Duane Morris Takeaways: In Sloan, et al. v. Anker Innovations Ltd., No. 22-CV-7174 (N.D. Ill. Jan. 9, 2024), Judge Sarah Ellis of the U.S. District Court for the Northern District of Illinois granted in part a motion to dismiss privacy claims brought against the companies that manufacture and sell “eufy” security products. The Court dismissed the claims asserted under the federal Wiretap Act because Defendants were “parties” to the communication during which the eufy products sent security recordings to Plaintiffs’ mobile devices (notwithstanding that the products also sent the data to a server owned by Defendants). In addition, the Court partially dismissed Plaintiffs’ claims under the Illinois Biometric Information Privacy Act and under four state consumer protection statutes, thereby allowing Plaintiffs to proceed with their case only with respect to some of their claims.
For businesses who are embroiled in facial recognition software and related privacy class actions, this ruling provides a helpful roadmap for fracturing such claims at the outset of the lawsuit.
Plaintiffs were individuals from various states who purchased and used Defendants’ “eufy” branded home security cameras and video doorbells. The eufy products can, among other things, detect motion outside a person’s home and apply a facial recognition program differentiate “between known individuals and strangers by recognizing biometric identifiers and comparing the face template against those stored in a database.” Id. at 3. Eufy products sync to a user’s phone through eufy’s Security app, which notifies a user of motion around the camera by sending the use a recorded thumbnail image or text message.
Defendants advertised that the video recordings and facial recognition data obtained through eufy cameras are stored locally on user-owned equipment owned and that the data would be encrypted so that only the user could access it. Media reports later revealed, however, that the eufy products uploaded thumbnail images used to notify users of movement to Defendants’ cloud storage without encryption, and that users could stream content from their videos through unencrypted websites.
Claiming they relied to their detriment on Defendants’ (allegedly false) privacy-related representations when purchasing the eufy products, the eight named Plaintiffs filed a putative class action against corporate Defendants involved in the manufacture and sale of “eufy” products. In their complaint, Plaintiffs asserted that Defendants violated: (1) the Federal Wiretap Act; (2) the Biometric Information Privacy Act (the “BIPA”); and (3) the consumer protection statutes of Illinois, New York, Massachusetts, and Florida. Defendants moved to dismiss Plaintiffs’ claims under Federal Rule of Civil Procedure 12(b)(6).
The Court’s Decision
The Court granted in part and denied in part Defendants’ motion, holding that: (1) the Wiretap Act claim should be dismissed because Defendants were a party to the relevant communication (i.e., the transmission of data from eufy products to Plaintiffs via the eufy Security app); (2) the BIPA claims should be dismissed as to non-Illinois resident Plaintiffs; and (3) the claims brought under the relevant consumer protection statutes should be dismissed only to the extent they were premised on certain of Defendants’ public-facing privacy statements.
Wiretap Act Claims
The Court first addressed Plaintiffs’ Wiretap Act claims, explaining that the statute “empowers a private citizen to bring a civil claim against someone who ‘intentionally intercepts [or] endeavors to intercept . . . any wire, oral, or electronic communication.’” Id. at 8 (quoting 18 U.S.C. § 2511(1)(a)).
Defendants argued that Plaintiffs failed to state a claim under the Wiretap Act because the statute does not apply to a party to the relevant communication. Specifically, the Wiretap Act exempts a person who intercepts an electronic communication “where such person is a party to the communication or where one of the parties to the communication has given prior consent to such interception.” 18 U.S.C. § 2511(2)(d).
The Court agreed with Defendants and thus dismissed Plaintiffs’ Wiretap Act claim. The Court described the relevant “communication” as the transmission of data from eufy products to Plaintiffs’ devices and explained that the transmission “is not between the eufy product and Plaintiffs, but rather between the eufy product and the eufy Security app, which Defendants own and operate. As such, the communication necessarily requires Defendants’ participation, even if Plaintiffs did not intend to share their information with Defendants.” Id. at 8-9 (emphasis added). The Court thus held that Defendants were parties to the communication, and Defendants also uploading the data to their own server (without Plaintiffs’ knowledge) did not change that conclusion.
Regarding Plaintiffs’ BIPA claims, Defendants argued that Plaintiffs failed to allege that the relevant data (which Defendants described as “thumbnail images”) qualifies for protection under the BIPA because photographs are not biometric data under the statute. The Court rejected this argument since Plaintiffs alleged that Defendants uploaded thumbnail information and facial recognition data (namely, “scans of face geometry”) to their server.
The Court agreed with Defendants’ second argument, however, which asserted that Plaintiffs’ BIPA claim failed to the extent it was brought by or on behalf of Plaintiffs who are not Illinois residents. The BIPA applies only where the underlying conduct occurs “primarily and substantially” in Illinois. The Court determined that the relevant communications between Plaintiffs and Defendants “occurred primarily and substantially in the state of residency for each Plaintiff.” Id. at 12-13. And the End User License Agreement for eufy Camera Products and the Security App stating that the agreement is governed by Illinois law did not change the result that the BIPA claim brought by non-Illinois residents must be dismissed.
Statutory Consumer Protection Claims
Finally, the Court turned to Defendants’ contentions relative to the alleged violations of the four state consumer protection statutes. In beginning its analysis, the Court explained that “[t]o state a claim for deceptive practices under any of the alleged state consumer fraud statutes, Plaintiffs must allege a deceptive statement or act that caused their harm.” Id. at 14. Moreover, “a statement is deceptive if it creates a likelihood of deception or has the capacity to deceive.” Id. at 15 (citation omitted); see also id. (noting that “the allegedly deceptive act must be looked upon in light of the totality of the information made available to the plaintiff”) (citation omitted). Defendants argued in their motion to dismiss that Plaintiffs did not allege cognizable deceptive statements because the statements at issue constitute either puffery or are not false.
The Court dismissed Plaintiffs’ statutory fraud claims in part. Specifically, the Court held that Defendants’ advertising in the form of certain “statements relating to privacy” (e.g., “your privacy is something that we value as much as you do”) constituted nonactionable “puffery.” Id. at 16. The Court therefore dismissed Plaintiffs’ statutory fraud claims insofar as they were premised on the similarly vague “statements relating to privacy.”
However, the Court denied Defendants’ attempt to dismiss the claims premised on their more specific statements about (1) end-user data being stored only on a user’s local device, (2) the use of alleged facial recognition, and (3) end-user data being encrypted. Defendants argued that these were “accurate statements” and thus could not serve as the basis for consumer fraud claims. The Court disagreed, ruling that Plaintiffs sufficiently alleged that the storage, encryption, and facial recognition statements may have misled a reasonable consumer. Accordingly, the Court granted in part and denied in part Defendants’ motion to dismiss.
Implications For Corporate Counsel
The most significant aspect of Sloan v. Anker Innovations Limited is the Court’s analysis of Plaintiffs’ Wiretap Act claims, given the rapidly emerging trend among the plaintiff class action bar of using traditional state and federal laws – including the Wiretap Act – to seek relief for alleged privacy violations. In applying modern technologies to older laws like the Wiretap Act (passed in 1986), courts have grappled with issues such as the determination of who is a “party to the communication” such that an entity is exempt from the statute’s scope. As data exchanges and data storage become more complex, the “party to the communication” determination reciprocally becomes more nebulous.
In Sloan, the “communication” was the eufy products transmitting data to Plaintiffs’ device and “contemporaneously intercept[ing] and sen[ding] [the data] to [Defendant’s] server.” Id. at 8 (citation omitted). Because Plaintiffs had to use the eufy Security app to access the data, and because Defendants owned and operated the app, the Court determined that Defendants necessarily participated in the communication. But the result may have been different if, for instance, Plaintiffs could use a different app (one not owned by Defendants) to access the data, or if unbeknownst to Plaintiffs, the eufy Securty app was actually owned and operated by a third-party entity. The upshot is that corporate counsel should keep these principles in mind with respect to any data-flow processes regarding end-user or employee data.