Illinois Supreme Court Endorses Broad Interpretation Of The BIPA’s “Health Care Exception”

By Gerald L. Maatman, Jr. and Tyler Zmick

Duane Morris Takeaways:  In the latest ruling in the biometric privacy class action space, the Illinois Supreme Court embraced a broad reading of the “health care exception” in the Illinois Biometric Information Privacy Act (“BIPA”) in Mosby v. Ingalls Memorial Hospital, 2023 IL 129081 (Ill. Nov. 30, 2023).  The Illinois Supreme Court held that the statute excludes from its scope data collected in two separate and distinct scenarios: (1) “information captured from a patient in a health care setting”; and (2) information collected “for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA).”  Unlike clause (1), the Supreme Court held that the exception in clause (2) is not limited to data obtained from patients and serves to exclude information that originates from any source.

The Mosby ruling is welcome news to BIPA defendants and companies operating in the health care space.  In the wake of the decision, courts likely will be asked to define the exact contours of the BIPA’s broadened “health care exception” in cases presenting facts that are less obviously tied to health care treatment, payment, or operations compared to the facts at issue in Mosby.

Case Background

The Plaintiffs in Mosby were nurses who claimed that their hospital-employers required them to use a fingerprint-based medication-dispensing system to verify their identities.  Plaintiffs sued their employers and the company that distributed the medication-dispensing system, alleging that Defendants violated §§ 15(a), 15(b), and 15(d) of the BIPA by using the medical-station scanning device to collect, use, and/or store their “finger-scan data” without complying with the BIPA’s notice-and-consent requirements and by disclosing their purported biometric data to third parties without first obtaining their consent.

Defendants moved to dismiss in the trial court, arguing that the claims failed because Plaintiffs’ data was specifically excluded from the BIPA’s scope under § 10 of the statute, which states that “[b]iometric identifiers do not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under [the HIPAA].”  740 ILCS 14/10.  Defendants argued that the latter clause applied in that Plaintiffs’ fingerprints had been used in connection with Plaintiffs providing medicine to patients, meaning their fingerprints were “collected, used, or stored for health care treatment, payment, or operations under [the HIPAA].”  Id.

The trial court denied Defendants’ motions. It ruled that § 10’s “health care exception” was limited to patient information protected under the HIPAA and that the exclusion does not extend to information collected from health care workers.

On appeal, the First District of the Illinois Appellate Court affirmed the denial of Defendants’ motions to dismiss.  Echoing the trial court, the Appellate Court determined that the biometric data of health care workers is not excluded from the BIPA’s scope and that the relevant provision of § 10 excluded from the BIPA’s protections “only patient biometric information.”  Mosby, 2023 IL 129081, ¶ 16; see id. ¶ 17 (“[T]he appellate court held that ‘the plain language of the statute does not exclude employee information from the [BIPA’s] protections because they are neither (1) patients nor (2) protected under HIPAA.’”) (citation omitted).

Appellate Court Judge Mikva dissented from the majority’s opinion.  Judge Mikva opined that the legislature meant to exclude from the BIPA’s scope the biometric data of health care workers “where that information is collected, used, or stored for health care treatment, payment, or operations, as those functions are defined by the HIPAA.”  Id. ¶ 19 (citation omitted).  Judge Mikva expressed the view that the first part of § 10’s “health care exception” excludes from the BIPA’s coverage information from a particular source (i.e., patients in a health care setting) and that the second part excludes information used for particular purposes (i.e., health care treatment, payment, or operations), regardless of the source of that information.

The Illinois Supreme Court’s Decision

On further appeal, the Illinois Supreme Court agreed with Appellate Court Judge Mikva’s dissent, unanimously holding that the BIPA’s exclusion for “information collected, used, or stored for health care treatment, payment, or operations under [the HIPAA]” can apply to the biometric data of health care workers (not only patients).

The Supreme Court determined that the relevant sentence of § 10 excludes from the definition of “biometric identifier” data that may be collected in two distinct (rather than overlapping) scenarios – namely, biometric identifiers do not include (i) information captured from a patient in a health care setting or (ii) information collected, used, or stored for health care treatment, payment, or operations under HIPAA.  Id. ¶ 37 (“[T]he phrase prior to the ‘or’ and the phrase following the ‘or’ connotes two different alternatives.  The Illinois legislature used the disjunctive ‘or’ to separate the [BIPA’s] reference to ‘information captured from a patient in a health care setting’ from ‘information collected, used, or stored for health care treatment, payment, or operations under [the HIPAA].’  Pursuant to its plain language, information is exempt from the [BIPA] if it satisfies either statutory criterion.”) (internal citations omitted).

The Supreme Court agreed with Defendants that the two categories of information are different because information excluded under the first clause originates from the patient, whereas information excluded under the second clause may originate from any source.  Regarding the second clause, the Supreme Court observed that the Illinois legislature borrowed the phrase “health care treatment, payment, and operations” from the federal HIPAA regulations.  Accordingly, the Supreme Court determined that “the legislature was directing readers to the HIPAA to discern the meaning of those terms,” which meanings “relate to activities performed by the health care provider – not by the patient.”  Id. ¶ 52.

Thus, the Supreme Court held that a health care worker’s data used to permit access to medication-dispensing stations for patient care qualifies as “information collected, used, or stored for health care treatment, payment, or operations under [the HIPAA]” and is exempt from the statute’s scope.

Implications Of The Decision

After the recent slew of plaintiff-friendly BIPA decisions issued by both state and federal courts, the Illinois Supreme Court’s decision in Mosby comes as welcome news for companies facing privacy-related class actions – particularly those operating in the health care space.

Relying on Mosby, defendants will likely add the BIPA’s “health care exception” to their arsenal of defenses in a wider array of cases moving forward.  Importantly, for purposes of the second “HIPAA prong” of the statute’s “health care exception,” federal HIPAA regulations govern the definitions of the terms “health care treatment,” “payment,” and “operations.”  Given that the regulatory definitions of those terms are broad, see 45 C.F.R. § 160.103; id. § 164.501, defendants will likely test the breadth of the exception in future cases presenting facts that may be less obviously tied to health care treatment, health care payment, and/or health care operations compared to the facts at issue in Mosby.

Illinois Federal Court Allows Amazon “Alexa” Privacy Class Action To Proceed

By Gerald L. Maatman, Jr. and Tyler Zmick

Duane Morris Takeaways:  In Wilcosky, et al. v. Amazon.com, Inc., et al., No. 19-CV-5061 (N.D. Ill. Nov. 1, 2023), the U.S. District Court for the Northern District of Illinois issued a decision embracing a strict interpretation of the notice a private entity must provide before collecting a person’s biometric data in compliance with the Illinois Biometric Information Privacy Act (“BIPA”).  The decision underscores the importance of not only obtaining written consent before collecting a person’s biometric data, but also of the need to be as specific as possible in drafting privacy notices to inform end users that the company is collecting biometric data and to describe the “specific purpose and length of term for which” biometric data is being collected. 

In light of the potentially monumental exposure faced by companies defending putative BIPA class actions, companies that operate in Illinois and collect data that could potentially be characterized as “biometric” should review and, if necessary, update their public-facing privacy notices to ensure compliance with the BIPA. 

Background

Plaintiffs’ BIPA claims in Wilcosky were premised on their respective interactions with Amazon’s “Alexa” device – a digital assistant that provides voice-based access to Amazon’s shopping application and other services.  According to Plaintiffs, Alexa devices identify individuals who speak within the vicinity of an active device by collecting and analyzing the speaker’s “biometric identifiers” (specifically, “voiceprints”).

In their complaint, Plaintiffs claimed that Amazon identifies people from the sound of their voices after they enroll in Amazon’s “Voice ID” feature on the Alexa Application.  To enroll in Voice ID, a user is taken to a screen notifying him or her that the Voice ID feature “enables Alexa to learn your voice, recognize you when you speak to any of your Alexa devices, and provide enhanced personalization.”  Order at 3.  A hyperlink to the Alexa Terms of Use is located at the bottom of the enrollment screen, which Terms state that Voice ID “uses recordings of your voice to create an acoustic model of your voice characteristics.”  Id. at 8.  Before completing the Voice ID enrollment process, a user must agree to the Alexa Terms of Use and authorize “the creation, use, improvement, and storage” of his or her Voice ID by tapping an “Agree and Continue” button.  Id. at 3.

Among the four named Plaintiffs, three had enrolled in Voice ID using their respective Alexa devices (the “Voice ID Plaintiffs”).  One Plaintiff, Julia Bloom Stebbins, did not enroll in Voice ID; rather, she alleged that she spoke in the vicinity of Plaintiff Jason Stebbins’s Alexa device, resulting in Alexa collecting her “voiceprint” to determine whether her voice “matched” the Voice ID of Plaintiff Jason Stebbins.

Based on their alleged interactions with Alexa, Plaintiffs claimed that Amazon violated Sections 15(b), 15(c), and 15(d) of the BIPA by (i) collecting their biometric data without providing them with the requisite notice and obtaining their written consent, (ii) impermissibly “profiting from” their biometric data, and (iii) disclosing their biometric data without consent.

Amazon moved to dismiss Plaintiffs’ complainton the basis that: (1) the Voice ID Plaintiffs received the required notice and provided their written consent by completing the Voice ID enrollment process; and (2) Plaintiff Bloom Stebbins never enrolled in Voice ID – meaning she was a “total stranger” to Amazon such that Amazon could not possibly identify her based on the sound of her voice.

The Court’s Decision

The Court denied Amazon’s motion to dismiss in a 15-page order, focused primarily on Amazon’s arguments relating to Plaintiffs’ Section 15(b) claim.

Sufficiency Of Notice Provided To Voice ID Plaintiffs

Regarding the requirements of Section 15(b), the Court noted that a company collecting biometric data must first: (1) inform the individual that biometric data is being collected or stored; (2) inform the individual of the specific purpose and length of term for which the biometric data is being collected, stored, and used; and (3) receive a written release signed by the individual.

In moving to dismiss the Voice ID Plaintiffs’ Section 15(b) claim, Amazon argued that those three Plaintiffs received all legally required notices during the Voice ID enrollment process.  During that process, Amazon explained how Voice ID works and informed users that the technology creates an acoustic model of a user’s voice characteristics.  Amazon maintained that notice language need not track the exact language set forth in Section 15(b) because the BIPA does not require that any particular statutory language be provided to obtain a person’s informed consent.  Id. at 6 (noting Amazon’s argument that “Voice ID Plaintiffs’ voiceprints were collected in circumstances under which any reasonable consumer should have known that his or her biometric information was being collected”).

The Court adopted Plaintiffs’ stricter reading of Section 15(b). It held that the complaint plausibly alleged that Amazon’s disclosures did not fully satisfy Section 15(b)’s notice requirements.  While Amazon may have informed users that Voice ID enables Alexa to learn their voices and recognize them when they speak, Amazon did not specifically inform users that it is “collecting and capturing the enrollee’s voiceprint, a biometric identifier.”  Id.at 8.  As a result, and acknowledging that it was “a close call,” the Court denied Amazon’s motion to dismiss the Section 15(b) claim asserted by the Voice ID Plaintiffs.

Application Of The BIPA To “Non-User” Plaintiff Julia Bloom Stebbins

The Court next turned to Plaintiff Bloom Stebbins, who did not create an Alexa Voice ID but alleged that Amazon collected her “voiceprint” when she spoke in the vicinity of Plaintiff Jason Stebbins’s Alexa device.  Amazon argued that her Section 15(b) claim failed because the BIPA was not meant to apply to someone in her shoes – that is, a stranger to Amazon and “who Amazon has no means of identifying.”  Id. at 11.

The Court rejected Amazon’s argument.  In doing so, the Court refused to read Section 15(b)’s requirements as applying only where a company has some relationship with an individual.  According to the Court, that interpretation would amount to “read[ing] a requirement into the statute that does not appear in the statute itself.”  Id. at 12; see also id. (“[C]ourts in this Circuit have rejected the notion that to state a claim for a Section 15(b) violation, there must be a relationship between the collector of the biometric information and the individual.”).

Conclusion

Wilcosky is required reading for corporate counsel of companies that are facing privacy-related class actions and/or want to ensure their consumer or employee-facing privacy disclosures contain all notices required under applicable law.

The Wilcosky decision endorses a strict view regarding the notice a company must provide to individuals to fully comply with Section 15(b) of the BIPA.  To ensure compliance, companies should provide end users with language that is as specific as possible regarding the type(s) of data being collected (including the fact that the data may be “biometric”), the purpose the data is being collected, and the time period during which the data will be stored.  The notice should closely track the BIPA’s statutory text, and companies should also require individuals to affirmatively express that they have received the notice and agree to the collection of their biometric data.  (Despite a footnote stating that the Court’s order in Wilcosky should not “be interpreted to mean that . . . a disclosure must parrot the exact language of BIPA in order to satisfy Section 15(b),” id. at 8 n.3, the Court does not explain how a disclosure could satisfy Section 15(b) without tracking the statute’s language verbatim.)

Moreover, Wilcosky raises the question whether a company should characterize data it collects as “biometric” data in its privacy notice – even if the company maintains (perhaps for good reason) that the data does not constitute biometric data subject to regulation under the BIPA.  Further complicating this question is the fact that the precise contours of the types of data that qualify as “biometric” under the BIPA are unclear and are currently being litigated in many cases.  Companies may wish to err on the “safe side” and refer to the data being collected as “biometric” data in their privacy notices.

The Class Action Weekly Wire – Episode 30: The State Of BIPA Privacy Class Action Litigation

Duane Morris Takeaway: This week’s episode of the Class Action Weekly Wire features Duane Morris partner Jerry Maatman and associate Tyler Zmick with their discussion of a $7 million BIPA class action settlement announced this month and analysis of developing trends in biometric privacy litigation spurred by cutting-edge technology and the ever-evolving innovation of the plaintiffs’ class action bar.

Episode Transcript

Jerry Maatman: Hello, loyal blog readers and listeners. Welcome to our Friday weekly podcast, the Class Action Weekly Wire. I’m joined by my colleague Tyler Zmick today, one of our BIPA thought leaders, to discuss privacy class action litigation in general and Illinois BIPA lawsuits in particular. Welcome, Tyler.

Tyler Zmick: Great to be here, Jerry. Thanks for having me.

Jerry: I look on the docket every day, and there seems to be just a mushroom cloud explosion of BIPA class action filings. What’s going on there, and what’s driving the plaintiffs’ bar to file so many of the BIPA cases?

Tyler: Sure, I mean, that’s absolutely accurate. It seems for years now that plaintiffs’ lawyers on the class action side have been filing BIPA cases on seemingly a daily basis. The impetus, the sort of driving force, I believe, is really just the possibility of very high levels of damages. It could be a lot of money involved for both class members and plaintiffs’ counsel, especially in the wake of very plaintiff-friendly Illinois Supreme Court decisions. We have just plaintiffs’ lawyers really just looking to cash in and join the many high dollar settlements that have been come into play in recent years.

Jerry: One of the areas of focus of the Duane Morris Class Action Review has been our tracking of settlements. I’m a believer that success begets copycats, and big settlements result in more filings and more plaintiffs’ lawyers attracted to the area. Recently in the news there was a large BIPA class action settlement preliminarily approved in federal court here in Illinois, about a Little Caesars. Could you tell us a little bit about that, and share your thoughts about what was going on in that case?

Tyler: Sure, Jerry, so this is a settlement between Little Caesars, the Pizza company, and thousands of employees who targeted the company’s finger scanning time clock. It’s a fairly old case filed initially in 2019, so it’s been pending for over four years now. The employees in the case asserted that Little Caesars violated BIPA by requiring employees to scan their fingerprints to clock in and out of work without first providing the necessary disclosures, or obtaining their express written consent. Little Caesars denied all allegations of wrongdoing, and denied that it violated BIPA.

This type of case – probably by and large, if you were to count by the numbers the factual context of different BIPA cases – employee timekeeping cases involving fingerprint scanning is probably the most common fact pattern, although far from the only fact pattern you would find in BIPA cases that are being filed.

Jerry: Can you explain to our listeners where you would peg this $7 million settlement kind of on the range of what large-scale BIPA cases have been settling for – either on an aggregate basis or on a per claimant per class member basis?

Tyler: I would say that this settlement of just under $7 million for a class of approximately 8,500 class members is right in the middle of the range of recoveries that we have seen over the past couple of years. When all fees for administrative costs and plaintiffs’ attorney fees are taken out of the picture, each class member will receive roughly $545 each – and that is really consistent with a number we’ve seen in a lot of BIPA class action settlements. And, importantly, if that number of class members stated in the settlement agreement turns out to be higher, the gross settlement fund will increase by $832 for each class member, just to make sure that the per class member payments do not change.

Jerry: You had mentioned this as an older case. Could you provide your analysis to our listeners about kind of the average length of time it takes for BIPA cases to work through either the state court system as compared to the federal system? This one, of course, was in the federal court.

Tyler: Yeah, sure, Jerry. So I think it’s hard to come up with an average lifespan for a BIPA case, just because some can be dismissed very early on if the fact investigation done by plaintiffs’ counsel reveals that there actually is no biometric data at issue in the in the case, and their allegations and complaint were actually untrue, then they’ll voluntarily dismiss the case. Other cases can reach settlements on an individual basis early on, or even on a class basis, early on. Whereas other defendants, this case Little Caesars, for a good period of time opt instead to litigate the case, and really to prove, either at the summary judgment stage or trial stage, that they did not, in fact, violate BIPA for a number of different reasons.

Jerry: Well, in following that mantra of ‘success begets copycats,’ and more of these cases get filed, could you share with corporate counsel what you view as the future of BIPA litigation, the types of claims apt to be brought? I know that in talking you to before, claims are divided into two boxes, one being employee-related cases and others being non-employee related cases.

Tyler: Yeah, absolutely. And that’s a great question. I think, as I mentioned, the most common type of BIPA case, historically, has been the employee. Timekeeping context and facts involving employees clocking in and out – either with fingerprints or face scans. I think, moving forward, we are likely to see non-employee BIPA class actions, and we can also expect to see BIPA cases brought against people that are further downstream than you might think. For example, a company like Amazon Web Services that provides cloud storage services, and is pretty far removed from any “collection” of biometric data that may have occurred relative to an end user. So it may have been collected by one entity, whether it’s an employer or timekeeping vendor, and then sent to another company and ultimately sent to some kind of cloud of storage service provider that really has no idea what’s on its servers. And we are seeing companies like that being sued under BIPA or other companies in similar situations, that are one step or two steps removed from consumers or employees, being named as defendants in BIPA cases.

Jerry: That’s an interesting perspective. I’d call that “BIPA 2.0: The Next Generation.” And the plaintiffs’ bar, I’ve found in my experience, is nothing if not innovative, and is pressing the envelope of statutes like BIPA. Well, Tyler, thank you so much for sharing your analysis and your thought leadership in this area. Loyal listeners, that signs off on another Friday weekly podcast – thanks so much for joining us.

Tyler: Thanks for having me, Jerry, always great to be here.

Court Dismisses VPPA Class Claim Alleging That General Mills Shared Consumer Data With Facebook And Google

By Gerald L. Maatman, Jr. and Tyler Zmick

Duane Morris Takeaways:  In Carroll v. General Mills, Inc., No. 23-CV-1746 (C.D. Cal. Sept. 1, 2023), Judge Dale Fischer of the U.S. District Court for the Central District of California issued a decision dismissing (for a second time) a class claim brought against General Mills under the Video Privacy Protection Act (“VPPA”).  In its decision, the Court ruled that General Mills – a company that manufactures and sells cereals and other food products – did not qualify as a “video tape service provider” under the VPPA, and that even if it did, Plaintiffs’ claim would still fail because they did not show they were “consumers” covered by the statute’s privacy protections.  Carroll v. General Mills is the latest decision involving the VPPA – a long dormant statute that class action plaintiffs have recently turned to in attempting to seek redress for alleged privacy violations.

Case Background

Plaintiffs Keith Carroll and Rebeka Rodriguez alleged that they watched videos on General Mills’ website and that General Mills subsequently disclosed their “video viewing behavior” to Facebook and Google.  Specifically, Carroll claimed that General Mills sent Facebook the video he watched online and his identifying information in connection with General Mills’ use of a Facebook advertising feature.  Similarly, Rodriguez claimed that General Mills disclosed her “video viewing behavior” and other website analytics data to Google through General Mills’ use of the Google Marketing Platform.

Based on these allegations, Plaintiffs filed a class action that alleged General Mills violated the Video Privacy Protection Act (“VPPA”) by knowingly disclosing their personally identifiable information (“PII”) to Facebook and Google.  See 18 U.S.C. § 2710(b)(1).

The District Court’s Decision

The Court granted General Mills’ motion to dismiss Plaintiffs’ VPPA claim. It held that Plaintiffs failed to satisfy the first two prongs of the four-step pleading test applicable to VPPA claims.

In analyzing the allegations, the Court explained that to state a VPPA claim, a plaintiff must allege that: (1) a defendant is a “video tape service provider”; (2) the defendant disclosed PII concerning a consumer to another person; (3) the disclosure was made knowingly; and (4) the disclosure was not authorized by the “safe harbor” provision set forth in 18 U.S.C. § 2710(b)(2).

Like the claim asserted in the previous version of their complaint, the Court determined that Plaintiffs’ VPPA claim failed at step (1) because Plaintiffs did not adequately allege that General Mills is a “video tape service provider,” and that even if the Court were to proceed to step (2), Plaintiffs would also fail at that step based on their inability to show that they qualify as “consumers” under the statute.

“Video Tape Service Provider”

Regarding step (1), the VPPA defines a “video tape service provider” as “any person, engaged in the business, in or affecting interstate or foreign commerce, of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials.”  18 U.S.C. § 2710(a)(4).  Importantly, the Court noted that the statute does not apply to every company that “delivers audio visual materials ancillary to its business” but only to companiesspecifically in the business of providing audio visual materials.”  See Order at 6.

Based on the allegations at hand, the Court held that Plaintiffs failed to allege that General Mills – who manufactures and sells cereals, yogurts, dog food, and other products – is “engaged in the business of delivering, selling, or renting audiovisual material.”  Id.  The Court rejected Plaintiffs’ attempt to satisfy step (1) by adding allegations in their amended complaint regarding General Mills posting on its website links to professionally made videos.  In the Court’s words, these “allegations do no more than show that videos are part of General Mills’ marketing and brand awareness,” which does not suggest “that the videos are profitable in and of themselves” or that the videos “are the business that General Mills is engaged in.”  Id. at 6-7.

“Consumer”

The Court next held that even if Plaintiffs had satisfied the first step, they nonetheless would have failed at step (2) based on their failure to allege facts establishing that they are “consumers” under the VPPA.

The VPPA defines “consumer” as “any renter, purchaser, or subscriber of goods or services from a video tape service provider.”  18 U.S.C. § 2710(a)(1).  Read in the statute’s full context, courts have held that “a reasonable reader would understand the definition of ‘consumer’ to apply to a renter, purchaser or subscriber of audio-visual goods or services, and not goods or services writ large.”  See Order at 7 (citation omitted).  That is, the definition of “consumer” “mirrors the language used to define a ‘video tape service provider’ as one who is in the business of ‘rental, sale, or delivery’ of audiovisual material.”  Id.; see also id. at 7-8 (“‘[C]onsumer’ is obviously meant to be cabined in the same way [as ‘video tape service provider’] – as a renter, purchaser, or subscriber of prerecorded video cassette tapes or similar audio visual materials.”).

The Court determined that Plaintiffs’ prior purchase of General Mills’ food – an “unrelated product” – does not make them “consumers of audiovisual material.”  Id. at 8.  The Court further noted that Plaintiffs’ failure at step (2) highlights “the fundamental issue” with their VPPA claim – namely, Plaintiffs struggle to plead that they are consumers of General Mills’ audiovisual material because General Mills is not in the business of offering audiovisual material to consumers.  See id. at 8-9 (“If General Mills were in such a business, Plaintiffs would not be referring to purchases of General Mills’ food products to establish themselves as consumers.”).

Implications For Corporate Counsel

The decision in Carroll v. General Mills reflects the recent trend among class action plaintiffs’ lawyers of using traditional state and federal laws – including the long dormant VPPA – to seek relief for alleged privacy violations.  In applying modern technologies to older laws like the VPPA (passed in 1988), courts have grappled with, among other issues, determining who qualifies as a “video tape service provider” or a “consumer” under the statute.

The Carroll decision may suggest that the definitions of “video tape service provider” and “consumer” are relatively straightforward, but other cases can present close calls (e.g., whether a social media platform that delivers various services to users, including video content, is a “video tape service provider”).  Indeed, courts have recently faced challenges in interpreting the VPPA’s definitions in cases involving, inter alia, whether individuals who download a free app through which they view videos qualify as “subscribers” (and therefore “consumers”) under the statute.

Given this uncertainty, companies that provide audio visual materials in connection with their business operations should take advantage of the “safe harbor” amendment, adopted in 2013, under which “video tape service providers” may lawfully disclose PII with the informed written consent of consumers.  To do so, companies should update their online consent provisions as needed to specifically address the VPPA.

Maryland Federal District Court Dismisses Class Action Alleging Website Privacy Violations For Lack Of Article III Standing

By Gerald L. Maatman, Jr., Jennifer A. Riley and Rebecca S. Bjork

Duane Morris Takeaways: On September 1, 2023, Judge Deborah Chasanow of the U.S. District Court for the District of Maryland granted a motion to dismiss a class action alleging that the website of defendant Jetblue Airways violated users’ privacy rights under the Maryland Website and Electronic Surveillance Act (“MWES”A).  Finding that the named Plaintiff lacked Article III standing to bring the lawsuit, the Court relied upon the lack of any allegations in the Complaint that any of Plaintiff’s personal information was captured by the alleged use of a session replay code.  As a result, his Complaint lacked any allegation of a concrete harm that is necessary to bestow standing by virtue of suffering an injury-in-fact.  Employers are well-served to examine their websites for the level of risk they might pose of exposure to litigation of this kind, which is currently being filed in more and more courts around the country.   

Case Background

Jetblue Airways Corp. (“Jetblue”) was sued by Matthew Straubmuller in the U.S. District Court for the District of Maryland, alleging that he and a putative class of website users who had visited Jetblue’s website were entitled to damages from Jetblue for violation of the MWESA.  Slip Op. at 2.  The purpose of that statute is two-fold: both to be a useful tool in crime prevention; and to ensure that “interception of private communications is limited.”  Id. at 8.

Plaintiff alleged Jetblue’s website uses a “session replay code” and that this allows for Jetblue to track users electronic communications with the website in real time, and also can enable reenactments of a user’s visit to the website, and that these constitute actionable privacy violations under the provisions of the MWESA.

JetBlue filed a motion to dismiss. It asserted that that Plaintiff lacked Article III standing to bring his claims.  It contended that Plaintiff alleged a mere procedural violation of the MWESA and did not allege a concrete harm necessary to establish an injury-in-fact to confer standing.

The District Court’s Decision

Judge Chasnow granted Jetblue’s motion to dismiss.  Relying on the Supreme Court’s decision in TransUnion v. Ramirez, 141 S. Ct. 2190 (2021), she rejected Plaintiff’s argument that a statutory violation alone is a concrete injury.  The Judge opined that “Courts must independently decide whether a plaintiff has suffered a concrete harm because a plaintiff cannot automatically satisfy the injury-in-fact requirement whenever there is a statutory violation.”  Slip Op. at 5-6 (quoting TransUnion (“under Article III, an injury in law is not an injury in fact.”).  And more to the point, she cited case law interpreting the MWESA itself to this effect, which Plaintiff had not cited.  Id.

As a way of underlining its ruling, the Court noted that Jetblue had submitted a June 12, 2023 decision coming to the exact same conclusion involving a nearly identical complaint filed against Jetblue in the Southern District of California in Lightoller v. Jetblue Airways Corp.  Id. at 4.n.1. Other cases involving similar rulings are presently percolating throughout the federal district courts.  Id. at 7 (collecting cases).

Implications For Employers

Judge Chasnow’s decision in Straubmuller v. Jetblue Airways Corp. provides corporate counsel with a good opportunity to set up a time to talk with their company’s information technology officers to discuss litigation risks related to websites and how they interact with employees, prospective employees and customers.  As more plaintiffs-side attorneys file lawsuits alleging privacy violations like the ones alleged against Jetblue in both state and federal courts around the country, many have a good chance of surviving motions to dismiss.  Preventing class action lawsuits are far superior to defending them.

Tennessee Federal Court Dismisses Class Action Under the Video Privacy Protection Act Because Plaintiff Failed to Allege He Accessed Video Content

By Brandon Spurlock and Jennifer A. Riley

Duane Morris Takeaways: On July 18, 2023, in Salazar v. Paramount Global d/b/a 247Sports, No. 3:22-CV-00756 (M.D. Tenn. July 18, 2023), Judge Eli Richardson of the U.S. District Court for the Middle District of Tennessee dismissed a class action lawsuit against Paramount Global because the Plaintiff failed to state a claim under the Video Privacy Protection Act (“VPPA”) where Plaintiff’s allegation that his subscription to an online newsletter made him a “subscriber” under the statute was insufficient because he did not allege that he accessed audio visual content through the newsletter.  The VPPA is a law from 1980’s stemming from the failed Supreme Court nomination of Robert Bork, which involved his video rental history being published during the nomination process.  In the ensuing decades, companies are seeing an increase in class action lawsuits under the VPPA and other consumer privacy statutes where plaintiffs seek to levy heavy penalties against businesses with an online presence.  This ruling illustrates that some federal courts will closely examine such statutes to ensure that a plaintiff adequately states a claim based on the underlying statutory definitions before allowing a class action to proceed.

Case Background

Plaintiff filed a putative class action against Defendant Paramount Global d/b/a 247Sports alleging a violation of the VPPA.  Id. at 1.  According to Defendant, 247Sports.com is an industry leader in content for college sports, delivering team-specific news through online news feeds, social platforms, daily newsletters, podcasts, text alerts and mobile apps.  Id. at 2.  Plaintiff alleged that Paramount installed a Facebook tracking pixel, which allows Facebook to collect the data on digital subscribers to 247Sports.com who also have a Facebook account.  Id. at 3-4.  So if a digital subscriber of 247Sports.com is logged-in to his or her Facebook account while watching video content on 247Sports.com, then 247Sports.com sends to Facebook (via the Facebook pixel) the video content name, its URL, and, most notably, the digital subscriber’s Facebook ID.  Id. at 4.  Plaintiff claimed that Paramount violated the VPPA when it installed the Facebook pixel, which caused the disclosure to Facebook of Plaintiff’s personally identifying information.  Id. at 5.  Paramount moved to dismiss for lack of subject-matter jurisdiction under Federal Rule of Civil Procedure 12(b)(1), and for failure to state a claims for relief under Rule 12(b)(6).

The Court’s Decision That Plaintiff Had Standing Under The VPPA

First, Paramount argued that Plaintiff did not have standing because Plaintiff failed to adequately allege either a concrete injury in fact or the traceability of the injury to Paramount’s conduct, because the alleged disclosure of Plaintiff’s information to Facebook did not constitute a concrete injury.  Id. at 9.  Rejecting Paramount’s standing argument, the Court noted that the VPPA created a “right to privacy of one’s video-watching history, the deprivation of which – through wrongful disclosure, or statutory violation alone – constitutes an injury sufficient to confer Article III standing.”  Id. at 11-12.  In other words, the VPPA created a statutory right to have personally identifiable information remain private by prohibiting disclosure to third parties.  Id. at 12.  Thus, the Court ruled that Plaintiff’s allegation that his personally identifiable information was transmitted to Facebook in violation of the VPPA identified a concrete harm for standing purposes.  Id. at 14.

Plaintiff Failed To State A Claim Under The VPPA

Paramount also asserted that Plaintiff had no claim under the VPPA because he was not a “consumer,” meaning “any renter, purchaser, or subscriber of goods or services from a video tape service provider.”  Id. at 17.  Because Plaintiff was not a “consumer” within the meaning of the VPPA, Paramount argued he was not a “subscriber of goods or services from a video tape service provider,” and Plaintiff did not state a claim under the VPPA because the statute only protects individuals who are “consumers” under the statute.  Id. at 18.

The Court noted that although the VPPA does not define “subscriber,” the dictionary definition indicates that “subscriber” is a person who “imparts money and/or personal information in order to receive a future and recurrent benefit.”  Id. at 19.  Further interpreting the statute, the Court reasoned that a consumer is only a “subscriber” under the statute when he or she subscribes to audio visual materials.  Id. at 21.  Completing the analysis, the Court reasoned that under the VPPA, because Plaintiff’s subscription to the newsletter was not sufficient to establish that the he had subscribed to audio visual materials, Plaintiff’s position was unavailing in claiming that his subscription to the newsletter renders him a “subscriber.”  Id. at 22.

The Court, therefore, dismissed Plaintiff’s VPPA class action lawsuit because Plaintiff failed to allege that he actually accessed audio visual content, which necessarily meant that Plaintiff was not a subscriber under the VPPA.  Id. at 22.

Implications For Businesses

This past year has seen an uptick in VPPA class action filings against businesses that operate websites offering online videos and using third-party tracking tools.  These lawsuits represent an ongoing pattern of increased consumer privacy class litigation throughout the country exposing companies to significant risk across a wide array of industries.  Corporate counsel should note this ruling is a positive indication that some courts will closely examine the plain language and legislative intent of a privacy statute to ensure that a plaintiff actually states a viable claim before allowing class litigation to proceed.

Illinois Supreme Court Refuses To Reconsider “Per-Scan” BIPA Accrual Ruling In Cothron v. White Castle

By Gerald L. Maatman, Jr. and Tyler Zmick

Duane Morris Takeaways:  As we previously blogged, on February 17, 2023 the Illinois Supreme Court held in Cothron v. White Castle, 2023 IL 128004 (2023), that a separate claim for damages accrues under the Biometric Information Privacy Act (“BIPA”) each time a private entity scans or transmits an individual’s biometric data in violation of Sections 15(b) or 15(d) of the statute.  On July 18, 2023, the Illinois Supreme Court denied White Castle’s petition for hearing, resulting in the February 17 ruling becoming the final “law of the land” in Illinois.  The Court’s decision to deny White Castle’s rehearing petition was not unanimous, however, as reflected by the blistering dissent penned by Justice Overstreet and joined by Chief Justice Theis and Justice Holder White. For companies involved in BIPA class action litigation, the dissent is required reading, as it foreshadows an array of defense-oriented arguments over damages issues in privacy litigation.

Illinois Supreme Court’s Majority Decision In Cothron

In a 4-3 split ruling, the Illinois Supreme Court held on February 17, 2023 that a separate claim accrues under the BIPA each time a private entity scans or transmits an individual’s biometric data in violation of Sections 15(b) or 15(d), respectively.

Relying on the statute’s plain language and the fact that the actions of “collecting” and “disclosing” biometric data can occur more than once, the Supreme Court agreed with Plaintiff’s interpretation – namely, that Section 15(b) “applies to every instance when a private entity collects biometric information without prior consent” and that Section 15(d) “applies to every transmission to a third party.”  Cothron, 2023 IL 128004, ¶¶ 19, 23, 28.  The Supreme Court acknowledged that this interpretation – coupled with the statute allowing prevailing plaintiffs to recover up to $1,000 or $5,000 for each “violation” – could lead to astronomical damages awards that may be “harsh, unjust, absurd or unwise,’” id. ¶ 40 (citation omitted), but noted that it must apply the statute as written and that policy-based concerns should be addressed by the Illinois legislature.

Dissent To Majority’s Decision To Deny White Castle’s Rehearing Petition

On July 18, 2023 the Illinois Supreme Court denied White Castle’s petition for rehearing in Cothron v. White Castle, effectively leaving White Castle with no further avenues for challenging the ruling.

Three Justices (the same three who dissented to the February 17 majority decision) disagreed with the decision to deny White Castle’s petition for rehearing.  In opining that the Supreme Court should have granted rehearing, the Dissent focused on three issues, including: (1) the majority’s “per scan” theory of liability subverting the intent of the Illinois legislature; (2) the majority’s “per scan” theory of liability threatening the survival of Illinois businesses and raising “significant constitutional due process concerns,” id. ¶ 70; and (3) the majority’s decision in failing to provide trial courts with criteria to use in exercising their discretion whether to award statutory damages for BIPA violations.

First, the Dissent stated that the Illinois legislature meant for the BIPA to be a straightforward remedial statute that allows individuals to choose to provide (or not to provide) their biometric data after being informed that the data is being collected, stored, and potentially disclosed.  The Dissent rejected the majority’s “flawed construction” of the statute, which mistakenly presumes that the legislature meant for the BIPA to “establish a statutory landmine” and “destroy commerce in its wake when negligently triggered.”  Id. ¶ 73; see also id. (“The majority’s construction of the [BIPA] does not give effect to the legislature’s true intent but instead eviscerates the legislature’s remedial purpose of the [BIPA] and impermissibly recasts [it] as one that is penal in nature rather than remedial.”).

Second, the Dissent opined that by construing the statute to allow for awards of statutory damages that bear no relation to any actual monetary injury suffered, the majority’s decision raises due process concerns that “raise doubt as to [the BIPA’s] validity.”  Id. ¶ 74; see also id. ¶ 75 (“The legislature’s authority to set a statutory penalty is limited by the requirements of due process.  When a statute authorizes an award that is so severe and oppressive as to be wholly disproportioned to the offense and obviously unreasonable, it does not further a legitimate government purpose, runs afoul of the due process clause, and is unconstitutional.”).

Finally, the Dissent took issue with the majority’s refusal to clarify its February 17 holding with respect to the discretionary (rather than mandatory) nature of liquidated damages under the statute.  Specifically, the Dissent noted that the majority opinion did not provide trial courts with standards or criteria to apply in determining whether to award statutory damages in a particular BIPA case and, if so, in what amount.  The Dissent asserted that the Supreme Court should have agreed to clarify “that statutory damages awards must be no larger than necessary to serve the [BIPA’s] remedial purposes” and to “explain how lower courts should make that determination.”  Id. ¶ 85.  Per the Dissent, “[w]ithout any guidance regarding the standard for setting damages, defendants, in class actions especially, remain unable to assess their realistic potential exposure.”  Id.

Implications For Corporations

Assuming White Castle cannot convince the U.S. Supreme Court to grant review of the Cothron decision based on constitutional issues, Cothron is now the final law of the land in Illinois.  White Castle and other BIPA defendants may, however, attempt to raise constitutional challenges to the statute in other BIPA cases moving forward based on the same concerns expressed by the three dissenting Justices in Cothron.

The denial of White Castle’s rehearing petition indicates that the well is beginning to dry for businesses in terms of potential BIPA defenses.  While employers and other BIPA defendants can still explore novel defenses, such as the exception for information captured from a patient in a health care setting or challenges to personal jurisdiction, many companies caught in the crosshairs of BIPA class actions will face pressure to settle due to the risk of facing monumental potential damages.  Moreover, attempts to reform the BIPA statute failed in 2023, and the Illinois legislature likely will not consider any further reform proposals until 2024.  Given the bleak outlook of the law as it stands, it is imperative that businesses immediately ensure they are compliant with the BIPA.

Illinois Federal Court Grants Motion To Compel Arbitration In “Close Call” For Illinois Biometric Privacy Act Claim

By Gerald L. Maatman, Jr., Tyler Z. Zmick, and George J. Schaller

Duane Morris Takeaways: In Kashkeesh v. Microsoft Corp., No. 1:21-CV-03229, 2023 U.S. Dist. LEXIS 109559 (N.D. Ill. Jun. 26, 2023), Judge Manish Shah of the U.S. District Court for the Northern District of Illinois granted Microsoft’s motion to compel arbitration regarding the claims of two Uber rideshare drivers asserting a class action under the Illinois Biometric Information Privacy Act. The Court held that Microsoft could enforce the rideshare contracts as a third-party beneficiary and that Microsoft did not expressly waive its right to arbitrate.

For employers seeking  to compel arbitration, especially in lawsuits involving third-party beneficiary situations, this decision is instructive in terms of how courts determine waiver of the right to arbitrate and third-party beneficiaries in agreements with arbitration clauses, particularly where the agreement provides a description of a class to which a party belongs and does not identify the beneficiary by name.

Case Background

Plaintiffs Emad Kashkeesh and Michael Kormorksi (collectively “Plaintiffs”) were drivers for the ridesharing and food delivery company Uber. Id. at 2. In addition to providing other identifying information for Uber as part of their work, Plaintiffs were required to take pictures of their faces through Ubers “Real Time ID Check” software. Id.  Uber’s software utilized Microsoft’s Face Application Programming Interface to identify drivers. Id. After Uber drivers, like Plaintiffs, submitted their photographs to Uber’s software program, Microsoft’s software extracted facial biometrics to create geometric templates, and compared these templates with information corresponding to the employees, for identification. Id at 2-3.

Plaintiffs claimed that they never agreed that Microsoft could capture, store, or disseminate their facial biometrics, were never told that Microsoft was gathering their information, and Microsoft never published a policy about the company’s retention and deletion of biometric information. Id. at 3.  However, Plaintiffs contracted with Uber to work as rideshare drivers and signed the Company’s 2020 Platform Access Agreement (“Uber Agreement”). Id.  Within the Uber Agreement, an arbitration clause required Plaintiffs to arbitrate any dispute between Plaintiffs and Uber, and “any other entity [other than Uber] .. arising out of or related to our application for use of an account to use [Uber’s] Platform and Driver App as a driver.” Id.

In May 2021, Plaintiffs filed a lawsuit alleging Microsoft violated the Illinois Biometric Privacy Act. Id.  Microsoft removed the case on June 16, 2021, and filed its own motion to dismiss for lack of personal jurisdiction. Id. Plaintiffs filed a motion to remand two of their claims. Id. Microsoft opposed Plaintiffs motion, but Plaintiffs’ motion was granted, and some of Plaintiffs’ claims remained in federal court with limited jurisdictional discovery conducted. Id.  Subsequently, Microsoft’s motion to dismiss was denied on December 13, 2022. Id. at 3-4. On that same day, Uber informed Microsoft for the first time that Plaintiffs agreed to the 2020 Uber Agreement. Id. at *4.  In answering Plaintiffs’ complaint, Microsoft asserted that Plaintiffs claims had to be arbitrated. In February 2023, Microsoft filed its motion to compel arbitration. Id.

The Court’s Decision

The Court granted Microsoft’s motion to compel arbitration. In doing so, the Court provided standards on compelling arbitration such that Microsoft was required to show “(1) an agreement to arbitrate, (2) a dispute within the scope of the arbitration agreement, and (3) a refusal by the opposing party to proceed to arbitration.” Id. at 1. Declaring that there was no dispute that the arbitration agreements are valid and enforceable, the Court turned to the following issues: (i) whether Microsoft (a non-signatory) can enforce the contracts as a third-party beneficiary, and (ii) whether Microsoft waived its right to compel arbitration. Id.

On the third party beneficiary status, the Court noted the strong presumption against “conferring contractual benefits on non-contracting third parties.” It reasoned that this presumption could be defeated if “the contract strongly suggest[s] that it applies to third parties – so strongly as to be practically an express declaration.” Id. at 5. Further, the Court opined that “to create a third-party beneficiary, the contract must have been made for the direct benefit of the third party, an intention which ‘must be shown by express provision in the contract identifying the third party beneficiary by name or by description of a class to which the party belongs.’” Id. Additionally, the third party bears the burden of showing the parties to the contract intended to confer a direct benefit. Id.

The Court determined that Microsoft was identifiable as a third party beneficiary “by description of a class to which the party belongs,” because Microsoft was “an entity,” and engaged in a dispute with Plaintiffs “arising out of or related to Plaintiffs use of an account to use [Uber’s] Platform and Driver App as a driver.” Id. The Court disagreed with Plaintiffs’ argument that this “entity” class was not defined specifically enough. Id. at *6. The Court also rejected Plaintiffs’ contention that the Uber Agreement limited any arbitration claims to Uber, its agents, and employees because the agreement included an address for Uber where plaintiffs could demand arbitration in writing. Id. The Court held “the agreement in this case also expressly identifies third parties for whom no contact information was provided, so including contact information for an entity is not a conclusive sign of the parties intent to confer third-party beneficiary status.” Id. at 7.  Therefore, the description of the class at issue showed the agreement applied to third parties, including Microsoft, and the parties intended to confer a direct benefit on Microsoft, so Microsoft could enforce the Uber Agreement. Id.

As to waiver, the Court reasoned the right to arbitrate a dispute can be expressly or implicitly waived. Id. However, based on the circumstance here, the Court ruled that there was no evidence that Microsoft expressly gave up its right to arbitrate with these Plaintiffs. Id. Instead, the Court analyzed whether Microsoft implicitly waived its right to arbitrate by considering the totality of the circumstances and whether Microsoft acted inconsistently with arbitration. Id. at 8.  The Court considered Microsoft’s diligence in seeking arbitration and whether Microsoft participated in litigation, substantially delayed its request for arbitration, participated in discovery, and whether Plaintiffs were prejudiced by the delay in seeking arbitration. Id.

Microsoft argued that “a party can only be found to have given up its right to arbitrate if it had actual knowledge of that right. Id. at 9. The Court disagreed based on the notion that a party could implicitly waive or forfeit the right to arbitrate by failing to adequately investigate the possibility of arbitration. Id.  Indeed, the Court stated “a reckless indifference to a right to arbitrate and the use of judicial dispute resolution instead is a strong sign that a party wasted time, and should not be allowed to invoke the right that it could have asserted sooner.” Id. at 9. Looking to the chronology of the case, the Court reasoned that Microsoft demonstrated a lengthy delay in waiting to mention arbitration until January 2023 when its initial removal of the case to federal court occurred in June 2021. Id..

 

The Court also did not find Microsoft’s arguments persuasive that it could not have done more to figure out whether Plaintiffs agreed to arbitrate. Id. at 10.  In part, the Court looked to the sophistication of both Microsoft and Uber, as well as, the diligence in communications between the two companies. Id.  The Court determined that “Microsoft’s lack of diligence, removal, and (limited) participation in litigation [were] all inconsistent with arbitration.” Id. at 11.  Additionally, the ruling on Microsoft’s motion to dismiss made factual findings that may be relevant to Microsoft’s defenses and Microsoft’s delay in seeking arbitration had led to some “limited prejudice to [P]laintiffs.” Id.  Even still, the Court recognized “while invoking judicial process presumptively waives a right to arbitration, that presumption can be rebutted in abnormal cases” and it considered this case to be “one of them.” Id.

In sum, the Court noted that Microsoft could have been more diligent in identifying its right to arbitrate this dispute and Microsoft’s participation in litigation was not merit-based, so while the case was “a close call,” the Court held that “the context here does not demonstrate an untimely assertion of a right amounting to forfeiture.” Id. at 14. Therefore, the Court granted Microsoft’s motion to compel arbitration.

Implications For Employers

Employers that are confronted with litigation involving arbitration claims and beneficiary classifications should take note that the Court in Kashkeesh relied heavily on the description conferring benefits to Microsoft and that Microsoft’s actions demonstrating it waived its right to arbitrate was a “close call” for the Court. Further, from a practical standpoint, employers should carefully evaluate any entered agreements with other parties that contain arbitration clauses to ensure it is properly conferred a benefit to arbitrate.

 

 

 

Tennessee Becomes Eighth State To Enact Comprehensive Privacy Legislation

By Gerald L. Maatman, Jr., Jennifer A. Riley, and Tyler Zmick

Duane Morris Takeaways: As efforts to enact comprehensive privacy protection continue to stall on the federal level, states have stepped up to create a patchwork quilt of protections for those doing business with consumers within their borders.  Tennessee recently became the eighth state – following Indiana, California, Colorado, Connecticut, Iowa, Utah, and Virginia – to enact comprehensive privacy legislation.  At least 15 other states have introduced similar bills during the current legislative session, and Montana’s comprehensive consumer privacy statute awaits the signature of its Governor.  Companies doing business in Tennessee or with Tennessee consumers should take heed of the new law and review their policies and processes for compliance.

Tennessee Legislation

After receiving overwhelming support from both houses of the General Assembly, on May 11, 2023, Governor Bill Lee signed the Tennessee Information Protection Act into law.  With this law, Tennessee became the eighth state to institute comprehensive consumer privacy legislation.  The law is set to take effect on July 1, 2024.

The act applies to businesses that conduct business in Tennessee or produce products or services that are targeted to Tennessee residents and that: (1) control or possess the personal information of at least 175,000 consumers; or (2) control or process personal information of at least 25,000 consumers and derive more than 50% of their gross revenue from the sale of personal information.  The law contains exemptions for certain types of entities, such as governmental entities, certain financial institutions, non-profit organizations, and higher education institutions.  The law also exempts certain types of data, such as personal information regulated by the Family Educational Rights and Privacy Act, and protected health information under HIPAA.

Similar to other comprehensive state privacy laws, the Tennessee law grants Tennessee residents certain rights in their personal information.  It allows for consumers to confirm whether a company is processing their personal information, to access their personal information, to correct inaccuracies in their personal information, to delete their personal information, to obtain copies of their personal information, and to opt out of future sales or targeted advertising.

The law allows a consumer to invoke his or her rights (and the rights of his or her children) at any time by submitting a request to a controller of the personal information specifying the rights that the consumer wishes to invoke, and it requires the respondent to comply with an authenticated request without undue delay but, in all cases, within 45 days.

The law imposes various requirements on persons and entities who “determine[] the purpose and means” of processing personal information.  For example, it requires such persons and entities to limit the collection of personal information to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed; to establish, implement, and maintain reasonable data security practices; and, if the controller processes or sells personal information for targeted advertising, to clearly and conspicuously disclose the processing, as well as the manner in which a consumer may exercise the right to opt out of the processing.

The Tennessee law does not provide for a private right of action and vests exclusive enforcement authority in the Tennessee attorney general.  It allows a court to impose civil penalties of up to $7,500 per violation, and allows treble damages for willful or knowing violations.  The law requires that, prior to initiating an action, the attorney general must provide a 60-day notice period during which the recipient may cure the noticed violation to avoid an enforcement action. The law also creates an affirmative defense under certain circumstances for a company that creates, maintains, and complies with a written privacy policy that reasonably conforms to documented policies, standards, and procedures designed to safeguard consumer privacy.

Implications for Businesses

Covered persons and entities who do business in Tennessee or who target Tennessee consumers should start reviewing their policies and developing processes to comply with the Tennessee law.  Although the law is not set to take effect until July 1, 2024, the law adds another challenge to the already complex compliance landscape for companies seeking to operate on a nationwide basis.

Indiana Joins The Bandwagon In Passing A Comprehensive Privacy Law

By Gerald L. Maatman, Jr., Jennifer A. Riley, Alex W. Karasik, and Shaina Wolfe

Duane Morris Takeaways: The United States currently has no comprehensive data privacy law. Rather, a patchwork quilt of various privacy laws cover different types of data, such as information in credit reports (the Fair Credit Reporting Act), student records (Family Educational Rights and Privacy Act), and consumer financial products (Gramm-Leach-Bliley Act).  In an attempt to fill the void of federal legislation, Indiana recently joined six other states – California, Colorado, Connecticut, Iowa, Utah, and Virginia – in enacting a comprehensive privacy statute, the Indiana Consumer Data Protection Act (“ICDPA”). At least nineteen states have introduced similar privacy bills this legislative session. Montana and Tennessee have comprehensive consumer privacy statutes pending signature by their governors. Businesses in Indiana should start immediately reviewing their policies and implementing processes for complying with ICDPA to avoid enforcement litigation by the Indiana Attorney General.

Indiana Legislation

On May 1, 2023, Indiana Governor Holcomb signed Senate Bill 5, known as the ICDPA. This new law will take effect on January 1, 2026.

The ICDPA applies to companies that conduct business in Indiana or produce products or services that are targeted to residents of Indiana and during a calendar year: (1) control or process the personal data of 100,000 consumers (who are Indiana residents) or (2) control or process personal data of at least 25,000 consumers (who are Indiana residents) and more than 50% of gross revenue from the sale of personal data. Significantly, the ICDPA does not apply to data processed or maintained in the course of applying to or being employed by a business. Moreover, the ICDPA does not apply to government entities, non-profit organizations or higher education institutions.

The ICDPA provides consumers with rights to their personal data, including:

– opt-out rights related to the sale of personal data, targeted marketing and profiling (automated decision making that could have significant legal effects, such as those related to employment and benefits);
– access rights, including a right to confirm whether a company is processing any data at all;
– deletion rights;
– correction rights, limited to data the consumer previously provided;
– appeal rights; and
– data portability rights (summary of the personal data sent to the consumer must be in a portable and readily usable format).

“Personal data” is broadly defined as information that is “linked or reasonably linkable to an identified or identifiable individual.” Personal data does not include de-identified data, publicly available information, or data related to a group or category of customers that is not linked or reasonably linked to an individual customer. The ICDPA also provides consumers the right to opt-out of the collection and processing of their sensitive personal data. “Sensitive personal data” includes: (1) personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis made by a healthcare provider, sexual orientation, or citizenship or immigration status; (2) genetic or biometric data that is processed for the purpose of uniquely identifying a specific individual; (3) personal data collected from a known child; and (4) precise geolocation data. Certain personal data that is covered by other statutes like the Fair Credit Reporting Act or Family Educational Rights and Privacy Act is exempt.

Once the ICDPA takes effect, companies must respond to a consumer personal data request within 45 days of receipt of the request. Companies may also seek a 45-day extension to respond. If a consumer appeals a company’s decision to deny the consumer’s request, the appeal response must be delivered within 60 days. If the appeal is denied, the company must provide the consumer with a method for contacting the state attorney general.

Importantly, the ICDPA does not provide individuals with a private right of action against businesses that violate the Indiana Law. Rather, the Indiana Attorney General will have exclusive enforcement authority. Prior to any enforcement action, the business will be allowed 30 days to cure the alleged violation. Only after the thirty days pass will the Indiana Attorney General be permitted to bring an enforcement action for the alleged violation. If the Indiana Attorney General decides to bring an enforcement action, the business may be fined up to $7,500 per violation.

Implications for Businesses

The ICDPA does not take effect until January 1, 2026. Covered businesses should start reviewing their policies and implementing processes for complying with the ICDPA to avoid enforcement by the Indiana Attorney General.

© 2009- Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.

The opinions expressed on this blog are those of the author and are not to be construed as legal advice.

Proudly powered by WordPress