Four Best Practices For Deterring Cybersecurity And Data Privacy Class Actions And Mass Arbitrations

By Justin Donoho

Duane Morris Takeaway: Class action lawsuits and mass arbitrations alleging cybersecurity incidents and data privacy violations are rising exponentially.  Corporate counsel seeking to deter such litigation and arbitration demands from being filed against their companies should keep in mind the following four best practices: (1) add or update arbitration clauses to mitigate the risks of mass arbitration; (2) use cybersecurity best practices, including continuously improving and prioritizing compliance activities; (3) audit and adjust uses of website advertising technologies; and (4) update website terms of use, data privacy policies, and vendor agreements.

Best Practices

  1. Add or update arbitration agreements to mitigate the risks of mass arbitration

Many organizations have long been familiar with the strategy of deterring class and collective actions by presenting arbitration clauses containing class and collective action waivers prominently for web users, consumers, and employees to accept via click wrap, browse wrap, login wrap, shrink wrap, and signatures.  Such agreements would require all allegedly injured parties to file individual arbitrations in lieu of any class or collective action.  Moreover, the strategy goes, filing hundreds, thousands, or more individual arbitrations would be cost-prohibitive for so many putative plaintiffs and thus deter them from taking any action against the organization in most cases.

Over the last decade, this strategy of deterrence was effective.[1]  Times have changed.  Now enterprising plaintiffs’ attorneys with burgeoning war chests, litigation funders, and high-dollar novel claims for statutory damages are increasingly using mass arbitration to pressure organizations into agreeing to multimillion dollar settlements, just to avoid the arbitration costs.  In mass arbitrations filed with the American Arbitration Association (AAA) or Judicial Arbitration and Mediation Services (JAMS), for example, fees can total millions of dollars just to defend only 500 individual arbitrations.[2]  One study found upfront fees ranging into the tens of millions of dollars for some large mass arbitrations.[3]  Companies with old arbitration clauses have been caught off guard with mass arbitrations, have sought relief from courts to avoid having to defend these mass arbitrations, and this relief was rejected in several recent decisions where the court ordered the defendant to arbitrate and pay the required hefty mass arbitration fees.[4]

If your organization has an arbitration clause, then one of the first challenges for counsel defending many newly served class action lawsuits these days is determining whether to move to compel arbitration.  Although it could defeat the class action, is it worth the risk of mass arbitration and the potential projected costs of mass arbitration involved?  Sometimes not.

Increasingly organizations are mitigating this risk by including mechanisms in their arbitration clauses such as pre-dispute resolution clauses, mass arbitration waivers, bellwether procedures, arbitration case filing requirements, and more.  This area of the law is developing quickly.  One case to watch will be one of the first appellate cases to address the latest trend of mass arbitrations — Wallrich v. Samsung Electronics America, Inc., No. 23-2842 (7th Cir.) (argued February 15, 2024, at issue is whether the district court erred in ordering the BIPA defendant to pay over $4 million in mass arbitration fees).

  1. Use cybersecurity best practices, including continuously improving and prioritizing

IT organizations have long been familiar with the maxim that they should continuously improve their cybersecurity measures and other IT services.  Continuous improvement is part of many IT industry guidelines, such as ISO 27000, COBIT, ITIL, the NIST Cybersecurity Framework (CSF) and Special Publication 800, and the U.S. Department of Energy’s Cybersecurity Capability Maturity Model (C2M2).  Continuous improvement is becoming increasingly necessary in cybersecurity, as organizations’ IT systems and cybercriminals’ tools multiply at an increased rate.  The volume of data breach class actions doubled three times from 2019-2023:

Continuous improvement of cybersecurity measures needs to accelerate accordingly.  As always, IT organizations need to prioritize.  Priorities typically include:

  • improving IT governance;
  • complying with industry guidelines such as ISO, COBIT, ITIL, NIST, and C2M2;
  • deploying multifactor authentication, network segmentation, and other multilayered security controls;
  • staying current with identifying, prioritizing, and patching security holes as new ones continuously arise;
  • designing and continuously improving a cybersecurity incident response plan;
  • routinely practicing handling ransomware incidents with tabletop exercises (may be covered by cyber-insurers); and
  • implementing and continuously improving security information and event management (SIEM) systems and processes.

Measures like these to continuously improve and prioritize: (a) will help prevent a cybersecurity incident from occurring in the first place; and (b) if one occurs, will help the victim organization of cybertheft defend against plaintiffs’ arguments that the organization failed to use reasonable cybersecurity measures.

  1. Audit and adjust uses of website advertising technologies

In 2023, plaintiffs filed over 250 class actions alleging that Meta Pixel, Google Analytics, and other similar software embedded in defendants’ websites secretly captured plaintiffs’ web browsing data and sent it to Meta, Google, and other online advertising agencies, respectively.  This software, often called website advertising technologies or “adtech” (and often referred to by plaintiffs as “tracking technologies”) is a common feature on many websites in operation today — millions of companies and governmental organizations have it.[5]  These lawsuits generally allege that the organization’s use of adtech violated federal and state wiretap statutes, consumer fraud statutes, and other laws, and often seek hundreds of millions of dollars in statutory damages.  The businesses targeted in these cases so far mostly have been healthcare providers but also span nearly every industry including retailers, consumer products, and universities.

Several of these cases have resulted in multimillion-dollar settlements, several have been dismissed, and the vast majority remain undecided.  The legal landscape in this area has only begun to develop under many plaintiffs’ theories of liability, statutes, and common laws.  The adtech alleged has included not only Meta Pixel and Google Analytics but also dozens of the hundreds or thousands of other types of adtech.  All this legal uncertainty multiplied by requested statutory damages equals serious business risk to any organization with adtech on its public-facing website(s).

An organization may not know that adtech is present on its public-facing websites.  It could have been installed on a website by a vendor without proper authorization, for example, or as a default without any human intent by using some web publishing tools.

Organizations should consider whether to have an audit performed before any litigation arises as to which adtech is or has been installed on which web pages when and which data types were transmitted as a result.  Multiple experts specialize in such adtech audits and serve as expert witnesses should any litigation arise.  An adtech audit is relatively quick and inexpensive and it might be cost-beneficial for an organization to perform an adtech audit before litigation arises because: (a) it might convince an organization to turn off some of its unneeded adtech now, thereby cutting off any potential damages relating to that adtech in a future lawsuit; (b) in the event of a future lawsuit, such an audit would not be wasted — it is one of the first things adtech defendants typically perform upon being served with an adtech lawsuit; and (c) an adtech audit could assist in presently updating and modernizing website terms of use, data privacy policies, and vendor agreements (next topic).

  1. Update and modernize website terms of use, data privacy policies, and vendor agreements

Organizations should consider whether to modify their website terms of use and data privacy policies to describe the organization’s use of adtech in additional detail.  Doing so could deter or help defend a future adtech class action lawsuit similar to the many that are being filed today, alleging omission of such additional details, raising claims brought under various states’ consumer fraud acts, and seeking multimillion-dollar statutory damages.

Organizations should consider adding to contracts with website vendors and marketing vendors clauses that prohibit the vendor from incorporating any unwanted adtech into the organization’s public-facing websites.  That could help disprove the element of intent at issue in many claims brought under the recent explosion of adtech lawsuits.

Implications For Corporations: Implementation of these best practices is critical to mitigating risk and saving litigation dollars.  Click to learn more about the services Duane Morris provides in the practice areas of Class Action Litigation; Arbitration, Mediation, and Alternative Dispute Resolution; Cybersecurity; Privacy and Data Protection; Healthcare Information Technology; and Privacy and Security for Healthcare Providers.

 

 

[1] In 2015, for example, a large study found that of 33 banks that had engaged in practices relating to debit card overdrafts, 18 endured class actions and ended up paying out $1 billion to 29 million customers, whereas 15 had arbitration clauses and did not endure any class actions.  See Consumer Protection Financial Bureau (CPFB), Arbitration Study: Report to Congress, Pursuant to Dodd-Frank Wall Street Reform and Consumer Protection Act § 1028(a) at Section 8, available at https://files.consumerfinance.gov/f/201503_cfpb_arbitration-study-report-to-congress-2015.pdf.  These 15 with arbitration clauses paid almost nothing—less than 30 debit card customers per year in the entire nation filed any sort of arbitration dispute regarding their cards during the relevant timeframe.  See id. at Section 5, Table 1.  Another study of AT&T from 2003-2014 found similarly, concluding, “Although hundreds of millions of consumers and employees are obliged to use arbitration as their remedy, almost none do.”  Judith Resnik, Diffusing Disputes: The Public in the Private of Arbitration, the Private in Courts, and the Erasure of Rights, 124 Yale L.J. 2804 (2015).

[2] AAA, Consumer Mass Arbitration and Mediation Fee Schedule (amended and effective Jan. 15, 2024), available at https://www.adr.org/sites/default/files/Consumer_Mass_Arbitration_and_Mediation_Fee_Schedule.pdf; JAMS, Arbitration Schedule of Fees and Costs, available at https://www.jamsadr.com/arbitration-fees.

[3] J. Maria Glover, Mass Arbitration, 74 Stan. L. Rev. 1283, 1387 & Table 2 (2022).

[4] See, e.g., BuzzFeed Media Enters., Inc. v. Anderson, 2024 WL 2187054, at *1 (Del. Ch. May 15, 2024) (dismissing action to enjoin mass arbitration of claims brought by employees); Hoeg v. Samsung Elecs. Am., Inc., No. 23-CV-1951 (N.D. Ill. Feb. 2024) (ordering defendant of BIPA claims brought by consumers to pay over $300,000 in AAA filing fees); Wallrich v. Samsung Elecs. Am., Inc., 2023 WL 5935024 (N.D. Ill. Sept. 12, 2023) (ordering defendant of BIPA claims brought by consumers to pay over $4 million in AAA fees); Uber Tech., Inc. v. AAA, 204 A.D.3d 506, 510 (N.Y. App. Div. 2022) (ordering defendant of reverse discrimination claims brought by customers to pay over $10 million in AAA case management fees).

[5] See, e.g., Customer Data Platform Institute, “Trackers and pixels feeding data broker stores,” reporting “47% of websites using Meta Pixel, including 55% of S&P 500, 58% of retail, 42% of financial, and 33% of healthcare” (available at https://www.cdpinstitute.org/news/trackers-and-pixels-feeding-data-broker-data-stores/); builtwith, “Facebook Pixel Usage Statistics,” offering access to data on over 14 million websites using the Meta Pixel, stating, “We know of 5,861,028 live websites using Facebook Pixel and an additional 8,181,093 sites that used Facebook Pixel historically and 2,543,263 websites in the United States” (available at https://trends.builtwith.com/analytics/Facebook-Pixel).

Webinar Replay: Privacy Class Action Litigation Trends

Duane Morris Takeaways: The significant stakes and evolving legal landscape in privacy class action rulings and legislation make the defense of privacy class actions a challenge for corporations. As a new wave of wiretapping violation lawsuits target companies that use technologies to track user activity on their websites, there is significant state legislative activity regarding data privacy across the country. In the latest edition of the Data Privacy and Security Landscape webinar series, Duane Morris partners Jerry Maatman, Jennifer Riley, and Colin Knisely provide an in-depth look at the most active area of the plaintiffs’ class action bar over the past year.

The Duane Morris Class Action Defense Group recently published its desk references on privacy and data breach class action litigation, which can be viewed on any device and are fully searchable with selectable text. Bookmark or download the e-books here: Data Breach Class Action Review – 2024 and Privacy Class Action Review – 2024.

SB 2979 – Illinois Biometric Privacy Act Legislation Passes The Illinois Senate

By Gerald L. Maatman, Jr., Alex W, Karasik, and George J. Schaller

Duane Morris Takeaways: On April 11, 2024, the Illinois Senate passed Senate Bill 2979 (the “Bill”) by vote of 46 to 13. The Bill introduces legislation that would amend the Biometric Information Privacy Act (“BIPA”) to limit claims accrued to one violation of the BIPA in stark contrast to the statute’s current “per-collection basis.” The Bill’s proposed revisions are accessible here and the status of the Bill can be tracked here. For any companies involved in privacy class action litigation, the proposed legislations is exceedingly important.

Background On The BIPA

The BIPA currently provides for “a violation for every scan,” based on the Illinois Supreme Court’s decision in Cothron v. White Castle Sys., 2023 IL 128004 (Feb. 17, 2023).  In Cothron, the Illinois Supreme Court held that “the plain language of §§ 15(b) and 15(d) shows that a claim accrues under the Act with every scan or transmission of biometric identifiers or biometric information without prior informed consent.” Id. at ¶ 45.

The majority of the Illinois Supreme Court opined that any policy-based concerns “about potentially excessive damage awards under the Act are best addressed by the legislature.” Id. at ¶ 43.

On January 31, 2024, Senator Bill Cunningham introduced SB 2979 to the Illinois Senate.

The Proposed Revisions To The BIPA Under SB 2979

The Bill’s proposed revisions articulate two key amendments regarding: (1) the “every scan” violation under §§ 15(b) and 15(d); and (2) an additional definition for “electronic signature” that augments the BIPA’s current “Written release” definition.

For violations under §§ 15(b) and 15(d), the Bill endeavors to limit alleged violations of the BIPA to a “single violation” for these respective sections.

The Bill narrows an aggrieved person’s entitled recovery to “at most, one recovery under this section,” provided that biometric identifier or biometric information was obtained from the same person using the same method of collection.  See SB 2979, 740 ILCS 14/20(b).  Similar single violation language is proposed under sub-section (d) of § 15 on the BIPA’s dissemination provision.  See SB 2979, 740 ILCS 14/20(c).

Also included in the Bill is a new definition for ‘electronic signature’ as “an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record.” See SB 2979, 740 ILCS 14/10.  This definition is then incorporated to the BIPA’s already defined “Written release.”  See id.

As of April 25, 2024, the Bill advanced to Illinois General Assembly’s House of Representatives and is assigned to the Judiciary – Civil Committee.

Implications For Employers

Employers should monitor SB 2979 closely as it progresses through the Illinois House of Representatives.  The unfettered potential damages from BIPA claims may be limited to a single scan if the Bill passes.  This would be a major and much-needed legislative coup for businesses with operations in Illinois who utilize biometric technology.

Pennsylvania Federal Court Dismisses Data Privacy Class Action Based On Lack Of Standing

By Gerald L. Maatman, Jr., Jesse S. Stavis, and Ryan T. Garippo

Duane Morris Takeaways: On April 5, 2024, Judge Marilyn J. Horan of the U.S. District Court for the Western District of Pennsylvania granted defendant Spirit Airlines’ motion to dismiss in Smidga et al. v. Spirit Airlines, No: 2:22-CV-0157 (W.D. Pa. Apr. 5, 2024). Plaintiffs alleged that Spirit had invaded their privacy and violated state wiretapping laws by recording data regarding visits to Spirit’s website, but the Court held that they failed to plead a concrete injury sufficient to establish Article III standing. The ruling should serve as a reminder of the importance of considering challenges to standing, particularly in data privacy class actions where alleged injuries are often abstract and speculative.

Case Background

Like many companies, Spirit Airlines uses session replay code to track users’ activity on its website in order to optimize user experience. Session replay code allows a website operator to track mouse movements, clicks, text entries, and other data concerning a visitor’s activity on a website. According to Spirit, all data that is collected is thoroughly anonymized.

The plaintiffs in this putative class action alleged that Spirit violated numerous state wiretapping and invasion of privacy laws by recording their identities, travel plans, and contact information. One of the plaintiffs also alleged that she had entered credit card information into the website. All three plaintiffs claimed that the invasion of privacy had caused them mental anguish and suffering as well as lost economic value in their information.

Spirit moved to dismiss based on a lack of standing under Rule 12(b)(1) and failure to state a claim under Rule 12(b)(6).

The Court’s Ruling

The Court dismissed all claims without prejudice. It held that the plaintiffs had failed to establish standing. Under Article III of the U. S. Constitution, a plaintiff must establish that he or she has standing to sue in order to proceed with a lawsuit. The standing analysis asks whether: “(1) the plaintiff suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.” Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547 (2016).

Spirit argued that the plaintiffs had failed to identify an injury in fact because they did not suffer any concrete injury from the recording of session data. The court accepted this argument, noting that absent a concrete injury, a violation of a statute alone is insufficient to establish standing: “Congress [or a state legislature] may not simply enact an injury into existence, using its lawmaking power to transform something that is not remotely harmful into something that is.” Smidga et. al v. Spirit Airlines, Inc., No. 2:22-CV-1578, 2024 WL 1485853, at *3 (W.D. Pa. Apr. 5, 2024) (internal citations and quotation marks omitted).

Judge Horan cited over fifteen recent cases where federal courts denied standing in similar circumstances to demonstrate that the mere recording of anonymized data does not satisfy the constitutional standing requirement. Further, the Court reasoned that a website’s “collection of basic contact information” is also insufficient. Id. at *4. However, the Court did note that recording credit card data without a user’s authorization might be sufficient to establish standing. Id. at *5. In Smidga, one plaintiff alleged that she had entered her credit card information, but Spirit insisted that no personally identifying information had been stored. Because plaintiffs bear the burden to prove standing, the Court found that the mere assertion that a plaintiff entered her credit card information into a website was — absent allegations that her personalized data was tied to that information — insufficient to confer Article III standing.

Having dismissed the case for lack of standing, the Court did not analyze Spirit’s arguments under Rule 12(b)(6) for failure to state a claim. The court did, however, grant the plaintiffs leave to amend their complaint.

Implications For Companies

The success or failure of a class action often comes down to whether the putative class can achieve certification under Rule 23. Nonetheless, Rule 23 challenges are not the only weapon in a defendant’s arsenal. Indeed, a Rule 12(b)(1) challenge to standing is often an effective and efficient way to quickly dispose of a claim. This strategy is a particularly potent defense in the data privacy space, as the harms that are alleged in these cases are often abstract and speculative. The ruling in Smidga shows that even if a defendant allegedly violated a state privacy or wiretapping law, a plaintiff must still demonstrate that he or she has actually been harmed.

The Class Action Weekly Wire – Episode 46: 2024 Preview: Privacy Class Action Litigation


Duane Morris Takeaway:
This week’s episode of the Class Action Weekly Wire features Duane Morris partner Jennifer Riley, special counsel Brandon Spurlock, and associate Jeff Zohn with their discussion of 2023 developments and trends in privacy class action litigation as detailed in the recently published Duane Morris Privacy Class Action Review – 2024.

Check out today’s episode and subscribe to our show from your preferred podcast platform: Spotify, Amazon Music, Apple Podcasts, Google Podcasts, the Samsung Podcasts app, Podcast Index, Tune In, Listen Notes, iHeartRadio, Deezer, YouTube or our RSS feed.

Episode Transcript

Jennifer Riley: Welcome to our listeners, thank you for being here for our weekly podcast, the Class Action Weekly Wire. I’m Jennifer Riley, partner at Duane Morris, and joining me today is special counsel Brandon Spurlock and associate Jeffrey Zohn. Thank you for being on the podcast, guys.

Brandon Spurlock: Thank you, Jen, happy to be part of the podcast.

Jeff Zohn: Thanks, Jen, I am glad to be here.

Jennifer: Today on the podcast we are discussing the recent publication of this year’s edition of the Duane Morris Privacy Class Action Review. Listeners can find the eBook publication on our blog, the Duane Morris Class Action Defense Blog. Brandon, can you tell our listeners a little bit about our new publication?

Brandon: Yeah, sure, Jen, the last year saw a virtual explosion of privacy class action litigation. As a result, compliance with privacy laws in the myriad ways that companies interact with employees, customers, and third parties is a corporate imperative. To that end, the class action team at Duane Morris is pleased to present the Privacy Class Action Review – 2024. This publication analyzes the key privacy-related rulings and developments in 2023, and the significant legal decisions and trends impacting privacy class action litigation for 2024. We hope the companies and employers will benefit from this resource. Their compliance with these evolving laws and standards

Jennifer: In the rapidly evolving privacy litigation landscape, it is crucial for businesses to understand how courts are interpreting these often ambiguous privacy statutes. In 2023, courts across the country issued a mixed bag of results leading to major victories for both plaintiffs and defendants. Jeff, what were some of the takeaways from the publication with regard to litigation in this area in 2023?

Jeff: Yeah, you’re absolutely right that there was a mixed bag of results – both defendants and plaintiffs can point to major BIPA victories in 2023. This past year will definitely be remembered for some of the landmark pro-plaintiff rulings that will provide the plaintiffs’ bar with more than enough ammunition to keep BIPA litigation in the headlines for the foreseeable future. Specifically in 2023, the Illinois Supreme Court issued two seminal decisions that increase the opportunity for recovery of damages under BIPA, including Tims, et al. v. Black Horse Carriers, which held a five-year statute of limitations applies to claims under BIPA, and Cothron, et al. v. White Castle System, Inc., which held that a claim accrues under the BIPA each time a company collects or discloses biometric information.

Jennifer: Two major rulings indeed. Brandon, what do you anticipate these rulings will mean for privacy class actions in 2024?

Brandon: Sure, Jen. These rulings have far-reaching implications together. They have the potential to increase monetary damages in BIPA class actions in an exponential manner, especially in employment context, where employees may scan in and out of work multiple times per day across more than 200 workdays per year. In 2023, in the wake of these rulings, class action filings more than doubled. We anticipate that the high volume of case filings will continue at 2024.

Jeff: I think it’s important to add that even though BIPA is an Illinois state statue, various other states are continuing to consider proposed copycat statutes that follow the lead of Illinois. The federal government likewise continues to consider proposals for a national statute. These factors have transformed biometric privacy compliance into a top priority for businesses nationwide and have promoted privacy class actions to the top of the list of litigation risks facing business today. If other states succeed in enacting similar statutes, businesses can expect similar surges in those States as the filing numbers of Illinois continue their upward trend.

Jennifer: Thanks so much for that information – all very important for companies navigating the privacy class action regulations and statutes. The Review also talks about the top privacy settlements in 2023. How did plaintiffs do in securing settlement funds last year?

Brandon: Plaintiffs did very well in securing high dollar settlements. In 2023, the top 10 privacy settlements totaled $1.32 billion. This was a significant increase over 2022, when the top 10 privacy class action settlements totaled still a high number, but just almost $900 million. Specific to BIPA litigation settlements, the top 10 BIPA class action settlements totaled almost $150 million dollars in 2023.


Jennifer: Thank you. We will continue to track those settlement numbers in 2024 as record breaking settlement amounts have been a huge trend that we have tracked over the past two years. Thank you to Brandon and Jeff for being here today, and thank you to the loyal listeners for tuning in. Listeners, please stop by the blog for a free copy of the Privacy Class Action Review eBook.

Jeff: Thank you for having me, Jen, and thank you to all of our listeners.

Brandon: Thanks so much, everyone.

It’s Here! The Duane Morris Privacy Class Action Review – 2024


By Gerald L. Maatman, Jr., Jennifer A. Riley, and Alex W. Karasik

Duane Morris Takeaways: The last year saw a virtual explosion in privacy class action litigation. As a result, compliance with privacy laws in the myriad of ways that companies interact with employees, customers, and third parties is a corporate imperative. To that end, the class action team at Duane Morris is pleased to present the Privacy Class Action Review – 2024. This publication analyzes the key privacy-related rulings and developments in 2023 and the significant legal decisions and trends impacting privacy class action litigation for 2024. We hope that companies and employers will benefit from this resource in their compliance with these evolving laws and standards.

Click here to download a copy of the Privacy Class Action Review – 2023 eBook. Look forward to an episode on the Review coming soon on the Class Action Weekly Wire!

Spygate 2.0? New England Patriots Sued In VPPA Privacy Class Action

By Alex W. Karasik and Gerald L. Maatman, Jr.

Duane Morris Takeaways:  On February 1, 2024, a football fan filed a class action lawsuit against the New England Patriots in a Massachusetts federal court, alleging that the football team’s mobile app (the “App”) knowingly disclosed users’ location data and personal information to third-parties in alleged violation of the Video Privacy Protection Act (“VPPA”). This lawsuit marks the latest high-profile VPPA class action lawsuit filing, which have significantly spiked in the last two years.

Although the recent tide of VPPA class action court rulings has generally tipped in favor of defendants, the plaintiffs’ class action bar is still exploring novel theories to bring these high-stakes cases. Companies must therefore pay close attention to privacy-related issues involving mobile applications, including what data is collected and to whom it is transmitted.

The VPPA

Congress passed the VPPA in 1988.  The statute imposes liability on, “[a] video tape service provider who knowingly discloses, to any person, personally identifiable information concerning any consumer of such provider.”  18 U.S.C. § 2710(b)(1).  A “video tape service provider” is defined as “any person, engaged in the business, in or affecting interstate or foreign commerce, of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials.”  Id. 3-4 (citations omitted).  “Personally identifiable information” (“PII”) is defined as “information which identifies a person as having requested or obtained specific video materials or services from a video service provider.”  Id.  In essence, the statute purports to account for advancements in video-delivery technology by defining a “video tape service provider” broadly to include any business engaged in the “rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials.”  Id.

The New VPPA Class Action Lawsuit

Plaintiff alleges that he downloaded and installed the App to his mobile phone and regularly used it to access video content.  Id. at 2.  When downloading the App, users are presented with an option to sign into an existing account, create a new account, or continue without signing in by selecting “MAYBE LATER.”  Id. at 4-5.  Plaintiff alleges that consumers who select “MAYBE LATER” are not presented with the App’s Terms of Use or Privacy Policy.  And even if users select “JOIN NOW”, they are redirected to a login screen where they have the option to log in, but are not required to view or assent to any terms of use or privacy policy unless they take additional steps to create an account.  Id. at 5.

In terms of data collection, the lawsuit alleges that when a user opens a video on the App, the App sends the content type, video title, and a persistent identifier to the user’s device. The App then transmits to third parties the user’s information, including location (in geographical coordinates and altitude), advertising ID, and video content consumption. Id. at 6. According to the complaint, the New England Patriots allegedly leverage users’ geolocation so it can maximize advertising revenue and, to that end, uniquely identify its users. For Android software users, the complaint alleges that the Patriots unique advertising ID called an Android Advertising ID (“AAID”) for each of its users with third-parties, which enables a third party to track the user’s movements, habits, and activity on mobile applications.  Id. at 10.

Accordingly, the lawsuit alleges that through the New England Patriots’ dissemination of consumers’ PII, third parties such as Google can collect and store billions of metrics and events and make it easier for clients to make data-driven decisions, and these reports are continuously updated and metrics are reported as they occur.  Id at 16.  Plaintiff seeks to represent a class defined as “All persons in the United States who used the Patriots App to watch videos and had their personally identifiable information — including but not limited to the videos they watched, their geolocation, and their unique advertising IDs — transmitted to one or more third parties.”  Id.  On behalf of the class, Plaintiff seeks an award of damages, including, but not limited to, actual, consequential, punitive, statutory, and nominal damages.

Implications For Businesses

This lawsuit represents another example of class action plaintiffs’ lawyers using traditional state and federal laws – including the long dormant VPPA – to seek relief for alleged privacy violations.  In applying modern technologies to older laws like the VPPA (passed in 1988), courts have grappled with issues such as the determination of who qualifies as a “video tape service provider” or a “consumer” under the statute. It will be interesting to follow this lawsuit to see whether the Court follows the recent trend of courts dismissing VPPA class actions.

That said, this high-profile filing also suggests that companies should regularly update their online consent provisions as needed to specifically address the VPPA. Businesses that pro-actively implement compliance mechanisms will thank themselves later in terms of preventing class action litigation.

Texas Federal Court Dismisses Video Privacy Protection Act Class Action Concerning Email Newsletter From University Of Texas

By Gerald L. Maatman, Jr., Jennifer A. Riley, and Emilee N. Crowther

Duane Morris Takeaways: In Brown v. Learfield Communications, LLC, et al., No. 1:23-CV-00374, 2024 U.S. Dist. LEXIS 15587 (W.D. Tex. Jan. 29, 2024), Judge David A. Ezra of the U.S. District Court for the Western District of Texas granted Defendants Learfield Communications, LLC and Sidearm Sports, LLC’s Rule 12(b)(6) motion to dismiss Plaintiff’s Video Privacy Protection Act (VPPA) class claim.  The Court held that Plaintiff failed to plead facts to support his claim under the VPPA because he did not allege that he was a subscriber to audio-visual goods or services themselves, just a newsletter that contained links to publicly-available content on The University of Texas’s website.  Defendants in VPPA class actions can utilize this decision as a roadmap when preparing motions to dismiss.

Case Background

Defendants Learfield Communications, LLC and Sidearm Sports, LLC (collectively, “Defendants”) operated the University of Texas at Austin’s (“UT”) website (the “UT Website”).  Id. at 2.  The UT Website contains software that enables Facebook to track the activity of UT Website users on other websites.  Id.  Defendants invite UT Website visitors to subscribe to emailed newsletters.  Id. at 3.  The newsletters provide links to various videos, clips, and other content on the UT Website related to UT Athletics.  Id.  Plaintiff Adam Brown subscribes to UT’s emailed newsletter.  Id.

In April 2023, Plaintiff filed a class action against Defendants UT, UT Athletics, Learfield, and Sidearm alleging that they violated the VPPA by purportedly exposing the subscribers’ personal identification information and gathering marketing data without consent.  Id. at 4.  In June 2023, UT and UT Athletics filed a motion to dismiss based on sovereign immunity.  Id.  at 2.  The motion was granted in July.  Id.  In September, Defendants Learfield and Sidearm filed a motion to dismiss under 12(b)(1), 12(b)(6), and 12(b)(7).  Id.

The Court’s Decision

The Court denied Defendants’ Rule 12(b)(1) and 12(b)(7) motions to dismiss. It held that neither Learfield or Sidearm was entitled to immunity as an “arm of the state,” and that neither UT or UT Athletics were indispensable parties to the lawsuit.  Id. at 7-10.

The Court, however, granted Defendants’ Rule 12(b)(6) motion to dismiss on the basis that Plaintiff was not a “consumer” under the VPPA because he failed to allege a factual nexus between the subscription and Defendants’ allegedly actionable video content.  Id. at 2, 19, 26.

To state a claim under the VPPA, the Court noted that a plaintiff must allege that a defendant “(1) is a video tape service provider; (2) who knowingly disclosed to any person; (3) personally identifiable information; (4) concerning any consumer.”  Id. at 10-11; 18 U.S.C. 2710(b)(1).  Under the VPPA, a “consumer” is “any renter, purchaser, or subscriber of goods or services from a video tape service provider.”  18 U.S.C. § 2710(a)(1).

The Court reasoned that the VPPA “only applies to consumers (including subscribers) of audio video services” because, when reading the term “consumer” in the full context of the VPPA, “a reasonable reader would understand the definition of ‘consumer’ to apply to a renter, purchaser or subscriber of audio-visual goods or services, and not goods or services writ large.”  Id. at * 19 (emphasis original) (quoting Carter v. Scripps Networks, LLC, 2023 WL 3061858, at *6 (S.D.N.Y. Apr. 24, 2023)).

The Court concluded that Plaintiff was not a “consumer” under the VPPA because (i) the newsletter did not contain videos, just links to videos on the UT Website; and (ii) the linked videos were available for any member of the public to see on the UT Website, not just those who subscribed to the newsletter.  Id. at 26-28.  Accordingly, the Court ruled that Plaintiff was not a subscriber to audio-visual goods or services, just a newsletter.  Id. at 28-29.  Ultimately, because Plaintiff failed to allege facts to support a claim under the VPPA, the Court granted Defendants 12(b)(6) motion to dismiss.  Id. at 29.

Implications For Companies

The decision in Brown v. Learfield serves as a roadmap for defendants in VPPA class actions to utilize when preparing motions to dismiss. This case is also important as it adds the Western District of Texas to a growing number of federal courts that strictly construe the VPPA to audio-visual materials, not links to publically-available videos in newsletters.  See, e.g., Carter v. Scripps Networks, LLC, No. 22-CV-2031, 2023 WL 3061858, at *6 (S.D.N.Y. Apr. 24, 2023); Jefferson v. Healthline Media, Inc., No. 3:22-CV-05059, 2023 WL 3668522, at *3 (N.D. Cal. May 24, 2023); Gardener v. MeTV, No. 22-CV-5963, 2023 WL 4365901, at *4 (N.D. Ill. July 6, 2023).

Illinois Federal Court Partially Dismisses Class Action Privacy Claims Involving “Eufy” Security Cameras

By Gerald L. Maatman, Jr., Alex W. Karasik, and Tyler Zmick

Duane Morris Takeaways:  In Sloan, et al. v. Anker Innovations Ltd., No. 22-CV-7174 (N.D. Ill. Jan. 9, 2024), Judge Sarah Ellis of the U.S. District Court for the Northern District of Illinois granted in part a motion to dismiss privacy claims brought against the companies that manufacture and sell “eufy” security products.  The Court dismissed the claims asserted under the federal Wiretap Act because Defendants were “parties” to the communication during which the eufy products sent security recordings to Plaintiffs’ mobile devices (notwithstanding that the products also sent the data to a server owned by Defendants).  In addition, the Court partially dismissed Plaintiffs’ claims under the Illinois Biometric Information Privacy Act and under four state consumer protection statutes, thereby allowing Plaintiffs to proceed with their case only with respect to some of their claims.

For businesses who are embroiled in facial recognition software and related privacy class actions, this ruling provides a helpful roadmap for fracturing such claims at the outset of the lawsuit.

Case Background

Plaintiffs were individuals from various states who purchased and used Defendants’ “eufy” branded home security cameras and video doorbells.  The eufy products can, among other things, detect motion outside a person’s home and apply a facial recognition program differentiate “between known individuals and strangers by recognizing biometric identifiers and comparing the face template against those stored in a database.”  Id. at 3.  Eufy products sync to a user’s phone through eufy’s Security app, which notifies a user of motion around the camera by sending the use a recorded thumbnail image or text message.

Defendants advertised that the video recordings and facial recognition data obtained through eufy cameras are stored locally on user-owned equipment owned and that the data would be encrypted so that only the user could access it.  Media reports later revealed, however, that the eufy products uploaded thumbnail images used to notify users of movement to Defendants’ cloud storage without encryption, and that users could stream content from their videos through unencrypted websites.

Claiming they relied to their detriment on Defendants’ (allegedly false) privacy-related representations when purchasing the eufy products, the eight named Plaintiffs filed a putative class action against corporate Defendants involved in the manufacture and sale of “eufy” products.  In their complaint, Plaintiffs asserted that Defendants violated: (1) the Federal Wiretap Act; (2) the Biometric Information Privacy Act (the “BIPA”); and (3) the consumer protection statutes of Illinois, New York, Massachusetts, and Florida.  Defendants moved to dismiss Plaintiffs’ claims under Federal Rule of Civil Procedure 12(b)(6).

The Court’s Decision

The Court granted in part and denied in part Defendants’ motion, holding that: (1) the Wiretap Act claim should be dismissed because Defendants were a party to the relevant communication (i.e., the transmission of data from eufy products to Plaintiffs via the eufy Security app); (2) the BIPA claims should be dismissed as to non-Illinois resident Plaintiffs; and (3) the claims brought under the relevant consumer protection statutes should be dismissed only to the extent they were premised on certain of Defendants’ public-facing privacy statements.

Wiretap Act Claims

The Court first addressed Plaintiffs’ Wiretap Act claims, explaining that the statute “empowers a private citizen to bring a civil claim against someone who ‘intentionally intercepts [or] endeavors to intercept . . . any wire, oral, or electronic communication.’”  Id. at 8 (quoting 18 U.S.C. § 2511(1)(a)).

Defendants argued that Plaintiffs failed to state a claim under the Wiretap Act because the statute does not apply to a party to the relevant communication.  Specifically, the Wiretap Act exempts a person who intercepts an electronic communication “where such person is a party to the communication or where one of the parties to the communication has given prior consent to such interception.”  18 U.S.C. § 2511(2)(d).

The Court agreed with Defendants and thus dismissed Plaintiffs’ Wiretap Act claim.  The Court described the relevant “communication” as the transmission of data from eufy products to Plaintiffs’ devices and explained that the transmission “is not between the eufy product and Plaintiffs, but rather between the eufy product and the eufy Security app, which Defendants own and operate.  As such, the communication necessarily requires Defendants’ participation, even if Plaintiffs did not intend to share their information with Defendants.”  Id. at 8-9 (emphasis added).  The Court thus held that Defendants were parties to the communication, and Defendants also uploading the data to their own server (without Plaintiffs’ knowledge) did not change that conclusion.

BIPA Claims

Regarding Plaintiffs’ BIPA claims, Defendants argued that Plaintiffs failed to allege that the relevant data (which Defendants described as “thumbnail images”) qualifies for protection under the BIPA because photographs are not biometric data under the statute.  The Court rejected this argument since Plaintiffs alleged that Defendants uploaded thumbnail information and facial recognition data (namely, “scans of face geometry”) to their server.

The Court agreed with Defendants’ second argument, however, which asserted that Plaintiffs’ BIPA claim failed to the extent it was brought by or on behalf of Plaintiffs who are not Illinois residents.  The BIPA applies only where the underlying conduct occurs “primarily and substantially” in Illinois.  The Court determined that the relevant communications between Plaintiffs and Defendants “occurred primarily and substantially in the state of residency for each Plaintiff.”  Id. at 12-13.  And the End User License Agreement for eufy Camera Products and the Security App stating that the agreement is governed by Illinois law did not change the result that the BIPA claim brought by non-Illinois residents must be dismissed.

Statutory Consumer Protection Claims

Finally, the Court turned to Defendants’ contentions relative to the alleged violations of the four state consumer protection statutes.  In beginning its analysis, the Court explained that “[t]o state a claim for deceptive practices under any of the alleged state consumer fraud statutes, Plaintiffs must allege a deceptive statement or act that caused their harm.”  Id. at 14.  Moreover, “a statement is deceptive if it creates a likelihood of deception or has the capacity to deceive.”  Id. at 15 (citation omitted); see also id. (noting that “the allegedly deceptive act must be looked upon in light of the totality of the information made available to the plaintiff”) (citation omitted).  Defendants argued in their motion to dismiss that Plaintiffs did not allege cognizable deceptive statements because the statements at issue constitute either puffery or are not false.

The Court dismissed Plaintiffs’ statutory fraud claims in part.  Specifically, the Court held that Defendants’ advertising in the form of certain “statements relating to privacy” (e.g., “your privacy is something that we value as much as you do”) constituted nonactionable “puffery.”  Id. at 16.  The Court therefore dismissed Plaintiffs’ statutory fraud claims insofar as they were premised on the similarly vague “statements relating to privacy.”

However, the Court denied Defendants’ attempt to dismiss the claims premised on their more specific statements about (1) end-user data being stored only on a user’s local device, (2) the use of alleged facial recognition, and (3) end-user data being encrypted.  Defendants argued that these were “accurate statements” and thus could not serve as the basis for consumer fraud claims.  The Court disagreed, ruling that Plaintiffs sufficiently alleged that the storage, encryption, and facial recognition statements may have misled a reasonable consumer.  Accordingly, the Court granted in part and denied in part Defendants’ motion to dismiss.

Implications For Corporate Counsel

The most significant aspect of Sloan v. Anker Innovations Limited is the Court’s analysis of Plaintiffs’ Wiretap Act claims, given the rapidly emerging trend among the plaintiff class action bar of using traditional state and federal laws – including the Wiretap Act – to seek relief for alleged privacy violations.  In applying modern technologies to older laws like the Wiretap Act (passed in 1986), courts have grappled with issues such as the determination of who is a “party to the communication” such that an entity is exempt from the statute’s scope.  As data exchanges and data storage become more complex, the “party to the communication” determination reciprocally becomes more nebulous.

In Sloan, the “communication” was the eufy products transmitting data to Plaintiffs’ device and “contemporaneously intercept[ing] and sen[ding] [the data] to [Defendant’s] server.”  Id. at 8 (citation omitted).  Because Plaintiffs had to use the eufy Security app to access the data, and because Defendants owned and operated the app, the Court determined that Defendants necessarily participated in the communication.  But the result may have been different if, for instance, Plaintiffs could use a different app (one not owned by Defendants) to access the data, or if unbeknownst to Plaintiffs, the eufy Securty app was actually owned and operated by a third-party entity.  The upshot is that corporate counsel should keep these principles in mind with respect to any data-flow processes regarding end-user or employee data.

Illinois Trial Court Grants Class-Wide Summary Judgement In BIPA Privacy Lawsuit

By Gerald L. Maatman, Jr., Alex W. Karasik, and Christian J. Palacios

Duane Morris Takeaways:  In Thompson, et al., v. Matcor Metal Fabrication (Illinois), Inc., Case No. 2020-CH-00132 (Ill. Cir. Ct. 10th Dist. Dec. 8, 2023), a class of metal fabricators prevailed on a motion for summary judgment against their employer in what is believed to be the first summary judgment ruling for a certified class under the Illinois Biometric Information Privacy Act (BIPA). An Illinois state court, determining there was no dispute of material fact, entered the pre-trial liability judgment against the defendant employer for collecting employee biometric data through its timekeeping system in violation of BIPA.

This decision highlights the danger that companies face under state privacy “strict liability” statutes, and should serve as a warning for employers that lack robust policies governing the way they collect biometrics data from their employees.

Background

In September of 2019, Matcor Fabrication rolled out a new timekeeping policy whereby it collected its employees’ fingerprints using “biometric scanners” for the purposes of determining when employees clocked in and out of work. Id. at 3. The scanners that collected this information were connected to Matcor’s timekeeping vendor – ADP – and the company sent finger-scan data to ADP every time an employee scanner their fingertips. The named Plaintiff and class representative William Thompson subsequently brought the lawsuit in May of 2020, alleging the company’s timekeeping policy violated the Illinois BIPA. Nearly one year after the lawsuit had commenced, Matcor implemented BIPA-compliant policies, which included distributing a “Biometric Consent Form” to employees that stated that the company’s vendors “may collect, retain, and use biometric data for the purposes of verifying employee identity and recording time” as well as describing Matcor’s policies for retaining and destroying employee data. Id. at 4. The Court previously had certified a class of Matcor employees who enrolled in the company’s finger-scan timekeeping system between May 13, 2015 and June 16, 2021, prior to the policy update. After a lengthy discovery period, both parties filed motions for summary judgement.

The Court’s Ruling

The Court held that there was no genuine dispute of material fact that Matcor’s timekeeping policies during the class-wide time period violated the BIPA. In its ruling, the Court dismissed a series of defenses offered by the company, including that in order for the BIPA to apply, Matcor’s timeclocks needed to “collect” and store its employees’ fingerprints, rather than just transmit it to a third-party vendor. The Court was unconvinced. It opined that the BIPA also applied when timeclocks collected biometric information “based on” a fingerprint. Id. at 7. Matcor further argued that there was a difference between the “fingertip” scans it took and the “fingerprint” scans covered by the BIPA, but it was unable to cite authority that showed a meaningful difference between the two. Finally, Matcor argued that the Court needed “expert testimony” to assess the type of information the company’s timeclocks collected. The Court rejected this contention. It observed that collecting employee’s fingertip information clearly fell under the BIPA’s definition of biometric information.

Based on the facts, the Court determined that it was undisputed that Matcor began using biometric timeclocks to collect employee’s fingerprints in 2019, and the company did not implement a BIPA-compliant policy until one year after the Plaintiff commenced his suit. The record also clearly showed that Matcor failed to obtain its employees consent before collecting their fingerprints, and only obtained BIPA releases 2 years after the suit was initiated. Accordingly, the Court granted the Plaintiff’s motion for summary judgement and the lawsuit will now proceed to the damages stage.

Implications

As this ruling emphasizes, employers can be held strictly liable for any period of time in which they collect their employees’ biometric data without having a corresponding BIPA-compliant policy. State privacy statutes like the BIPA pose unique dangers for unwary employers who do not keep up-to-date with evolving legal requirements relating to the collection, retention, and use of biometric data. Although Illinois was one of the first early adopters of such stringent privacy laws, it will certainly not be the last, and companies should begin taking preventative measures to limit liability associated with such statutes.

© 2009- Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.

The opinions expressed on this blog are those of the author and are not to be construed as legal advice.

Proudly powered by WordPress