Privacy and data security remain top concerns for companies and their counsel as the vast privacy law landscape is constantly evolving with new trends, laws, and emerging issues. This year’s update addresses significant legal developments in privacy and data security: private litigation, record-breaking class action settlements, and federal regulation and enforcement actions. Part II discusses data misuse cases brought using a patchwork of laws in the absence of clear statutory guidance. Part III provides an update on biometric privacy, specifically discussing litigation under the Illinois Biometric Information Privacy Act. Cy pres settlements are covered in Part IV. Lastly, in Part V, this essay delves into federal enforcement actions.1
In the past year, plaintiffs filed suits using a mix of federal statutes, state wiretap laws, and common law tort doctrines.
In re Facebook, Inc. Consumer Privacy User Profile Litigation,2 which stems from the Cambridge Analytica scandal, consolidated several proposed class actions against Facebook in the federal district court for the Northern District of California.3 Plaintiffs principally alleged that Facebook shared sensitive personal information of its users with various third parties and failed to prevent those same third parties from selling or misusing the data.4 Facebook filed a motion to dismiss the lawsuit, which the district court granted in part and denied in part.5 Plaintiffs alleged a multitude of claims; the court’s decision focused on what the court understood to be the core allegations concerning Facebook’s sharing of sensitive user information.6 The court held, with respect to those core allegations, that plaintiffs held a privacy interest in information they chose to share with a limited audience and that they had adequately alleged an injury sufficient to confer Article III standing based solely on that privacy interest.7 The court also rejected Facebook’s argument that the pleadings established that users had consented to the information sharing.8 The court went on to consider the plaintiffs’ individual claims, and it held that most of them survived the motion to dismiss.9
In In re Google Location History Litigation,10 the U.S. District Court for the Northern District of California ruled that the allegations that Google secretly tracked and stored geolocation data were too speculative to proceed.11 California Android users brought suit against Google claiming the company tracked their locations even after users turned off “Location History” on their phones.12 Plaintiffs claimed they believed that Google would no longer collect and store location information if they managed their privacy settings and Location History was disabled.13
In In re Facebook, Inc. Internet Tracking Litigation,21 the U.S. Court of Appeals for the Ninth Circuit affirmed in part and reversed in part a decision by the U.S. District Court for the Northern District of California, which had granted defendant Facebook’s motion to dismiss. Facebook users sued in 2012, alleging that Facebook unlawfully tracked users’ browsing when they were logged out of Facebook by embedding plug-ins, such as the “Like” button, on third-party websites.22 Through these plug-ins, Facebook purportedly included bits of code that could “replicate and send . . . user data to Facebook . . . in a manner undetectable by the user.”23 Plaintiffs’ complaint asserted various state and federal claims.24 The district court granted Facebook’s motion to dismiss, finding that plaintiffs lacked standing and failed to state a claim.25 The appellate court focused on two issues: whether Facebook users satisfied Article III standing for the privacy-related claims, and whether plaintiffs adequately pleaded claims regarding Facebook’s tracking-and-collection practices when users logged out of Facebook.
The appellate court first found that plaintiffs had asserted concrete privacy harms required to establish Article III standing to pursue invasion of privacy, breach of contract, breach of the duty of good faith, Wiretap Act, and CIPA claims.26 The appellate court determined that plaintiffs had adequately alleged that Facebook’s tracking-and-collection practices would cause harm or a material risk of harm to their interest in controlling their own personal information, a privacy interest that both the statutes and the common law privacy claims were designed to protect.27 Further, the appellate court found that the Facebook users had adequately pleaded economic injury, sufficient to establish Article III standing to bring claims for common law trespass to chattels and fraud, larceny, and violation of California’s Computer Data Access and Fraud Act.28 Plaintiffs’ allegation that browsing histories carry value and that Facebook sold this data to advertisers stated a claim under California law for the profits Facebook unjustly earned, and this injury was sufficient for standing.29
Next, the Ninth Circuit held that plaintiffs had adequately alleged that Facebook’s tracking-and-collection practices violated the federal Wiretap Act and CIPA.30 In doing so, the appellate court rejected Facebook’s argument that it fell into an exemption from liability within each of the statutes. Both statutes create an exception for those who are a “party” to the communications of interest; however, Facebook did not constitute a “party” to the communications between plaintiffs and third-party websites with embedded Facebook plug-ins.31 Additionally, the appellate court allowed the users’ claims for intrusion upon seclusion, invasion of privacy, larceny, and three other claims under California law to move forward, finding that the plaintiffs had adequately alleged a reasonable expectation of privacy and that Facebook’s undetected tracking practices could be “highly offensive” to a reasonable person and an “egregious breach of the social norms.”32
Finally, the Ninth Circuit refused to revive the remaining claims under the Stored Communications Act (“SCA”) and for breach of contract and breach of the implied covenant of good faith and fair dealing. The appellate court agreed with the district court that plaintiffs’ claims to relief were insufficient because they had failed to allege that their data was in “electronic storage” as defined by the SCA or to assert the existence of a contract that was breached.33
A district court in the Northern District of California laid out, in In re Google Assistant Privacy Litigation,34 a potential roadmap for surviving a motion to dismiss on privacy-related causes of action. This case is a consolidated putative class action against Google related to its Google Assistant product. Google Assistant is voice-activated software used in mobile and home devices that listens for “hot-words” in order to answer questions or follow user commands.35 This suit is based on Google’s alleged use of improper or accidental audio recordings to create personalized advertising or to improve and analyze the accuracy of the software.36 Plaintiffs argue that Google’s use of such audio recordings is an invasion of privacy.37 The court granted Google’s motion to dismiss with leave to amend on all counts as to which Google moved.38 In the process, the court acknowledged that a number of plaintiffs’ claims are likely to survive, depending on plaintiffs’ ability to allege that recorded conversations were confidential communications and that the recordings took place in reasonably private settings.39
Plaintiffs alleged privacy (or privacy-related) violations under federal and California state laws including the federal Wiretap Act, SCA, CIPA, the common law, the California Unfair Competition Law, as well as contract and warranty.40 This array of claims signals the breadth of privacy issues relevant to voice-activated technology.
In 2008, Illinois implemented a comprehensive biometric privacy regime called the Biometric Information Privacy Act (“BIPA”).41 Illinois is the only state that provides a private right of action for violations of biometric privacy. In the past year, courts have decided several cases that (1) analyzed Article III standing with regard to alleged violations of BIPA; (2) clarified which parties have obligations under BIPA; and (3) addressed preemption of BIPA by federal law. These cases are discussed below in more detail.
In early 2019, the Illinois Supreme Court held, in Rosenbach v. Six Flags Entertainment Corp., that “an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under [BIPA], in order to qualify as an ‘aggrieved’ person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act.”42 During the survey period, two cases—outlined here—further demonstrated that biometric information need not actually be provided to third parties for there to be a viable BIPA claim.
Building upon Rosenbach, the Ninth Circuit, in Patel v. Facebook, Inc.,43 expanded plaintiffs’ ability to pursue claims for technical violations of BIPA and incentivized plaintiffs to pursue class actions. The Ninth Circuit held that BIPA protects the plaintiffs’ concrete privacy interests, and that any BIPA violation amounts to a violation of those substantive privacy rights and, as such, constitutes a concrete and particularized harm to establish Article III standing.44
Plaintiffs alleged that Facebook’s practice of unlawfully collecting and storing the biometric data of Facebook users without prior notice or consent constituted a violation of BIPA.45 The claims at issue arose from Facebook’s “Tag Suggestions” feature, which identifies other Facebook users by using facial-recognition technology on photographs.46 Plaintiffs alleged that Facebook then stored face templates of people’s faces on its servers.47 The district court held that the plaintiffs had standing because Facebook’s alleged failure to provide the notice required by BIPA, which deprived them of the ability to withhold their consent to the data collection, was a concrete injury.48
Facebook appealed, but the Ninth Circuit affirmed the district court’s decision, holding that plaintiffs had alleged a harm sufficient to confer standing.49 Facebook then filed a petition for a writ of certiorari with the U.S. Supreme Court, claiming the plaintiffs experienced no tangible injury, which the Court denied.50 Shortly thereafter, Facebook announced that it will pay $550 million to settle this class-action suit.51 After the federal judge overseeing this case expressed skepticism and concern over the adequacy of the settlement, Facebook increased its settlement offer to $650 million in July 2020.52
In Bryant v. Compass Grp. USA, Inc.,53 the U.S. Court of Appeals for the Seventh Circuit held that an Illinois plaintiff had standing to sue in federal court for an alleged violation of BIPA, despite the fact that she did not allege a harm beyond violation of the Act. This case aligns with the recent standing decisions by the Supreme Court of Illinois and in the Ninth Circuit, but deepens the circuit split on whether procedural violations, without more, raise a “material risk of harm” sufficient to meet federal standing requirements for claims under the Act.54
The plaintiff was a call center employee who voluntarily scanned her fingerprint to create an account to use on-site vending machines that were owned and operated by defendant.55 Plaintiff sued the defendant for allegedly violating BIPA by failing to (1) develop and publicize a policy concerning retention and destruction of biometric information it collects, in violation of section 15(a), and (2) make disclosures to plaintiff and obtain her informed consent to collect, store, and use her fingerprint scan, in violation of section 15(b).56 The plaintiff brought a putative class action in Illinois state court, but Compass removed the lawsuit to federal court under the Class Action Fairness Act.57 The district court found that both alleged violations of BIPA were bare procedural harm, or put another way, not concrete harms to plaintiff.58 The district court remanded the action to state court and Compass appealed.59
Looking to the U.S. Supreme Court’s ruling in Spokeo, Inc. v. Robins,60 the Seventh Circuit distinguished between two kinds of cases: cases where “a private plaintiff asserts a violation of her own rights,” and cases where “a private plaintiff seeks to vindicate public rights.”61 The Seventh Circuit found that plaintiff’s first claim concerned a duty owed to the public generally, which in turn led the court to conclude that plaintiff did not suffer a concrete and particularized injury.62 She therefore lacked standing under Article III to pursue the section 15(a) claim in federal court.63 On the other hand, the appellate court found that the plaintiff’s second claim, regarding Compass’s failure to obtain her informed consent before it collected fingerprint scans, was an assertion of the plaintiff’s own rights. The appellate court stated that a violation of BIPA’s informed consent requirement is not a purely procedural requirement, but rather a concrete and particularized harm.64 Defendant’s failure to provide plaintiff with notice deprived her of the ability to give informed consent, and this deprivation is sufficient for the plaintiff to satisfy Article III standing requirements in the Seventh Circuit.65
Beyond standing, there are additional unresolved issues on the merits of BIPA claims. One such issue is the question of which entities have a duty to seek consent from consumers.
In Heard v. Becton, Dickinson & Co.,66 the U.S. District Court for the Northern District of Illinois granted the defendant’s motion to dismiss for failure to state a claim, but not without first offering some insight as to who must comply with BIPA. The plaintiff was a respiratory therapist who sued the manufacturer of an automated medication dispensing system that plaintiff used at work.67 The defendant’s product allegedly stored a scan of the plaintiff’s fingerprint, and it could subsequently recognize the plaintiff’s fingerprint to dispense medication.68 However, the plaintiff did not allege that the defendant ever subsequently accessed its product or the plaintiff’s fingerprint.69 Defendant moved to dismiss, arguing that, as the manufacturer of the fingerprint-scanning device used by other companies, it did not actively collect biometric information, even if its product may have been used by others to do so.70
The court held that BIPA’s requirement to obtain informed consent only applied to entities that actively collected information themselves, not to a company, like defendant, whose device was merely used for the collection.71 Additionally, the court ruled that the other provisions of BIPA were inapplicable because the plaintiff did not sufficiently plead that defendant had “possession” of the biometric data.72 The court noted that there were no allegations in the complaint that defendant had any control over the data or disclosed plaintiff’s biometric data.73
Significantly, in Figueroa v. Kronos, Inc.,74 the judge acknowledged, but rejected, Heard, which was decided by a different judge in the same federal district. The court held that Kronos Inc., a vendor of biometric-based timekeeping systems used by employees to clock in and out of work, could be liable for violations of BIPA.75 More pointedly, the court held that plaintiffs had sufficiently alleged that Kronos “collect[ed]” users’ biometric data and, therefore, Kronos was required to obtain employee consent.76 Unlike the court in Heard, the court in Kronos did not find that section 15(b) liability required “active” collection, instead requiring only that defendant had “obtained” biometric data within the ordinary meaning of the word.77 The decision is notable because it signals a new category of defendant in BIPA consent cases and potentially invites an increase in third-party contribution claims brought by employers against the vendors of biometric time clocks.
A recent ruling demonstrates the reach of state biometric privacy laws and instructs that some employees will need to pursue their claims in an administrative forum because their state law claims are preempted by federal law.
Miller v. Southwest Airlines Co.78 is a consolidated suit brought against Southwest Airlines and United Airlines by Illinois employees of the airlines under BIPA. The Seventh Circuit addressed whether employees could seek relief in court for alleged violations of BIPA when the airlines required employees to provide their fingerprints for timekeeping and identification.79 Plaintiffs argued that the airlines did not obtain their consent or publish protocols to implement the biometric timekeeping; the airlines asserted that the plaintiffs’ unions had consented and that any required notice was provided to the unions.80 The court concluded that the employees could not seek relief in court because they must present their claim to an adjustment board under the Railway Labor Act (“RLA”).81 RLA preemption was a significant victory for the defense. Since Miller, at least two federal district court judges have dismissed BIPA lawsuits brought by union employees as preempted by another federal statute.82
One of the most interesting issues in recent data-related class actions has been the viability of settlements and the adequacy of cy pres distributions. Under Federal Rule of Civil Procedure 23, a district court is required to review a proposed class action settlement for its fairness, reasonableness, and adequacy.83 Cy pres distributions refer to settlement funds that are awarded to “nonprofit organizations whose work is determined to indirectly benefit class members” because the funds are not “amenable to individual claims or meaningful pro rata distribution.”84 A recent trend in the context of class action settlements is cy pres-only settlements, where most, if not all, of the settlement proceeds are paid to cy pres recipients.85 Given the difficulty of tracing data to its original source, thereby identifying the entire class, cy pres settlements make sense when it is impracticable or infeasible to distribute money to class members. Nevertheless, they are not without criticism; cy pres relief provides no direct compensation to class members and could create a potential conflict of interest between class counsel and any absent class members.
The Third Circuit sought to determine whether a cy pres-only settlement can satisfy the fairness, reasonableness, and adequacy requirement. The appellate court found that cy pres-only settlements are not unfair per se, but criticized the district court for failing to sufficiently scrutinize the settlement.88 First, the Third Circuit found troubling the Settlement Agreement’s release of all class member claims for money that related to the subject matter of the litigation.89 The Third Circuit believed that the district court had performed a Rule 23(b)(2) analysis to certify an injunction class while permitting a broad class-wide release more typical with a damages class.90 Thus, the appellate court directed the lower court to reassess the settlement under a Rule 23(b)(3) analysis, and to consider whether a class-wide release of claims for money damages required “a heightened form of notice.”91
Second, the Third Circuit was troubled by the fact that Google regularly donated to four of the cy pres recipients and that one class counsel sat on another recipient’s board.92 The appellate court noted that the lower court did not conduct any fact finding to determine the nature of the relationships between the cy pres recipients, the defendant, and class counsel.93 To address this, the Third Circuit held that, when a cy pres settlement is challenged on the basis of a preexisting relationship between parties and recipients, the district court must consider whether cy pres recipients have any significant prior affiliation with any party, class counsel, or the court, and whether any affiliation “would raise substantial questions [as to] whether the selection of the [cy pres] recipient[s] was made on the merits.”94 Thus, the Third Circuit made apparent that a prior affiliation will not automatically prevent approval of a settlement, but the district court must take any prior affiliations into consideration.
More recently, in In re Google LLC Street View Electronic Communications Litigation, the U.S. District Court for the Northern District of California granted final approval to a proposed $13 million cy pres-only settlement.95 This class action alleged that the company illegally gathered Wi-Fi network data using its Street View car fleet and, after nearly ten years of litigation, a settlement was reached.96 Here, the district court found that a cy pres-only settlement was adequate and expressed awareness of the Supreme Court’s interest in the issue of cy pres-only settlements.97 It found “no controlling authority holding that settlements providing direct payments to class members are always preferable to cy pres-only settlements”; if anything, the existing authority pointed the other way.98
In July 2019, the Federal Trade Commission (“FTC”) announced one of its largest settlements in history, in FTC v. Equifax Inc.99 Its settlement with Equifax totaled $575 million to the FTC, Consumer Financial Protection Bureau, and fifty states and territories to resolve allegations that Equifax failed to take reasonable steps to secure its network, leading to a data breach in 2017 that allegedly affected 147 million people.100 To settle civil claims filed by consumers across several states, Equifax agreed to pay additional amounts up to $125 million.101 The settlement resolved numerous claims, including unfair and deceptive trade practices and violation of the Gramm-Leach-Bliley Act Safeguards Rule.102
In addition to the monetary judgment, the settlement requires the credit reporting agency to implement a comprehensive data security program.103 Under the settlement, Equifax must obtain third-party assessments of its data security program every two years and must provide an annual update to the FTC on the status of the consumer claims process.104 In a separate case, the company also agreed to pay at least $380.5 million into a fund for class action benefits and spend an additional $1 billion to improve its data security and related technology over five years.105
In July 2019, the FTC and the U.S. Department of Justice filed a proposed consent order to settle allegations against Facebook for violations of the FTC Act and its prior 2012 FTC settlement order for misleading users about the extent of data sharing with third-party applications and about the control consumers had over such sharing, in addition to failing to maintain a reasonable privacy program.106 The FTC also alleged that Facebook engaged in deceptive practices related to the collection and use of consumer phone numbers for advertisements, rather than their purported use for security features.107 The same day, the Securities and Exchange Commission announced a $100 million settlement with Facebook resolving claims that the company’s public filings contained misleading statements about risks to its business from the misuse of user data.108
On April 23, 2020, the district court approved the FTC’s proposed settlement and entered the parties’ stipulated order.109 As part of the settlement, the company agreed to pay a $5 billion civil penalty and to be subject to various remedial measures, which expand upon the privacy program requirements from the 2012 order, to further enhance oversight and accountability regarding Facebook’s privacy practices.110 The 2020 order also requires recording and reporting of covered incidents to the FTC.111 The order further imposes the requirement that Facebook’s CEO periodically certify that Facebook is in compliance with the order.112
In September 2019, Google, and its subsidiary YouTube, agreed to pay $170 million to the FTC and New York State to settle allegations that the company collected personal data from viewers of child-directed channels without the consent of their parents.113 The $136 million payment allocated to the FTC was the largest penalty ever in a matter brought under the Children’s Online Privacy Protection Act (“COPPA”).114 Despite allegedly knowing that a number of its channels were directed at children, YouTube ran targeted advertisements on these channels and did not comply with COPPA’s requirements to provide notice and obtain parental consent prior to collecting personal information from children.115
As part of the settlement, the companies agreed to “develop, implement, and maintain a system for channel owners” to designate each video as child-directed or not, to ensure compliance with COPPA.116 Additionally, the settlement requires Google and YouTube to notify channel owners that child-directed content may be subject to COPPA, and to provide COPPA training to their employees.117 Lastly, the settlement requires Google and YouTube to provide notice regarding their data collection practices and obtain parental consent prior to collecting personal information from children.118
While privacy and cybersecurity remain rapidly changing fields, recent litigation and enforcement actions make clear that companies will increasingly be expected to keep pace. In the next year, we expect to see a great deal of privacy-related litigation stemming from the COVID-19 crisis as the world has gone remote and switched to online work environments. In order to be successful, the technologies enabling this remote shift will need to navigate the constantly shifting landscape of U.S. privacy law too.