged conduct.

The Court’s Decision

The Court sided with Accucom, holding that the Plaintiff failed to establish a concrete injury and therefore lacked standing to pursue her individual claims. Id. at *15.

Relying on the U.S. Supreme Court’s decision in TransUnion LLC v. Ramirez, 594 U.S. 413 (2021), Judge Hunt explained that an intangible statutory violation, without evidence of concrete harm, is insufficient for Article III standing.  Just as inaccurate information in a credit file causes no concrete injury unless disclosed to a third party, the Court concluded, “a person’s identity is not appropriated under the IRPA unless it is used for a commercial purpose.” Id. at *14.

The Court rejected Plaintiff’s reliance on Lukis v. Whitepages Inc., 549 F. Supp. 3d 798 (N.D. Ill. 2021), noting that Lukis involved only a facial attack to standing at the pleading stage, not a factual attack supported by evidence, like here. Id. at *9-10.

Noting that it had not found any post-TransUnion decisions analyzing the IRPA under a factual challenge to standing, Judge Hunt found Fry v. Ancestry.com Operations Inc., 2023 U.S. Dist. LEXIS 50330 (N.D. Ind. Mar. 24, 2023) to be instructive. Id. at *11. In Fry, the court cautioned that a plaintiff asserting a right of publicity claim must ultimately produce evidence showing that his likeness was viewed by someone other than his attorney or their agents. That same “forewarning,” Judge Hunt concluded, applied to Plaintiff, who presented no such evidence. Id. at *12-13.

The Court also dismissed Plaintiff’s request for injunctive relief, holding that any potential future harm was speculative and not sufficiently imminent. Because Plaintiff had relocated to Minnesota, the IRPA’s extraterritorial application could not extend to her circumstances. Id. at *16.

Finally, the Court declined to allow the substitution of new named plaintiffs so that the case could continue, reasoning that because the original plaintiff lacked standing from the outset, the Court never had jurisdiction to allow substitution. Id. at *17.

Implications For Companies

Azuz underscores the importance of scrutinizing Article III standing in every stage of litigation, particularly in statutory publicity and privacy cases. Where plaintiffs cannot show that a third party viewed or interacted with their data, courts are likely to find no concrete injury — and therefore no federal jurisdiction.

Website operators facing IRPA or similar publicity-based class actions should consider asserting factual standing challenges supported by evidence demonstrating the absence of third-party access. Such jurisdictional defenses can be decisive and may be raised at any time in the litigation.

© 2009- Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.

The opinions expressed on this blog are those of the author and are not to be construed as legal advice.

Proudly powered by WordPress