By Gerald L. Maatman, Jr., Jennifer A. Riley, and Alex W. Karasik
Duane Morris Takeaways: The last year saw a virtual explosion in privacy class action litigation. As a result, compliance with privacy laws in the myriad of ways that companies interact with employees, customers, and third parties is a corporate imperative. To that end, the class action team at Duane Morris is pleased to present the Privacy Class Action Review – 2024. This publication analyzes the key privacy-related rulings and developments in 2023 and the significant legal decisions and trends impacting privacy class action litigation for 2024. We hope that companies and employers will benefit from this resource in their compliance with these evolving laws and standards.
Duane Morris Takeaways: On February 1, 2024, a football fan filed a class action lawsuit against the New England Patriots in a Massachusetts federal court, alleging that the football team’s mobile app (the “App”) knowingly disclosed users’ location data and personal information to third parties in alleged violation of the Video Privacy Protection Act (“VPPA”). This lawsuit marks the latest high-profile VPPA class action filing; such filings have spiked significantly in the last two years.
Although the recent tide of VPPA class action court rulings has generally tipped in favor of defendants, the plaintiffs’ class action bar is still exploring novel theories to bring these high-stakes cases. Companies must therefore pay close attention to privacy-related issues involving mobile applications, including what data is collected and to whom it is transmitted.
Congress passed the VPPA in 1988. The statute imposes liability on “[a] video tape service provider who knowingly discloses, to any person, personally identifiable information concerning any consumer of such provider.” 18 U.S.C. § 2710(b)(1). A “video tape service provider” is defined as “any person, engaged in the business, in or affecting interstate or foreign commerce, of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials.” Id. at 3-4 (citations omitted). “Personally identifiable information” (“PII”) is defined as “information which identifies a person as having requested or obtained specific video materials or services from a video service provider.” Id. In essence, the statute purports to account for advancements in video-delivery technology by defining a “video tape service provider” broadly to include any business engaged in the “rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials.” Id.
The New VPPA Class Action Lawsuit
In terms of data collection, the lawsuit alleges that when a user opens a video on the App, the App sends the content type, video title, and a persistent identifier to the user’s device. The App then transmits to third parties the user’s information, including location (in geographical coordinates and altitude), advertising ID, and video content consumption. Id. at 6. According to the complaint, the New England Patriots allegedly leverage users’ geolocation so they can maximize advertising revenue and, to that end, uniquely identify their users. For Android software users, the complaint alleges that the Patriots share a unique advertising ID, called an Android Advertising ID (“AAID”), for each of their users with third parties, which enables a third party to track the user’s movements, habits, and activity on mobile applications. Id. at 10.
Accordingly, the lawsuit alleges that through the New England Patriots’ dissemination of consumers’ PII, third parties such as Google can collect and store billions of metrics and events and make it easier for clients to make data-driven decisions, and these reports are continuously updated and metrics are reported as they occur. Id. at 16. Plaintiff seeks to represent a class defined as “All persons in the United States who used the Patriots App to watch videos and had their personally identifiable information — including but not limited to the videos they watched, their geolocation, and their unique advertising IDs — transmitted to one or more third parties.” Id. On behalf of the class, Plaintiff seeks an award of damages, including, but not limited to, actual, consequential, punitive, statutory, and nominal damages.
Implications For Businesses
This lawsuit represents another example of class action plaintiffs’ lawyers using traditional state and federal laws – including the long-dormant VPPA – to seek relief for alleged privacy violations. In applying modern technologies to older laws like the VPPA (passed in 1988), courts have grappled with issues such as the determination of who qualifies as a “video tape service provider” or a “consumer” under the statute. It will be interesting to follow this lawsuit to see whether the Court follows the recent trend of courts dismissing VPPA class actions.
That said, this high-profile filing also suggests that companies should regularly update their online consent provisions as needed to specifically address the VPPA. Businesses that proactively implement compliance mechanisms will thank themselves later in terms of preventing class action litigation.
By Gerald L. Maatman, Jr., Jennifer A. Riley, and Emilee N. Crowther
Duane Morris Takeaways: In Brown v. Learfield Communications, LLC, et al., No. 1:23-CV-00374, 2024 U.S. Dist. LEXIS 15587 (W.D. Tex. Jan. 29, 2024), Judge David A. Ezra of the U.S. District Court for the Western District of Texas granted Defendants Learfield Communications, LLC and Sidearm Sports, LLC’s Rule 12(b)(6) motion to dismiss Plaintiff’s Video Privacy Protection Act (VPPA) class claim. The Court held that Plaintiff failed to plead facts to support his claim under the VPPA because he did not allege that he was a subscriber to audio-visual goods or services themselves, just a newsletter that contained links to publicly-available content on The University of Texas’s website. Defendants in VPPA class actions can utilize this decision as a roadmap when preparing motions to dismiss.
Defendants Learfield Communications, LLC and Sidearm Sports, LLC (collectively, “Defendants”) operated the University of Texas at Austin’s (“UT”) website (the “UT Website”). Id. at 2. The UT Website contains software that enables Facebook to track the activity of UT Website users on other websites. Id. Defendants invite UT Website visitors to subscribe to emailed newsletters. Id. at 3. The newsletters provide links to various videos, clips, and other content on the UT Website related to UT Athletics. Id. Plaintiff Adam Brown subscribes to UT’s emailed newsletter. Id.
In April 2023, Plaintiff filed a class action against Defendants UT, UT Athletics, Learfield, and Sidearm alleging that they violated the VPPA by purportedly exposing the subscribers’ personal identification information and gathering marketing data without consent. Id. at 4. In June 2023, UT and UT Athletics filed a motion to dismiss based on sovereign immunity. Id. at 2. The motion was granted in July. Id. In September, Defendants Learfield and Sidearm filed a motion to dismiss under 12(b)(1), 12(b)(6), and 12(b)(7). Id.
The Court’s Decision
The Court denied Defendants’ Rule 12(b)(1) and 12(b)(7) motions to dismiss. It held that neither Learfield nor Sidearm was entitled to immunity as an “arm of the state,” and that neither UT nor UT Athletics was an indispensable party to the lawsuit. Id. at 7-10.
The Court, however, granted Defendants’ Rule 12(b)(6) motion to dismiss on the basis that Plaintiff was not a “consumer” under the VPPA because he failed to allege a factual nexus between the subscription and Defendants’ allegedly actionable video content. Id. at 2, 19, 26.
To state a claim under the VPPA, the Court noted that a plaintiff must allege that a defendant “(1) is a video tape service provider; (2) who knowingly disclosed to any person; (3) personally identifiable information; (4) concerning any consumer.” Id. at 10-11; 18 U.S.C. § 2710(b)(1). Under the VPPA, a “consumer” is “any renter, purchaser, or subscriber of goods or services from a video tape service provider.” 18 U.S.C. § 2710(a)(1).
The Court reasoned that the VPPA “only applies to consumers (including subscribers) of audio video services” because, when reading the term “consumer” in the full context of the VPPA, “a reasonable reader would understand the definition of ‘consumer’ to apply to a renter, purchaser or subscriber of audio-visual goods or services, and not goods or services writ large.” Id. at *19 (emphasis original) (quoting Carter v. Scripps Networks, LLC, 2023 WL 3061858, at *6 (S.D.N.Y. Apr. 24, 2023)).
The Court concluded that Plaintiff was not a “consumer” under the VPPA because (i) the newsletter did not contain videos, just links to videos on the UT Website; and (ii) the linked videos were available for any member of the public to see on the UT Website, not just those who subscribed to the newsletter. Id. at 26-28. Accordingly, the Court ruled that Plaintiff was not a subscriber to audio-visual goods or services, just a newsletter. Id. at 28-29. Ultimately, because Plaintiff failed to allege facts to support a claim under the VPPA, the Court granted Defendants’ Rule 12(b)(6) motion to dismiss. Id. at 29.
Implications For Companies
The decision in Brown v. Learfield serves as a roadmap for defendants in VPPA class actions to utilize when preparing motions to dismiss. This case is also important as it adds the Western District of Texas to a growing number of federal courts that strictly construe the VPPA to apply to audio-visual materials, not links to publicly-available videos in newsletters. See, e.g., Carter v. Scripps Networks, LLC, No. 22-CV-2031, 2023 WL 3061858, at *6 (S.D.N.Y. Apr. 24, 2023); Jefferson v. Healthline Media, Inc., No. 3:22-CV-05059, 2023 WL 3668522, at *3 (N.D. Cal. May 24, 2023); Gardener v. MeTV, No. 22-CV-5963, 2023 WL 4365901, at *4 (N.D. Ill. July 6, 2023).
By Gerald L. Maatman, Jr., Alex W. Karasik, and Tyler Zmick
Duane Morris Takeaways: In Sloan, et al. v. Anker Innovations Ltd., No. 22-CV-7174 (N.D. Ill. Jan. 9, 2024), Judge Sarah Ellis of the U.S. District Court for the Northern District of Illinois granted in part a motion to dismiss privacy claims brought against the companies that manufacture and sell “eufy” security products. The Court dismissed the claims asserted under the federal Wiretap Act because Defendants were “parties” to the communication during which the eufy products sent security recordings to Plaintiffs’ mobile devices (notwithstanding that the products also sent the data to a server owned by Defendants). In addition, the Court partially dismissed Plaintiffs’ claims under the Illinois Biometric Information Privacy Act and under four state consumer protection statutes, thereby allowing Plaintiffs to proceed with their case only with respect to some of their claims.
For businesses that are embroiled in facial recognition software and related privacy class actions, this ruling provides a helpful roadmap for fracturing such claims at the outset of the lawsuit.
Plaintiffs were individuals from various states who purchased and used Defendants’ “eufy” branded home security cameras and video doorbells. The eufy products can, among other things, detect motion outside a person’s home and apply a facial recognition program to differentiate “between known individuals and strangers by recognizing biometric identifiers and comparing the face template against those stored in a database.” Id. at 3. Eufy products sync to a user’s phone through eufy’s Security app, which notifies a user of motion around the camera by sending the user a recorded thumbnail image or text message.
Defendants advertised that the video recordings and facial recognition data obtained through eufy cameras are stored locally on user-owned equipment and that the data would be encrypted so that only the user could access it. Media reports later revealed, however, that the eufy products uploaded thumbnail images used to notify users of movement to Defendants’ cloud storage without encryption, and that users could stream content from their videos through unencrypted websites.
Claiming they relied to their detriment on Defendants’ (allegedly false) privacy-related representations when purchasing the eufy products, the eight named Plaintiffs filed a putative class action against corporate Defendants involved in the manufacture and sale of “eufy” products. In their complaint, Plaintiffs asserted that Defendants violated: (1) the Federal Wiretap Act; (2) the Biometric Information Privacy Act (the “BIPA”); and (3) the consumer protection statutes of Illinois, New York, Massachusetts, and Florida. Defendants moved to dismiss Plaintiffs’ claims under Federal Rule of Civil Procedure 12(b)(6).
The Court’s Decision
The Court granted in part and denied in part Defendants’ motion, holding that: (1) the Wiretap Act claim should be dismissed because Defendants were a party to the relevant communication (i.e., the transmission of data from eufy products to Plaintiffs via the eufy Security app); (2) the BIPA claims should be dismissed as to non-Illinois resident Plaintiffs; and (3) the claims brought under the relevant consumer protection statutes should be dismissed only to the extent they were premised on certain of Defendants’ public-facing privacy statements.
Wiretap Act Claims
The Court first addressed Plaintiffs’ Wiretap Act claims, explaining that the statute “empowers a private citizen to bring a civil claim against someone who ‘intentionally intercepts [or] endeavors to intercept . . . any wire, oral, or electronic communication.’” Id. at 8 (quoting 18 U.S.C. § 2511(1)(a)).
Defendants argued that Plaintiffs failed to state a claim under the Wiretap Act because the statute does not apply to a party to the relevant communication. Specifically, the Wiretap Act exempts a person who intercepts an electronic communication “where such person is a party to the communication or where one of the parties to the communication has given prior consent to such interception.” 18 U.S.C. § 2511(2)(d).
The Court agreed with Defendants and thus dismissed Plaintiffs’ Wiretap Act claim. The Court described the relevant “communication” as the transmission of data from eufy products to Plaintiffs’ devices and explained that the transmission “is not between the eufy product and Plaintiffs, but rather between the eufy product and the eufy Security app, which Defendants own and operate. As such, the communication necessarily requires Defendants’ participation, even if Plaintiffs did not intend to share their information with Defendants.” Id. at 8-9 (emphasis added). The Court thus held that Defendants were parties to the communication, and Defendants also uploading the data to their own server (without Plaintiffs’ knowledge) did not change that conclusion.
Regarding Plaintiffs’ BIPA claims, Defendants argued that Plaintiffs failed to allege that the relevant data (which Defendants described as “thumbnail images”) qualifies for protection under the BIPA because photographs are not biometric data under the statute. The Court rejected this argument since Plaintiffs alleged that Defendants uploaded thumbnail information and facial recognition data (namely, “scans of face geometry”) to their server.
The Court agreed with Defendants’ second argument, however, which asserted that Plaintiffs’ BIPA claim failed to the extent it was brought by or on behalf of Plaintiffs who are not Illinois residents. The BIPA applies only where the underlying conduct occurs “primarily and substantially” in Illinois. The Court determined that the relevant communications between Plaintiffs and Defendants “occurred primarily and substantially in the state of residency for each Plaintiff.” Id. at 12-13. And the End User License Agreement for eufy Camera Products and the Security App stating that the agreement is governed by Illinois law did not change the result that the BIPA claim brought by non-Illinois residents must be dismissed.
Statutory Consumer Protection Claims
Finally, the Court turned to Defendants’ contentions relative to the alleged violations of the four state consumer protection statutes. In beginning its analysis, the Court explained that “[t]o state a claim for deceptive practices under any of the alleged state consumer fraud statutes, Plaintiffs must allege a deceptive statement or act that caused their harm.” Id. at 14. Moreover, “a statement is deceptive if it creates a likelihood of deception or has the capacity to deceive.” Id. at 15 (citation omitted); see also id. (noting that “the allegedly deceptive act must be looked upon in light of the totality of the information made available to the plaintiff”) (citation omitted). Defendants argued in their motion to dismiss that Plaintiffs did not allege cognizable deceptive statements because the statements at issue constitute either puffery or are not false.
The Court dismissed Plaintiffs’ statutory fraud claims in part. Specifically, the Court held that Defendants’ advertising in the form of certain “statements relating to privacy” (e.g., “your privacy is something that we value as much as you do”) constituted nonactionable “puffery.” Id. at 16. The Court therefore dismissed Plaintiffs’ statutory fraud claims insofar as they were premised on the similarly vague “statements relating to privacy.”
However, the Court denied Defendants’ attempt to dismiss the claims premised on their more specific statements about (1) end-user data being stored only on a user’s local device, (2) the use of alleged facial recognition, and (3) end-user data being encrypted. Defendants argued that these were “accurate statements” and thus could not serve as the basis for consumer fraud claims. The Court disagreed, ruling that Plaintiffs sufficiently alleged that the storage, encryption, and facial recognition statements may have misled a reasonable consumer. Accordingly, the Court granted in part and denied in part Defendants’ motion to dismiss.
Implications For Corporate Counsel
The most significant aspect of Sloan v. Anker Innovations Limited is the Court’s analysis of Plaintiffs’ Wiretap Act claims, given the rapidly emerging trend among the plaintiff class action bar of using traditional state and federal laws – including the Wiretap Act – to seek relief for alleged privacy violations. In applying modern technologies to older laws like the Wiretap Act (passed in 1986), courts have grappled with issues such as the determination of who is a “party to the communication” such that an entity is exempt from the statute’s scope. As data exchanges and data storage become more complex, the “party to the communication” determination reciprocally becomes more nebulous.
In Sloan, the “communication” was the eufy products transmitting data to Plaintiffs’ device and “contemporaneously intercept[ing] and sen[ding] [the data] to [Defendant’s] server.” Id. at 8 (citation omitted). Because Plaintiffs had to use the eufy Security app to access the data, and because Defendants owned and operated the app, the Court determined that Defendants necessarily participated in the communication. But the result may have been different if, for instance, Plaintiffs could use a different app (one not owned by Defendants) to access the data, or if unbeknownst to Plaintiffs, the eufy Security app was actually owned and operated by a third-party entity. The upshot is that corporate counsel should keep these principles in mind with respect to any data-flow processes regarding end-user or employee data.
By Gerald L. Maatman, Jr., Alex W. Karasik, and Christian J. Palacios
Duane Morris Takeaways: In Thompson, et al., v. Matcor Metal Fabrication (Illinois), Inc., Case No. 2020-CH-00132 (Ill. Cir. Ct. 10th Dist. Dec. 8, 2023), a class of metal fabricators prevailed on a motion for summary judgment against their employer in what is believed to be the first summary judgment ruling for a certified class under the Illinois Biometric Information Privacy Act (BIPA). An Illinois state court, determining there was no dispute of material fact, entered the pre-trial liability judgment against the defendant employer for collecting employee biometric data through its timekeeping system in violation of BIPA.
This decision highlights the danger that companies face under state privacy “strict liability” statutes, and should serve as a warning for employers that lack robust policies governing the way they collect biometrics data from their employees.
In September of 2019, Matcor Fabrication rolled out a new timekeeping policy whereby it collected its employees’ fingerprints using “biometric scanners” for the purposes of determining when employees clocked in and out of work. Id. at 3. The scanners that collected this information were connected to Matcor’s timekeeping vendor – ADP – and the company sent finger-scan data to ADP every time an employee scanned their fingertips. The named Plaintiff and class representative William Thompson subsequently brought the lawsuit in May of 2020, alleging the company’s timekeeping policy violated the Illinois BIPA. Nearly one year after the lawsuit had commenced, Matcor implemented BIPA-compliant policies, which included distributing a “Biometric Consent Form” to employees that stated that the company’s vendors “may collect, retain, and use biometric data for the purposes of verifying employee identity and recording time” as well as describing Matcor’s policies for retaining and destroying employee data. Id. at 4. The Court previously had certified a class of Matcor employees who enrolled in the company’s finger-scan timekeeping system between May 13, 2015 and June 16, 2021, prior to the policy update. After a lengthy discovery period, both parties filed motions for summary judgment.
The Court’s Ruling
The Court held that there was no genuine dispute of material fact that Matcor’s timekeeping policies during the class-wide time period violated the BIPA. In its ruling, the Court dismissed a series of defenses offered by the company, including that in order for the BIPA to apply, Matcor’s timeclocks needed to “collect” and store its employees’ fingerprints, rather than just transmit them to a third-party vendor. The Court was unconvinced. It opined that the BIPA also applied when timeclocks collected biometric information “based on” a fingerprint. Id. at 7. Matcor further argued that there was a difference between the “fingertip” scans it took and the “fingerprint” scans covered by the BIPA, but it was unable to cite authority that showed a meaningful difference between the two. Finally, Matcor argued that the Court needed “expert testimony” to assess the type of information the company’s timeclocks collected. The Court rejected this contention. It observed that collecting employees’ fingertip information clearly fell under the BIPA’s definition of biometric information.
Based on the facts, the Court determined that it was undisputed that Matcor began using biometric timeclocks to collect employees’ fingerprints in 2019, and the company did not implement a BIPA-compliant policy until one year after the Plaintiff commenced his suit. The record also clearly showed that Matcor failed to obtain its employees’ consent before collecting their fingerprints, and only obtained BIPA releases 2 years after the suit was initiated. Accordingly, the Court granted the Plaintiff’s motion for summary judgment and the lawsuit will now proceed to the damages stage.
As this ruling emphasizes, employers can be held strictly liable for any period of time in which they collect their employees’ biometric data without having a corresponding BIPA-compliant policy. State privacy statutes like the BIPA pose unique dangers for unwary employers who do not keep up-to-date with evolving legal requirements relating to the collection, retention, and use of biometric data. Although Illinois was one of the early adopters of such stringent privacy laws, it will certainly not be the last, and companies should begin taking preventative measures to limit liability associated with such statutes.
Duane Morris Takeaways: In the latest ruling in the biometric privacy class action space, the Illinois Supreme Court embraced a broad reading of the “health care exception” in the Illinois Biometric Information Privacy Act (“BIPA”) in Mosby v. Ingalls Memorial Hospital, 2023 IL 129081 (Ill. Nov. 30, 2023). The Illinois Supreme Court held that the statute excludes from its scope data collected in two separate and distinct scenarios: (1) “information captured from a patient in a health care setting”; and (2) information collected “for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA).” Unlike clause (1), the Supreme Court held that the exception in clause (2) is not limited to data obtained from patients and serves to exclude information that originates from any source.
The Mosby ruling is welcome news to BIPA defendants and companies operating in the health care space. In the wake of the decision, courts likely will be asked to define the exact contours of the BIPA’s broadened “health care exception” in cases presenting facts that are less obviously tied to health care treatment, payment, or operations compared to the facts at issue in Mosby.
The Plaintiffs in Mosby were nurses who claimed that their hospital-employers required them to use a fingerprint-based medication-dispensing system to verify their identities. Plaintiffs sued their employers and the company that distributed the medication-dispensing system, alleging that Defendants violated §§ 15(a), 15(b), and 15(d) of the BIPA by using the medical-station scanning device to collect, use, and/or store their “finger-scan data” without complying with the BIPA’s notice-and-consent requirements and by disclosing their purported biometric data to third parties without first obtaining their consent.
Defendants moved to dismiss in the trial court, arguing that the claims failed because Plaintiffs’ data was specifically excluded from the BIPA’s scope under § 10 of the statute, which states that “[b]iometric identifiers do not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under [the HIPAA].” 740 ILCS 14/10. Defendants argued that the latter clause applied in that Plaintiffs’ fingerprints had been used in connection with Plaintiffs providing medicine to patients, meaning their fingerprints were “collected, used, or stored for health care treatment, payment, or operations under [the HIPAA].” Id.
The trial court denied Defendants’ motions. It ruled that § 10’s “health care exception” was limited to patient information protected under the HIPAA and that the exclusion does not extend to information collected from health care workers.
On appeal, the First District of the Illinois Appellate Court affirmed the denial of Defendants’ motions to dismiss. Echoing the trial court, the Appellate Court determined that the biometric data of health care workers is not excluded from the BIPA’s scope and that the relevant provision of § 10 excluded from the BIPA’s protections “only patient biometric information.” Mosby, 2023 IL 129081, ¶ 16; see id. ¶ 17 (“[T]he appellate court held that ‘the plain language of the statute does not exclude employee information from the [BIPA’s] protections because they are neither (1) patients nor (2) protected under HIPAA.’”) (citation omitted).
Appellate Court Judge Mikva dissented from the majority’s opinion. Judge Mikva opined that the legislature meant to exclude from the BIPA’s scope the biometric data of health care workers “where that information is collected, used, or stored for health care treatment, payment, or operations, as those functions are defined by the HIPAA.” Id. ¶ 19 (citation omitted). Judge Mikva expressed the view that the first part of § 10’s “health care exception” excludes from the BIPA’s coverage information from a particular source (i.e., patients in a health care setting) and that the second part excludes information used for particular purposes (i.e., health care treatment, payment, or operations), regardless of the source of that information.
The Illinois Supreme Court’s Decision
On further appeal, the Illinois Supreme Court agreed with Appellate Court Judge Mikva’s dissent, unanimously holding that the BIPA’s exclusion for “information collected, used, or stored for health care treatment, payment, or operations under [the HIPAA]” can apply to the biometric data of health care workers (not only patients).
The Supreme Court determined that the relevant sentence of § 10 excludes from the definition of “biometric identifier” data that may be collected in two distinct (rather than overlapping) scenarios – namely, biometric identifiers do not include (i) information captured from a patient in a health care setting or (ii) information collected, used, or stored for health care treatment, payment, or operations under HIPAA. Id. ¶ 37 (“[T]he phrase prior to the ‘or’ and the phrase following the ‘or’ connotes two different alternatives. The Illinois legislature used the disjunctive ‘or’ to separate the [BIPA’s] reference to ‘information captured from a patient in a health care setting’ from ‘information collected, used, or stored for health care treatment, payment, or operations under [the HIPAA].’ Pursuant to its plain language, information is exempt from the [BIPA] if it satisfies either statutory criterion.”) (internal citations omitted).
The Supreme Court agreed with Defendants that the two categories of information are different because information excluded under the first clause originates from the patient, whereas information excluded under the second clause may originate from any source. Regarding the second clause, the Supreme Court observed that the Illinois legislature borrowed the phrase “health care treatment, payment, and operations” from the federal HIPAA regulations. Accordingly, the Supreme Court determined that “the legislature was directing readers to the HIPAA to discern the meaning of those terms,” which meanings “relate to activities performed by the health care provider – not by the patient.” Id. ¶ 52.
Thus, the Supreme Court held that a health care worker’s data used to permit access to medication-dispensing stations for patient care qualifies as “information collected, used, or stored for health care treatment, payment, or operations under [the HIPAA]” and is exempt from the statute’s scope.
Implications Of The Decision
After the recent slew of plaintiff-friendly BIPA decisions issued by both state and federal courts, the Illinois Supreme Court’s decision in Mosby comes as welcome news for companies facing privacy-related class actions – particularly those operating in the health care space.
Relying on Mosby, defendants will likely add the BIPA’s “health care exception” to their arsenal of defenses in a wider array of cases moving forward. Importantly, for purposes of the second “HIPAA prong” of the statute’s “health care exception,” federal HIPAA regulations govern the definitions of the terms “health care treatment,” “payment,” and “operations.” Given that the regulatory definitions of those terms are broad, see 45 C.F.R. § 160.103; id. § 164.501, defendants will likely test the breadth of the exception in future cases presenting facts that may be less obviously tied to health care treatment, health care payment, and/or health care operations compared to the facts at issue in Mosby.
Duane Morris Takeaways: In Wilcosky, et al. v. Amazon.com, Inc., et al., No. 19-CV-5061 (N.D. Ill. Nov. 1, 2023), the U.S. District Court for the Northern District of Illinois issued a decision embracing a strict interpretation of the notice a private entity must provide before collecting a person’s biometric data in compliance with the Illinois Biometric Information Privacy Act (“BIPA”). The decision underscores the importance of not only obtaining written consent before collecting a person’s biometric data, but also of the need to be as specific as possible in drafting privacy notices to inform end users that the company is collecting biometric data and to describe the “specific purpose and length of term for which” biometric data is being collected.
In light of the potentially monumental exposure faced by companies defending putative BIPA class actions, companies that operate in Illinois and collect data that could potentially be characterized as “biometric” should review and, if necessary, update their public-facing privacy notices to ensure compliance with the BIPA.
Plaintiffs’ BIPA claims in Wilcosky were premised on their respective interactions with Amazon’s “Alexa” device – a digital assistant that provides voice-based access to Amazon’s shopping application and other services. According to Plaintiffs, Alexa devices identify individuals who speak within the vicinity of an active device by collecting and analyzing the speaker’s “biometric identifiers” (specifically, “voiceprints”).
Among the four named Plaintiffs, three had enrolled in Voice ID using their respective Alexa devices (the “Voice ID Plaintiffs”). One Plaintiff, Julia Bloom Stebbins, did not enroll in Voice ID; rather, she alleged that she spoke in the vicinity of Plaintiff Jason Stebbins’s Alexa device, resulting in Alexa collecting her “voiceprint” to determine whether her voice “matched” the Voice ID of Plaintiff Jason Stebbins.
Based on their alleged interactions with Alexa, Plaintiffs claimed that Amazon violated Sections 15(b), 15(c), and 15(d) of the BIPA by (i) collecting their biometric data without providing them with the requisite notice and obtaining their written consent, (ii) impermissibly “profiting from” their biometric data, and (iii) disclosing their biometric data without consent.
Amazon moved to dismiss Plaintiffs’ complaint on the basis that: (1) the Voice ID Plaintiffs received the required notice and provided their written consent by completing the Voice ID enrollment process; and (2) Plaintiff Bloom Stebbins never enrolled in Voice ID – meaning she was a “total stranger” to Amazon such that Amazon could not possibly identify her based on the sound of her voice.
The Court’s Decision
The Court denied Amazon’s motion to dismiss in a 15-page order, focused primarily on Amazon’s arguments relating to Plaintiffs’ Section 15(b) claim.
Sufficiency Of Notice Provided To Voice ID Plaintiffs
Regarding the requirements of Section 15(b), the Court noted that a company collecting biometric data must first: (1) inform the individual that biometric data is being collected or stored; (2) inform the individual of the specific purpose and length of term for which the biometric data is being collected, stored, and used; and (3) receive a written release signed by the individual.
In moving to dismiss the Voice ID Plaintiffs’ Section 15(b) claim, Amazon argued that those three Plaintiffs received all legally required notices during the Voice ID enrollment process. During that process, Amazon explained how Voice ID works and informed users that the technology creates an acoustic model of a user’s voice characteristics. Amazon maintained that notice language need not track the exact language set forth in Section 15(b) because the BIPA does not require that any particular statutory language be provided to obtain a person’s informed consent. Id. at 6 (noting Amazon’s argument that “Voice ID Plaintiffs’ voiceprints were collected in circumstances under which any reasonable consumer should have known that his or her biometric information was being collected”).
The Court adopted Plaintiffs’ stricter reading of Section 15(b). It held that the complaint plausibly alleged that Amazon’s disclosures did not fully satisfy Section 15(b)’s notice requirements. While Amazon may have informed users that Voice ID enables Alexa to learn their voices and recognize them when they speak, Amazon did not specifically inform users that it is “collecting and capturing the enrollee’s voiceprint, a biometric identifier.” Id. at 8. As a result, and acknowledging that it was “a close call,” the Court denied Amazon’s motion to dismiss the Section 15(b) claim asserted by the Voice ID Plaintiffs.
Application Of The BIPA To “Non-User” Plaintiff Julia Bloom Stebbins
The Court next turned to Plaintiff Bloom Stebbins, who did not create an Alexa Voice ID but alleged that Amazon collected her “voiceprint” when she spoke in the vicinity of Plaintiff Jason Stebbins’s Alexa device. Amazon argued that her Section 15(b) claim failed because the BIPA was not meant to apply to someone in her shoes – that is, a stranger to Amazon and “who Amazon has no means of identifying.” Id. at 11.
The Court rejected Amazon’s argument. In doing so, the Court refused to read Section 15(b)’s requirements as applying only where a company has some relationship with an individual. According to the Court, that interpretation would amount to “read[ing] a requirement into the statute that does not appear in the statute itself.” Id. at 12; see also id. (“[C]ourts in this Circuit have rejected the notion that to state a claim for a Section 15(b) violation, there must be a relationship between the collector of the biometric information and the individual.”).
Wilcosky is required reading for corporate counsel of companies that are facing privacy-related class actions and/or want to ensure their consumer or employee-facing privacy disclosures contain all notices required under applicable law.
The Wilcosky decision endorses a strict view regarding the notice a company must provide to individuals to fully comply with Section 15(b) of the BIPA. To ensure compliance, companies should provide end users with language that is as specific as possible regarding the type(s) of data being collected (including the fact that the data may be “biometric”), the purpose for which the data is being collected, and the time period during which the data will be stored. The notice should closely track the BIPA’s statutory text, and companies should also require individuals to affirmatively express that they have received the notice and agree to the collection of their biometric data. (Despite a footnote stating that the Court’s order in Wilcosky should not “be interpreted to mean that . . . a disclosure must parrot the exact language of BIPA in order to satisfy Section 15(b),” id. at 8 n.3, the Court does not explain how a disclosure could satisfy Section 15(b) without tracking the statute’s language verbatim.)
Moreover, Wilcosky raises the question whether a company should characterize data it collects as “biometric” data in its privacy notice – even if the company maintains (perhaps for good reason) that the data does not constitute biometric data subject to regulation under the BIPA. Further complicating this question is the fact that the precise contours of the types of data that qualify as “biometric” under the BIPA are unclear and are currently being litigated in many cases. Companies may wish to err on the “safe side” and refer to the data being collected as “biometric” data in their privacy notices.
Duane Morris Takeaway: This week’s episode of the Class Action Weekly Wire features Duane Morris partner Jerry Maatman and associate Tyler Zmick with their discussion of a $7 million BIPA class action settlement announced this month and analysis of developing trends in biometric privacy litigation spurred by cutting-edge technology and the ever-evolving innovation of the plaintiffs’ class action bar.
Jerry Maatman: Hello, loyal blog readers and listeners. Welcome to our Friday weekly podcast, the Class Action Weekly Wire. I’m joined by my colleague Tyler Zmick today, one of our BIPA thought leaders, to discuss privacy class action litigation in general and Illinois BIPA lawsuits in particular. Welcome, Tyler.
Tyler Zmick: Great to be here, Jerry. Thanks for having me.
Jerry: I look on the docket every day, and there seems to be just a mushroom cloud explosion of BIPA class action filings. What’s going on there, and what’s driving the plaintiffs’ bar to file so many of the BIPA cases?
Tyler: Sure, I mean, that’s absolutely accurate. It seems for years now that plaintiffs’ lawyers on the class action side have been filing BIPA cases on seemingly a daily basis. The impetus, the sort of driving force, I believe, is really just the possibility of very high levels of damages. It could be a lot of money involved for both class members and plaintiffs’ counsel, especially in the wake of very plaintiff-friendly Illinois Supreme Court decisions. We have just plaintiffs’ lawyers really just looking to cash in and join the many high dollar settlements that have come into play in recent years.
Jerry: One of the areas of focus of the Duane Morris Class Action Review has been our tracking of settlements. I’m a believer that success begets copycats, and big settlements result in more filings and more plaintiffs’ lawyers attracted to the area. Recently in the news there was a large BIPA class action settlement preliminarily approved in federal court here in Illinois, about a Little Caesars. Could you tell us a little bit about that, and share your thoughts about what was going on in that case?
Tyler: Sure, Jerry, so this is a settlement between Little Caesars, the pizza company, and thousands of employees who targeted the company’s finger scanning time clock. It’s a fairly old case filed initially in 2019, so it’s been pending for over four years now. The employees in the case asserted that Little Caesars violated BIPA by requiring employees to scan their fingerprints to clock in and out of work without first providing the necessary disclosures, or obtaining their express written consent. Little Caesars denied all allegations of wrongdoing, and denied that it violated BIPA.
This type of case – probably by and large, if you were to count by the numbers the factual context of different BIPA cases – employee timekeeping cases involving fingerprint scanning is probably the most common fact pattern, although far from the only fact pattern you would find in BIPA cases that are being filed.
Jerry: Can you explain to our listeners where you would peg this $7 million settlement kind of on the range of what large-scale BIPA cases have been settling for – either on an aggregate basis or on a per claimant per class member basis?
Tyler: I would say that this settlement of just under $7 million for a class of approximately 8,500 class members is right in the middle of the range of recoveries that we have seen over the past couple of years. When all fees for administrative costs and plaintiffs’ attorney fees are taken out of the picture, each class member will receive roughly $545 each – and that is really consistent with a number we’ve seen in a lot of BIPA class action settlements. And, importantly, if that number of class members stated in the settlement agreement turns out to be higher, the gross settlement fund will increase by $832 for each class member, just to make sure that the per class member payments do not change.
Jerry: You had mentioned this as an older case. Could you provide your analysis to our listeners about kind of the average length of time it takes for BIPA cases to work through either the state court system as compared to the federal system? This one, of course, was in the federal court.
Tyler: Yeah, sure, Jerry. So I think it’s hard to come up with an average lifespan for a BIPA case, just because some can be dismissed very early on if the fact investigation done by plaintiffs’ counsel reveals that there actually is no biometric data at issue in the case, and their allegations and complaint were actually untrue, then they’ll voluntarily dismiss the case. Other cases can reach settlements on an individual basis early on, or even on a class basis, early on. Whereas other defendants, this case Little Caesars, for a good period of time opt instead to litigate the case, and really to prove, either at the summary judgment stage or trial stage, that they did not, in fact, violate BIPA for a number of different reasons.
Jerry: Well, in following that mantra of ‘success begets copycats,’ and more of these cases get filed, could you share with corporate counsel what you view as the future of BIPA litigation, the types of claims apt to be brought? I know that in talking to you before, claims are divided into two boxes, one being employee-related cases and others being non-employee related cases.
Tyler: Yeah, absolutely. And that’s a great question. I think, as I mentioned, the most common type of BIPA case, historically, has been the employee timekeeping context and facts involving employees clocking in and out – either with fingerprints or face scans. I think, moving forward, we are likely to see non-employee BIPA class actions, and we can also expect to see BIPA cases brought against people that are further downstream than you might think. For example, a company like Amazon Web Services that provides cloud storage services, and is pretty far removed from any “collection” of biometric data that may have occurred relative to an end user. So it may have been collected by one entity, whether it’s an employer or timekeeping vendor, and then sent to another company and ultimately sent to some kind of cloud storage service provider that really has no idea what’s on its servers. And we are seeing companies like that being sued under BIPA or other companies in similar situations, that are one step or two steps removed from consumers or employees, being named as defendants in BIPA cases.
Jerry: That’s an interesting perspective. I’d call that “BIPA 2.0: The Next Generation.” And the plaintiffs’ bar, I’ve found in my experience, is nothing if not innovative, and is pressing the envelope of statutes like BIPA. Well, Tyler, thank you so much for sharing your analysis and your thought leadership in this area. Loyal listeners, that signs off on another Friday weekly podcast – thanks so much for joining us.
Tyler: Thanks for having me, Jerry, always great to be here.
Duane Morris Takeaways: In Carroll v. General Mills, Inc., No. 23-CV-1746 (C.D. Cal. Sept. 1, 2023), Judge Dale Fischer of the U.S. District Court for the Central District of California issued a decision dismissing (for a second time) a class claim brought against General Mills under the Video Privacy Protection Act (“VPPA”). In its decision, the Court ruled that General Mills – a company that manufactures and sells cereals and other food products – did not qualify as a “video tape service provider” under the VPPA, and that even if it did, Plaintiffs’ claim would still fail because they did not show they were “consumers” covered by the statute’s privacy protections. Carroll v. General Mills is the latest decision involving the VPPA – a long dormant statute that class action plaintiffs have recently turned to in attempting to seek redress for alleged privacy violations.
Plaintiffs Keith Carroll and Rebeka Rodriguez alleged that they watched videos on General Mills’ website and that General Mills subsequently disclosed their “video viewing behavior” to Facebook and Google. Specifically, Carroll claimed that General Mills sent Facebook the video he watched online and his identifying information in connection with General Mills’ use of a Facebook advertising feature. Similarly, Rodriguez claimed that General Mills disclosed her “video viewing behavior” and other website analytics data to Google through General Mills’ use of the Google Marketing Platform.
Based on these allegations, Plaintiffs filed a class action that alleged General Mills violated the Video Privacy Protection Act (“VPPA”) by knowingly disclosing their personally identifiable information (“PII”) to Facebook and Google. See 18 U.S.C. § 2710(b)(1).
The District Court’s Decision
The Court granted General Mills’ motion to dismiss Plaintiffs’ VPPA claim. It held that Plaintiffs failed to satisfy the first two prongs of the four-step pleading test applicable to VPPA claims.
In analyzing the allegations, the Court explained that to state a VPPA claim, a plaintiff must allege that: (1) a defendant is a “video tape service provider”; (2) the defendant disclosed PII concerning a consumer to another person; (3) the disclosure was made knowingly; and (4) the disclosure was not authorized by the “safe harbor” provision set forth in 18 U.S.C. § 2710(b)(2).
Like the claim asserted in the previous version of their complaint, the Court determined that Plaintiffs’ VPPA claim failed at step (1) because Plaintiffs did not adequately allege that General Mills is a “video tape service provider,” and that even if the Court were to proceed to step (2), Plaintiffs would also fail at that step based on their inability to show that they qualify as “consumers” under the statute.
“Video Tape Service Provider”
Regarding step (1), the VPPA defines a “video tape service provider” as “any person, engaged in the business, in or affecting interstate or foreign commerce, of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials.” 18 U.S.C. § 2710(a)(4). Importantly, the Court noted that the statute does not apply to every company that “delivers audio visual materials ancillary to its business” but only to companies “specifically in the business of providing audio visual materials.” See Order at 6.
Based on the allegations at hand, the Court held that Plaintiffs failed to allege that General Mills – who manufactures and sells cereals, yogurts, dog food, and other products – is “engaged in the business of delivering, selling, or renting audiovisual material.” Id. The Court rejected Plaintiffs’ attempt to satisfy step (1) by adding allegations in their amended complaint regarding General Mills posting on its website links to professionally made videos. In the Court’s words, these “allegations do no more than show that videos are part of General Mills’ marketing and brand awareness,” which does not suggest “that the videos are profitable in and of themselves” or that the videos “are the business that General Mills is engaged in.” Id. at 6-7.
The Court next held that even if Plaintiffs had satisfied the first step, they nonetheless would have failed at step (2) based on their failure to allege facts establishing that they are “consumers” under the VPPA.
The VPPA defines “consumer” as “any renter, purchaser, or subscriber of goods or services from a video tape service provider.” 18 U.S.C. § 2710(a)(1). Read in the statute’s full context, courts have held that “a reasonable reader would understand the definition of ‘consumer’ to apply to a renter, purchaser or subscriber of audio-visual goods or services, and not goods or services writ large.” See Order at 7 (citation omitted). That is, the definition of “consumer” “mirrors the language used to define a ‘video tape service provider’ as one who is in the business of ‘rental, sale, or delivery’ of audiovisual material.” Id.; see also id. at 7-8 (“‘[C]onsumer’ is obviously meant to be cabined in the same way [as ‘video tape service provider’] – as a renter, purchaser, or subscriber of prerecorded video cassette tapes or similar audio visual materials.”).
The Court determined that Plaintiffs’ prior purchase of General Mills’ food – an “unrelated product” – does not make them “consumers of audiovisual material.” Id. at 8. The Court further noted that Plaintiffs’ failure at step (2) highlights “the fundamental issue” with their VPPA claim – namely, Plaintiffs struggle to plead that they are consumers of General Mills’ audiovisual material because General Mills is not in the business of offering audiovisual material to consumers. See id. at 8-9 (“If General Mills were in such a business, Plaintiffs would not be referring to purchases of General Mills’ food products to establish themselves as consumers.”).
Implications For Corporate Counsel
The decision in Carroll v. General Mills reflects the recent trend among class action plaintiffs’ lawyers of using traditional state and federal laws – including the long dormant VPPA – to seek relief for alleged privacy violations. In applying modern technologies to older laws like the VPPA (passed in 1988), courts have grappled with, among other issues, determining who qualifies as a “video tape service provider” or a “consumer” under the statute.
The Carroll decision may suggest that the definitions of “video tape service provider” and “consumer” are relatively straightforward, but other cases can present close calls (e.g., whether a social media platform that delivers various services to users, including video content, is a “video tape service provider”). Indeed, courts have recently faced challenges in interpreting the VPPA’s definitions in cases involving, inter alia, whether individuals who download a free app through which they view videos qualify as “subscribers” (and therefore “consumers”) under the statute.
Given this uncertainty, companies that provide audio visual materials in connection with their business operations should take advantage of the “safe harbor” amendment, adopted in 2013, under which “video tape service providers” may lawfully disclose PII with the informed written consent of consumers. To do so, companies should update their online consent provisions as needed to specifically address the VPPA.
By Gerald L. Maatman, Jr., Jennifer A. Riley and Rebecca S. Bjork
Duane Morris Takeaways: On September 1, 2023, Judge Deborah Chasanow of the U.S. District Court for the District of Maryland granted a motion to dismiss a class action alleging that the website of defendant Jetblue Airways violated users’ privacy rights under the Maryland Website and Electronic Surveillance Act (“MWESA”). Finding that the named Plaintiff lacked Article III standing to bring the lawsuit, the Court relied upon the lack of any allegations in the Complaint that any of Plaintiff’s personal information was captured by the alleged use of a session replay code. As a result, his Complaint lacked any allegation of a concrete harm that is necessary to bestow standing by virtue of suffering an injury-in-fact. Employers are well-served to examine their websites for the level of risk they might pose of exposure to litigation of this kind, which is currently being filed in more and more courts around the country.
Jetblue Airways Corp. (“Jetblue”) was sued by Matthew Straubmuller in the U.S. District Court for the District of Maryland, alleging that he and a putative class of website users who had visited Jetblue’s website were entitled to damages from Jetblue for violation of the MWESA. Slip Op. at 2. The purpose of that statute is two-fold: both to be a useful tool in crime prevention; and to ensure that “interception of private communications is limited.” Id. at 8.
Plaintiff alleged that Jetblue’s website uses a “session replay code” that allows Jetblue to track users’ electronic communications with the website in real time and can enable reenactments of a user’s visit to the website, and that these constitute actionable privacy violations under the provisions of the MWESA.
JetBlue filed a motion to dismiss. It asserted that Plaintiff lacked Article III standing to bring his claims. It contended that Plaintiff alleged a mere procedural violation of the MWESA and did not allege a concrete harm necessary to establish an injury-in-fact to confer standing.
The District Court’s Decision
Judge Chasanow granted Jetblue’s motion to dismiss. Relying on the Supreme Court’s decision in TransUnion v. Ramirez, 141 S. Ct. 2190 (2021), she rejected Plaintiff’s argument that a statutory violation alone is a concrete injury. The Judge opined that “Courts must independently decide whether a plaintiff has suffered a concrete harm because a plaintiff cannot automatically satisfy the injury-in-fact requirement whenever there is a statutory violation.” Slip Op. at 5-6 (quoting TransUnion (“under Article III, an injury in law is not an injury in fact.”)). And more to the point, she cited case law interpreting the MWESA itself to this effect, which Plaintiff had not cited. Id.
As a way of underlining its ruling, the Court noted that Jetblue had submitted a June 12, 2023 decision coming to the exact same conclusion involving a nearly identical complaint filed against Jetblue in the Southern District of California in Lightoller v. Jetblue Airways Corp. Id. at 4 n.1. Other cases involving similar rulings are presently percolating throughout the federal district courts. Id. at 7 (collecting cases).
Implications For Employers
Judge Chasanow’s decision in Straubmuller v. Jetblue Airways Corp. provides corporate counsel with a good opportunity to set up a time to talk with their company’s information technology officers to discuss litigation risks related to websites and how they interact with employees, prospective employees and customers. As more plaintiffs-side attorneys file lawsuits alleging privacy violations like the ones alleged against Jetblue in both state and federal courts around the country, many have a good chance of surviving motions to dismiss. Preventing class action lawsuits is far superior to defending them.