Duane Morris Privacy Class Action Review – 2024

Class action litigation in the consumer fraud area has exponentially increased over the past several years. Most consumer fraud class actions come with the possibility of excessive payouts for corporations. We hope the Duane Morris Consumer Fraud Class Action Review – 2023 will demystify some of the complexities of consumer fraud class action litigation through our analysis of trends and significant rulings that enable corporate counsel to make informed decisions in dealing with complex litigation risks.

DISCLAIMER The material in this Review is of the nature of general commentary only. It is not meant as or offered as legal advice on any particular issue and should not be considered as such. The views expressed are solely those of the authors. In addition, the authors disclaim any and all liability to any person in respect of anything and of the consequences of anything done wholly or partly in reliance on the contents of this Review. This disclaimer is from the Declaration of Principles jointly adopted by the Committee of the American Bar Association and a Committee of Publishers and Associations.

CITATION FORMATS All citations in the Duane Morris Privacy Class Action Review are designed to facilitate research. If available, the preferred citation of the opinion included in the West bound volumes is used, such as Baysal, et al. v. Midvale Indemnity Co., 78 F.4th 976 (7th Cir. 2023). If the decision is not available in the preferred format, a Lexis cite from the electronic database is provided, such as Moehrl, et al. v. National Association of Realtors, 2023 U.S. Dist. LEXIS 53299 (N.D. Ill. Mar. 29, 2023). If a ruling is not available in one of these sources, the full case name and docket information is included, such as Yates, et al. v. Traeger Pellet Grills , Case No. 19-CV-723 (D. Utah Sept. 7, 2023). eBOOK HIGHLIGHTS The Duane Morris Privacy Class Action Review is available for use on a smartphone, laptop, iPad, or any personal electronic reader by using any eBook reader application. eBook reading allows users to quickly scroll, highlight important information, link directly to different sections of the Review, and bookmark pages for quick access at a later time. The eBook is designed for easy navigation and quick access to informative data. The eBook is available by scanning the below QR code:

Duane Morris Privacy Class Action Review – 2024

NOTE FROM THE EDITORS Privacy class action litigation ranks near the top of the list of issues that keep corporate counsel up at night. The stakes in these cases are significant by any measure. The price tags attached to settlements of privacy class action lawsuits filed under the Illinois Biometric Information Privacy Act, 740 ILCS 14/15 (“BIPA”) over the past decade have exceeded the $1 billion threshold, and the first BIPA jury trial resulted in a verdict for roughly a quarter of that amount. In February 2023, the Illinois Supreme Court issued two consequential rulings for BIPA defendants. In the first, the Supreme Court set a five-year statute of limitations for BIPA claims and, in the second, it interpreted the BIPA to allow a claim to accrue with each scan or transmission of biometric information. Both decisions are highly favorable to plaintiffs. These rulings follow other plaintiff-friendly decisions from the Illinois Supreme Court, which negated preemption arguments under the Illinois Workers’ Compensation Act and jettisoned any requirement of actual harm. Together, they create a mosaic of decisions that make the defense of BIPA class actions a challenge for corporations. We expect 2024 will see even more privacy class actions filed in both Illinois and throughout the country. The stakes will continue to rise, and the plaintiffs’ class action bar will push the legal envelope in their aggressive pursuit of damages under privacy laws. The Duane Morris Privacy Class Action Review – 2024 is an essential desktop reference for corporate counsel and business decision-makers to identify privacy risks, implement strategies to mitigate those risks, and best understand the significant monetary exposure for organizations that fail to comply with evolving legal requirements. The Review examines the key court rulings that have shaped this high-stakes landscape and provides insight into how businesses can navigate privacy issues through a minefield of adverse rulings. Defense of class actions is a hallmark of the litigation practice at Duane Morris. We hope this book – manifesting the collective expertise of our class action defense group and over 70 years combined class action experience of our Editors – will be the “go to” desktop reference guide for corporate counsel and business decision-makers navigating privacy class actions.

Gerald L. Maatman, Jr.

Jennifer A. Riley

Alex W. Karasik

Editor

iii

Duane Morris Privacy Class Action Review – 2024

CONTRIBUTORS

Elisabeth Bassani

Rebecca Bjork

Emilee Crowther

Ethan Feldman

Derek Franklin

Zev Grumet-Morris

Christian Palacios

George Schaller

Bryan Shapiro

Brandon Spurlock

Gregory Tsonis

Tyler Zmick

Nicolette Zulli

Duane Morris Privacy Class Action Review – 2024

GLOSSARY AND KEY U.S. SUPREME COURT DECISIONS Adequacy Of Representation – Plaintiffs must show adequacy of representation per Rule 23(a)(4) to secure class certification. It requires representative plaintiffs and their counsel to be capable of fairly and adequately protecting the interests of the class. Amchem Products, Inc. v. Windsor, et al. , 521 U.S. 591 (1997) – Windsor is the U.S. Supreme Court decision that elucidated the requirements in Rule 23(b), insofar as common questions must predominate over any questions affecting only individual class members and class resolution must be superior to other methods for the adjudication of the claims. Ascertainability – Although not an explicit requirement of Rule 23, some courts hold that the members of a proposed class must by ascertainable by objective criteria. California Invasion Of Privacy Act (CIPA) – Under the CIPA, it illegal to record conversations, including telephone conversations without consent from all parties. California Privacy Rights Act (CPRA) – The CPRA expands the current CCPA private right of action by authorizing consumers to bring lawsuits arising from data breaches involving additional categories of personal information. Comcast Corp. v. Behrend, et al. , 569 U.S. 27 (2013) – Comcast is the U.S. Supreme Court decision that interpreted Rule 23(b)(3) to require that, for questions of law or fact common to the class, the plaintiffs’ damages model must show damages are capable of resolution on a class-wide basis. Commonality – Plaintiffs must show commonality per Rule 23(a)(2) to secure class certification. This requires that common questions of law and fact exist as to the proposed class members. Class – A group of individuals that has suffered a similar loss or alleged illegal experience on whose behalf one or more representatives seek to bring suit. Class Action – The civil action brought by one or more plaintiffs in which they seek to sue on behalf of themselves and others not named in the suit but alleged to have suffered the same or similar harm. Class Certification – The judicial process in which a court reviews the submissions of the parties to determine whether the plaintiffs have met their burden of showing that class treatment is the most appropriate form of adjudication. In federal courts, the process is governed by Rule 23 of the Federal Rules of Civil Procedure. Illinois Biometric Information Protection Act, 740 ILCS 14/15 (BIPA) – The BIPA regulates the collection, use, and handling of biometric identifiers and information by private entities. Numerosity – Plaintiffs must show that their proposed class is sufficiently numerous that adding each class member to the complaint would be impractical. This is a requirement for class certification imposed by Rule 23(a)(1). Opt-Out Procedures – If a court certifies a class under Rule 23(b)(3), class members are bound by the court ’ s judgment unless they opt-out after receiving notice of the lawsuit. Pennsylvania Wiretapping And Electronic Surveillance Act – The Pennsylvania Act requires all parties to consent prior to being recorded in any manner.

Duane Morris Privacy Class Action Review – 2024

Predominance – The Rule 23(b)(3) requirement that, to obtain class certification, the plaintiffs must show that common questions predominate over any questions affecting individual members. Rule 23 – This rule from the Federal Rules of Civil Procedure governs class actions in federal courts and requires that a party seeking class certification meet four requirements of section (a) and one of three requirements under section (b) of the rule. Rule 23(a) – It prescribes that a class meet four requirements for purposes of class certification, including numerosity, commonality, typicality, and adequacy of representation. Rule 23(b) – To secure class certification, a class must meet one of three requirements of Rule 23(b)(1), Rule 23(b)(2), or Rule 23(b)(3). Rule 23(b)(1) – A class action may be maintained if Rule 23(a) is satisfied and if prosecuting separate actions would create a risk of inconsistent or varying adjudications with respect to individual class members or adjudications with respect to individual class members that, as a practical matter, would be dispositive of the interests of the other members not parties to the individual adjudications or would substantially impair or impede their ability to protect their interests. Rule 23(b)(2) – A class action may be maintained if Rule 23(a) is satisfied and the party opposing the class has acted or refused to act on grounds that apply generally to the class, so that final injunctive relief or corresponding declaratory relief is appropriate respecting the class as a whole. Rule 23(b)(3) – A class action may be maintained if Rule 23(a) is satisfied and questions of law or fact common to class members predominate over any questions affecting only individual members and a class action is superior to other available methods for fairly and efficiently adjudicating the controversy. Superiority – The Rule 23(b)(3) requirement that a class action can be permitted only if class resolution is the superior method of adjudicating the claims. Typicality – The plaintiffs’ claims and defenses must be typical to those of proposed class members’ claims. This is required by Rule 23(a)(3). Wal-Mart Stores, Inc. v. Dukes, et al., 564 U.S. 338 (2011) – Wal-Mart is the U.S. Supreme Court ruling that tightened the commonality requirement of Rule 23(a)(2) and held that judges must conduct a “rigorous analysis” to determine whether there is a “common” contention central to the validity of the claims that is “capable of class-wide resolution.”

Duane Morris Privacy Class Action Review – 2024

TABLE OF CONTENTS

Page Privacy Class Actions ………………………………………………………………………...1 Executive Summary …………………………………………………………………………...1 Top Privacy Class Action Settlements In 2023 ………………………………………...34 Top BIPA Class Action Settlements In 2023 …………………………………………….36

APPENDIX ..…………………………………………………………………………………...38

Table Of 2023 Privacy Class Action Litigation Rulings ……………………………….38

vii

Duane Morris Privacy Class Action Review – 2024

Privacy Class Actions I. Executive Summary

In an increasingly digitalized society, privacy is paramount for both companies and individuals. Businesses across the world purposefully have increased their use and reliance on biometric technology for various innovative purposes, such as to enhance the accuracy of their timekeeping systems, to facilitate consumer transactions, and to augment their security measures. Both the federal government and an increasing number of states anticipated this evolution and passed laws to ensure the security of personal information and to protect against the potentially harmful disclosure of sensitive biometric identifiers. Although some of the first privacy laws were passed decades ago, there has been a rapid rise in privacy class action lawsuit filings over the past few years. With privacy settlement values surging higher than ever before, companies must take heed of this focal point for the plaintiffs’ class action bar. In the rapidly evolving privacy litigation landscape, it is crucial for businesses to understand how courts are interpreting these often ambiguous privacy statutes. In 2023, courts across the country issued a mixed bag of results leading to major victories for both plaintiffs and defendants. Federal courts in New York, Tennessee, and California granted at least five separate Rule 12 motions to dismiss class action complaints brought under the federal Video Privacy Protection Act (VPPA), 18 U.S.C. § 2710. The VPPA, which was originally enacted in 1988, makes it unlawful for a “video tape service provider” to knowingly disclose, to any person, “personally identifiable information” concerning any “consumer” of such provider without their consent. On the state law side, the Illinois Biometric Information Privacy Act (BIPA) remains the most controversial and hotly litigated privacy law in the country. The BIPA, which was originally enacted in 2008, prohibits companies from collecting individuals’ biometric data without the requisite notice and consent. While both defendants and plaintiffs can point to major BIPA victories in 2023, this past year will be remembered for some of the landmark pro-plaintiff rulings that will provide the plaintiffs’ bar with more than enough ammunition to keep BIPA litigation in the headlines for the foreseeable future. In 2023, the Illinois Supreme Court issued two seminal decisions that increased the opportunity for recovery of damages under the BIPA. On February 2, 2023, the Illinois Supreme Court issued its ruling in Tims v. Black Horse Carriers , 2023 IL 127801 (Feb. 2, 2023), and held that a five-year statute of limitations applies to claims under the BIPA. Perhaps even more significantly, on February 17, 2023, the Illinois Supreme Court issued its ruling in Cothron, et al. v. White Castle System, Inc. , 2023 IL 1280004 (Feb. 17, 2023), and held that a claim accrues under the BIPA each time a company collects or discloses biometric information. These rulings have far-reaching implications. Together, they have the potential to increase monetary damages in BIPA class actions in an exponential manner, especially in the employment context, where employees might scan in and out of work multiple times per day across more than 200 workdays days per year. In the wake of these rulings, class action filings more than doubled. From January 1, 2023, to the ruling in Cothron , plaintiffs filed approximately 61 lawsuits in Illinois state and federal courts alleging violations of the BIPA. By contrast, in the same period of time following the ruling, plaintiffs filed 150 lawsuits in Illinois state and federal courts, representing a noteworthy increase of 71%.

Duane Morris Privacy Class Action Review – 2024

Below is a chart outlining this litigation spike:

Throughout the remainder of 2023, lawsuit filings continued to grow in number and sophistication as they targeted more advanced and innovative technologies. Given the five-year statute of limitations, and the potential for enhanced monetary penalties, we anticipate that filings and settlement numbers in BIPA litigation will continue to expand. Despite the Illinois statute being the most controversial privacy law, it is far from the only one on which the courts focused in 2023. Various states are continuing to consider a series of proposed copycat statutes that follow the lead of Illinois, and the federal government continues to consider proposals for a national statute. These factors have transformed biometric privacy compliance into a top priority for businesses nationwide and have promoted privacy class actions to the top of the list of litigation risks facing business today. Against this backdrop, corporate decision-makers can expect to continue to see several key trends in 2024. In terms of lawsuit filings, for nearly a decade following the enactment of the BIPA, activity under the statute was largely dormant. There was an average of approximately two total suits filed per year from 2008 through 2016. Those numbers grew exponentially in 2017 and 2018, as the plaintiffs’ class action bar filed a surge of class action lawsuits. In 2023, companies saw more than five times as many class action lawsuit filings for alleged violations of BIPA than they saw in 2018, and more than the number of class action lawsuit filings that they saw from

Duane Morris Privacy Class Action Review – 2024

2008 through 2018 combined. If other states succeed in enacting similar statutes, businesses can expect similar surges in those states, as the filing numbers in Illinois continue their upward trend. In 2023, there were over 450 privacy class action lawsuits filed in federal courts across the country (excluding BIPA class actions in Illinois). Set out below is a chart showing the states where privacy class actions were most prolific – with California unsurpsiringly at the top. Equally unsurpsising, Illinois and New York finished second and third. These jurisdictions tend to be breeding grounds for class actions generally, and privacy class actions in particular, as they are home to many businesses at the forefront of the modern technological evolution. In 2023, courts referenced the BIPA in 86 rulings, including 75 in federal court and 11 in state court. In 2022, courts referenced the BIPA in 99 rulings, including 93 in federal court and six in state court. This is an increase from the numbers seen in 2021, when the BIPA was referenced only 74 times.

Various provisions of state privacy, anti-surveillance, and wiretap statutes have generated a similar impact, fueling creativity by the plaintiffs’ class action bar as it looks to apply many pre-existing laws to challenge the use of innovative and novel technologies that companies use to collect information about consumers and their online activities. Over the past year, plaintiffs have filed a barrage of class action lawsuits under the federal Video Privacy Protection Act (VPPA). Congress originally passed the VPPA in 1988 to prevent the wrongful disclosure of video tape sale and rental records. Plaintiffs have filed lawsuits under the VPPA against companies that offer video content on their websites. The VPPA prohibits a “video tape service provider” from knowingly disclosing personally identifiable information concerning any consumer of such provider.” 18 U.S.C. § 2710(b)(1). The statute defines a

Duane Morris Privacy Class Action Review – 2024

“video tape service provider” to include any person “engaged in business, or affecting interstate or foreign commerce, of rental, sale, or delivery of prerecorded video cassette tapes or similar audio-visual materials.” 18 U.S.C. § 2710(a)(4). Some courts have construed “similar audio-visual materials” broadly, generally concluding that its definition encompasses streaming video delivered electronically. Plaintiffs allege that companies that maintain videos on their websites and deploy pixel tracking tools violate the VPPA because their websites track the videos that visitors watch and share the viewing data with third parties. The VPPA provides for damages up to $2,500 per violation in addition to costs and attorneys’ fees for successful litigants, making it an attractive source of filings for the plaintiffs’ class action bar. Indeed, plaintiffs initiated more than 137 class actions under the VPPA over the past year.

Similarly, state wiretapping and anti-surveillance laws are continuing to generate filings by enterprising plaintiffs’ lawyers. Plaintiffs initiated class actions against companies that use third-party software to track user activity on their webpages, or to create and record transcripts of conversations conducted via chat features, based on the theory that such practices potentially violate electronic interception provisions of various state laws. The plaintiffs’ bar grounded these claims in the electronic interception provisions of wiretap statutes like the California Invasion of Privacy Act, the Pennsylvania Wiretapping and Electronic Surveillance Act, and the Florida Security of Communications Act, among other laws, which generally prohibit the unauthorized interception of communications transmitted electronically. The plaintiffs’ bar has targeted technologies that track a user’s interactions with the website ( e.g. , clicking,

Duane Morris Privacy Class Action Review – 2024

scrolling, swiping, hovering and typing) and create a recording of those interactions and inputs through session replay software. It also has attacked coding tools that create and store transcripts of conversations with users in a website’s chat feature. Plaintiffs generally allege that recording users’ interactions with a website and sending that recording to a third party for analysis without their consent is an illegal invasion of their privacy. Over the past year, these lawsuits met mixed results. During 2023, federal district courts in California ruled on the initial round of “chatbot” cases filed under the California Invasion of Privacy Act (CIPA) and several responded with skepticism. Courts granted motions to dismiss on various grounds finding, among other things, that the statutory provisions at issue do not apply to communications over the internet, see, e.g., Licea, et al. v. American Eagle Outfitters, Inc. , 2023 WL 2469630, at *5-6 (C.D. Cal. Mar. 7, 2023); a party cannot “eavesdrop” on its own conversation, see id. at *7-8; Licea, et al. v. Cinmar, LLC , 2023 WL 2415592, at *7-8 (C.D. Cal. Mar. 7, 2023); or that allegations that a defendant used the code embedded in a chat program to “harvest valuable data” were too vague and conclusory to state a claim. See , e.g., Cody, et al. v. Boscov’s, Inc. , 2023 WL 2338302, at *2 (C.D. Cal. Mar. 2, 2023). Other courts denied motions to dismiss similar claims. See, e.g., Valenzuela, et al. v. Nationwide Mutual Insurance Co. , 2023 WL 5266033, at *4-10 (C.D. Cal. Aug. 14, 2023); D’Angelo, et al. v. Penny OpCo, LLC, 2023 WL 7006793, at *2-4, *8-9 (S.D. Cal. Oct. 24, 2023). These rulings contribute to a patchwork quilt of decisions in this space. Given the stakes, we do not anticipate that this initial round of decisions will spell the death knell for suits attacking session replay or chatbot suits, many of which remain in the pipeline before various courts. Instead, we anticipate that plaintiffs will respond with additional creativity as they attempt to plead around these potential issues and identify new technologies at which to target their claims. The landscape of privacy litigation remains very much in flux. In the class actions to date, the plaintiffs’ bar primarily has alleged on behalf of employees and/or consumers that companies improperly collected their biometric data for a host of functions, such as to enhance their timekeeping systems, to promote their security, to increase employee productivity, to increase their sales, or to facilitate consumer transactions. The plaintiffs’ bar is also bringing novel BIPA class actions under evolving case theories, including lawsuits alleging surveillance claims, facial geometry scanning, voiceprint claims, and privacy violations for on-line “virtual try-on” claims. If successful in capitalizing on these claims, companies can expect the numbers of lawsuits alleging violations in these areas to increase in 2024.

Duane Morris Privacy Class Action Review – 2024

While the overwhelming majority of the over lawsuits filed in 2023 alleging privacy violation claims were claims asserting that users’ fingerprints or facial scans were improperly used, there were 31 that referenced claims based on these “non- traditional” BIPA allegations.

These cutting-edge privacy lawsuits have resulted in high-dollar-value settlements. In terms of settlement value, the settlement in the litigation captioned In Re Facebook Biometric Information Privacy Litigation, Case No. 15-CV- 03747 (N.D. Cal. Feb. 26, 2021), approved in February 2021, remains at the top, with a whopping $650 million price tag. In that case, plaintiffs alleged that Facebook collected and stored the biometric data of users in Illinois through its use of “Tag Suggestions” and other features involving facial recognition technology, without providing users proper notice and obtaining consent, in violation of the BIPA. Over the past two years, defendants have entered into several other eight-figure settlements stemming from privacy class

actions against Google ($100 million), TikTok ($92 million), and others. These eye-popping figures demonstrate the continued potency of BIPA litigation in terms of financial exposure and explain the continued interest in BIPA class actions on the part of the plaintiffs’ class action bar. As the BIPA’s parameters begin to settle in to place, these large settlement numbers with continue to pop in the upcoming year. This Review analyzes the key decisions and settlements over the past year, providing companies a one-of- its-kind resource to assess the past, present, and future of complex privacy litigation. 1. Illinois Supreme Court Rules On The Statute Of Limitations For BIPA Violations In early 2023, the Illinois Supreme Court set the tone for what would become a monumental year for BIPA litigation, issuing two key rulings that will have repercussions for decades to come. In Cothron, et al. v. White Castle Systems, 2023 IL 128004 (Ill. Feb. 17, 2023), the plaintiff alleged that after she started working at White Castle in 2004, the company required her to use a fingerprint-based system to access the workplace computer she used in her position as a manager. The plaintiff sued White Castle several years later in 2018, alleging that the company violated §§ 15(b) and 15(d) of the BIPA in connection with the fingerprint-based system by: (i) collecting her biometric data without providing her with the requisite notice and obtaining her written consent, and (ii) disclosing her biometric data without consent. After removing the complaint to the U.S. District Court for the Northern District of Illinois, White Castle moved for judgment on the pleadings on the basis that plaintiff ’ s claims were untimely. Specifically, White Castle argued that the plaintiff ’ s BIPA claims accrued in 2008 (when her first fingerprint scan occurred after the BIPA took effect), yet she did not file her complaint until 2018. The district court rejected White Castle ’ s

Duane Morris Privacy Class Action Review – 2024

one-time-only theory of claim accrual, holding that the lawsuit was timely because each separate unauthorized fingerprint scan constituted an independent violation of the statute, meaning the plaintiff ’ s BIPA claims were timely because her last fingerprint scan occurred within five years of the filing of her complaint. Because the issue presented a close call, however, the district court permitted White Castle to file an interlocutory appeal to the Seventh Circuit regarding whether §§ 15(b) and 15(d) claims accrue each time a private entity scans a person ’ s biometric identifier and each time a private entity transmits a scan to a third party, respectively, or only upon the first scan and first transmission. The Seventh Circuit accepted the interlocutory appeal and explained that the parties’ competing interpretations of claim accrual were reasonable under Illinois law. It ultimately agreed with the plaintiff and held that “the novelty and uncertainty of the claim-accrual question” warranted certification of the question to the Illinois Supreme Court. Id. at 1165-66. The Seventh Circuit “observed that the answer to the claim-accrual question would determine the outcome of the parties’ dispute, this court could potentially side with either party on the question, the question was likely to recur, and it involved a unique Illinois statute regularly applied by federal courts.” Id. After the Illinois Supreme Court received the certified question from the Seventh Circuit, in a 4-3 split ruling, the Illinois Supreme Court held that that a separate claim accrues under the BIPA each time a private entity scans or transmits an individual ’ s biometric identifier or information, in violation of §§ 15(b) or 15(d). In coming to this conclusion, the Illinois Supreme Court first analyzed the certified question with respect to § 15(b), which provides that no private entity “may collect, capture, purchase, receive through trade, or otherwise obtain” a person ’ s biometric data unless it first provides notice and receives written consent. 740 ILCS 14/15(b). Relying on the plain language of the statute and the fact that the actions of “collecting” and “capturing” biometric data can occur more than once, the Illinois Supreme Court agreed with plaintiff ’ s interpretation – namely, that § 15(b) “applies to every instance when a private entity collects biometric information without prior consent.” Id. at 19, 23. As interpreted in the context of the facts of the case, the Illinois Supreme Court further observed that White Castle obtained an employee ’ s fingerprint, stored it in its database, and then compared the fingerprint taken during subsequent scans to verify the identity of the employee. In the Supreme Court ’ s words, White Castle failed “to explain how such a system could work without collecting or capturing the fingerprint every time the employee needs to access his or her computer or pay stub.” Id. at 23. Accordingly, consistent with the Northern District of Illinois decision in Cothron , the Illinois Supreme Court held that an entity violates § 15(b) the first time it collects biometric data without having provided the requisite notice and obtaining consent, in addition to “each subsequent scan or collection.” Id. at 24. Closely tracking its analysis of § 15(b), the Illinois Supreme Court similarly held that § 15(d) – which prohibits the disclosure, redisclosure, or dissemination of biometric data without consent – “applies to every transmission to a third party.” Id. at 28. Like the verbs “collect” and “capture” in § 15(b), the Illinois Supreme Court reasoned that the acts of disclosing and redisclosing biometric data occur upon the initial disclosure in addition to any subsequent disclosure or redisclosure of the data. Id. The majority opinion also rejected White Castle ’ s remaining “nontextual” arguments supporting its single- accrual interpretation. White Castle argued that a BIPA claim accrued only upon the initial collection or disclosure of a person ’ s biometric data because an individual loses the right to control his or her biometric data as soon as the data is collected and/or disclosed. In rejecting the argument, the Illinois Supreme Court again relied on the statute ’ s plain language, stating: “[n]o such limitation appears in the statute. We cannot rewrite a statute to create new elements or limitations not included by the legislature.” Id. at 39.

Duane Morris Privacy Class Action Review – 2024

The Illinois Supreme Court also addressed White Castle ’ s argument that in light of the BIPA ’ s liquidated damages provision, interpreting the statute to mean an entity violates §§ 15(b) and 15(d) every time it collects or discloses biometric data means “a party may recover for ‘ each violation,’ allowing multiple or repeated accruals of claims by one individual could potentially result in punitive and ‘ astronomical’ damage awards that would constitute ‘ annihilative liability’ not contemplated by the legislature and possibly be unconstitutional.” Id. at 41. For example, White Castle estimated that if the plaintiff was successful and allowed to bring her claims on behalf of as many as 9,500 current and former White Castle employees, class-wide damages in her action may exceed $17 billion. Once again, the Illinois Supreme Court rejected White Castle ’ s argument. It reasoned that the statutory language is clear and supported plaintiff ’ s position. Importantly, however, the Supreme Court acknowledged that trial courts could exercise their discretion to reduce the amount of statutory damages that can be recovered at trial. Id. at 42. Accordingly, the Illinois Supreme Court concluded that the plain language of §§15(b) and 15(d) showed that a claim accrues under the BIPA with every scan or transmission of biometric identifiers or biometric information without prior informed consent. While the Illinois Supreme Court ’ s ruling in Cothron has motivated the plaintiffs’ bar to continue to file class action lawsuits under the BIPA, it was far from the only BIPA case to change the landscape of privacy litigation over the past year. In one of the most highly anticipated class action rulings in years, in Tims, et al. v. Black Horse Carriers, Inc. , No. 127801 (Ill. Feb. 2, 2023), the Illinois Supreme Court held that a five-year statute of limitations applies to claims under the BIPA. In March 2019, the plaintiff filed a class action complaint alleging that the defendant violated the BIPA through its timekeeping practices that involved the scanning and storing of employees’ fingerprints. The plaintiff asserted claims under three sub-sections of the law, including: (1) § 15(a) of the BIPA, for failing to institute, maintain, and adhere to a retention schedule for biometric data; (2) § 15(b) of the BIPA, which states that no private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person’s or a customer’s biometric identifier or biometric information without notice and consent; and (3) § 15(d) of the BIPA, which involves the unlawful disclosure or dissemination of biometric data without first obtaining consent. Of note, § 15(c) of the BIPA prohibits the sale of a person’s biometric data for a profit, and § 15(e) of the BIPA imposes a duty of reasonable care in storing and protecting biometric data from disclosure. On September 17, 2021, the Illinois Appellate Court held in Tims that a one-year limitations period pursuant to § 13-201 of the Illinois Code of Civil Procedure governs actions under §§ 15(c) and (d) of the BIPA, while a five-year statute of limitations pursuant to § 13-205 applies to §§ 15(a), (b), and (e). The Illinois Appellate Court explained that the BIPA imposes various duties that are separate and distinct from one another. While each of the duties set forth under §§ 15(a)-(e) “concern privacy,” the Appellate Court reasoned that a private entity could violate §§15(a), (b), or (e) “without having to allege or prove that the defendant . . . published or disclosed any biometric data.” Tims v. Black Horse Carriers, Inc. , 2021 IL App (1st) 200563, ¶ 31 (1st Dist. Sept. 17, 2021) . However, the “publication or disclosure of biometric data is clearly an element of an action under” §§ 15(c) and (d). Id. ¶ 32. Accordingly, the Illinois Appellate Court applied the state’s one-year statute of limitations for right of privacy claims for §§ 15(c) and (d), and applied the five-year “catch all” statute of limitations for §§ 15(a), (b), and (e). The Illinois Supreme Court in Tims affirmed in part and reversed in part the Illinois Appellate Court’s decision. First, the Illinois Supreme Court notably opined that it, “agree[d] with the parties that the [A]ppellate [C]ourt erred in applying two different statutes of limitations to the Act.” Tims, 2023 IL 127801, at ¶ 16. It explained that one of the purposes of a limitations period is to reduce uncertainty and create finality and predictability in the administration of justice. Id. ¶ 20. The Illinois Supreme Court thus held that, “applying two different limitations periods or time bar standards to different subsections of § 15 of the Act would create an unclear, inconvenient, inconsistent, and potentially unworkable regime as it pertains to the administration of justice for claims under the Act.” Id. ¶ 21.

Duane Morris Privacy Class Action Review – 2024

Having decided that a singular uniform statute of limitations should apply, the Illinois Supreme Court next analyzed whether the statute of limitations should be five years or one year. Analyzing the plain language of the BIPA statute, the Illinois Supreme Court held that all five subsections of § 15 of the Act prescribe rules to regulate the collection, retention, disclosure, and destruction of biometric identifiers and biometric information. Id. ¶ 29. In regard to the Illinois Appellate Court’s holding that §§ 15(a), 15(b), and 15(e) of the Act contained no words that could be defined as involving “publication,” the Illinois Supreme Court held that the Illinois Appellate Court correctly found that subsections (a), (b), and (e) are subject to the five-year “catchall” limitations period codified in § 13-205 of the Code. Id. ¶ 30. Turning to subsections (c) and (d), the Illinois Supreme Court acknowledged that the one-year statute of limitations could be applied. Id. ¶ 32. However, the Illinois Supreme Court held that, “when we consider not just the plain language of § 15 but also the intent of the legislature, the purposes to be achieved by the statute, and the fact that there is no limitations period in the Act, we find that it would be best to apply the five-year catchall limitations period codified in § 13-205.” Id. ¶ 30. The Illinois Supreme Court explained that this outcome would further its goal of ensuring certainty and predictability in the administration of limitations periods that apply to causes of actions under the BIPA. Id. ¶ 32. In support of its conclusion, the Illinois Supreme Court held that Illinois courts have routinely applied this five-year catchall limitations period to other statutes lacking a specific limitations period, such as the BIPA. Id. ¶ 34. Finally, the Illinois Supreme Court examined the Illinois General Assembly’s goals in enacting the BIPA statute. The Illinois Supreme Court opined that in light of the extensive consideration the General Assembly gave to the fears of and risks to the public surrounding the disclosure of highly sensitive biometric information, “it would thwart legislative intent to (1) shorten the amount of time an aggrieved party would have to seek redress for a private entity’s noncompliance with the Act and (2) shorten the amount of time a private entity would be held liable for noncompliance with the Act.” Id. ¶ 39. The opinion also noted that defamation torts such as libel and slander are subject to a short limitations period because aggrieved individuals are expected to quickly become apprised of the injury and act promptly when their reputation has been publicly compromised, while it would be uncertain as to whether an individual would ever become aware of their biometric being improperly disclosed or misappropriated. Id. The Illinois Supreme Court concluded its opinion by holding that the five-year limitations period contained in § 13-205 of the Code controls claims under the BIPA. Therefore, the Illinois Supreme Court affirmed in part and reversed in part the judgment of the Appellate Court, and remanded the case for further proceedings. Looking ahead to 2024, to the extent the plaintiffs’ bar had any hesitation about the scope of the BIPA, these two Illinois Supreme Court rulings removed all doubts, and affirmed the floodgates are wide open. 2. First Illinois BIPA Class Action Jury Verdict In Rogers, et al. v. BNSF Railway Co ., Case No. 19-CV-03083 (N.D. Ill. Oct. 12, 2022), the first federal court jury trial in a case brought under the BIPA, the plaintiffs secured a verdict in favor of the class of 45,600 workers against the defendant BNSF. After a week-long trial in the U.S. District Court for the Northern District of Illinois in Chicago, the jury found that BNSF recklessly or intentionally violated the law 45,600 times, based on the defense expert’s estimated number of drivers who had their fingerprints collected. The court thereafter entered a judgment against BNSF for $228 million. The plaintiff, a truck driver, filed a class action lawsuit alleging that BNSF unlawfully required drivers entering the company’s facilities to provide their biometric information through a fingerprint scanner. He claimed that BNSF collected the drivers’ fingerprints without first obtaining informed written consent and therefore violated § 15(b) of the BIPA. BNSF argued that it did not operate the biometric equipment and instead sought to shift blame to a third-party vendor who operated the biometric equipment that collected drivers’ fingerprints. The case proceeded before a jury in federal court in Chicago. The proceeding was

Duane Morris Privacy Class Action Review – 2024

closely watched, as it represented the first time any class action had gone to a full trial with claims under the BIPA. The trial lasted five days. However, the jurors deliberated for just over an hour. The jurors were asked: (i) to state on the verdict form whether they sided with the plaintiff; and (ii) if so, to indicate how many times BNSF violated the BIPA negligently or how many times the company violated the statute recklessly or intentionally. The BIPA provides for damages of up to $1,000 for every negligent violation, and up to $5,000 in liquidated damages for every willful or reckless violation. At the conclusion of the trial, the jury found that BNSF recklessly or intentionally violated the law 45,600 times. Accordingly, the court entered a judgment against BNSF in the amount of $5,000 per violation, for a total amount of $228 million. On November 9, 2022, BNSF filed a motion for a new trial under Rule 59(a) or to reduce the damages award under Rule 59(e). It argued that none of the 45,600 class members suffered any actual harm. It also raised constitutional concerns about the BIPA. BNSF renewed its motion for judgment as a matter of law pursuant to Rule 50(b), following the court’s denial of BNSF’s Rule 50(a) motion at trial. In the alternative, BNSF moved for a new trial under Rule 59(a), or to reduce the damages award under Rule 59(e). First, BNSF argued that there was insufficient evidence for the jury to find that BNSF violated the BIPA. In support of that argument, BNSF cited testimony from its former Director of Technology Services that BNSF did not collect or obtain biometrics from truck drivers in Illinois, that the biometric data was stored on another entity’s server, and that BNSF did not maintain a copy of any of that data. Second, BNSF argued that it was entitled to judgment as a matter of law or a new trial, or at least a significant reduction in damages, because there was insufficient evidence for a rational jury to conclude that BNSF violated the BIPA recklessly or intentionally 45,600 times. BNSF claimed that there was no evidence that BNSF even learned about the BIPA until April 2019. Therefore, BNSF argued, no rational jury could have inferred from this evidence that BNSF consciously disregarded or intentionally violated the rights of the plaintiff and the class members at any point, much less for the full class period starting in April 2014. Third, BNSF argued that the court’s award of $228 million in damages where the plaintiff admitted he and the members of the class suffered no actual harm violated the due process clause and excessive fines clause of the U.S. Constitution. BNSF pointed out that it was undisputed that neither the plaintiff nor any member of the class had suffered any actual harm from any alleged violation of the BIPA. Accordingly, BNSF asked the court to enter judgment as a matter of law against the plaintiff and in favor of BNSF, or, in the alternative, to grant BNSF a new trial or substantially reduce the damages award against BNSF. In November of 2022, the defendant moved to vacate the judgment or for a new trial. In June of 2023, in Rogers, et al. v. BNSF Railway Co., 2023 U.S. Dist. LEXIS 113278 (N.D. Ill. June 30, 2023), the court granted in part the motion. The court ordered a new trial in which jurors would be informed that damages are optional in BIPA cases, and be provided the chance to determine penalties themselves. The court also stated that a jury should be allowed to determine the amount of penalties in such a case under the U.S. Constitution's Seventh Amendment right to trial by jury. As a result, the new trial would be limited solely to whether BNSF should have to pay damages, and if so, the amount of damages. The court did not vacate the portion of the jury finding that BNSF should be held liable for its fingerprint collection system breaching the BIPA. After this ruling, the parties agreed to settle the case for an undisclosed sum. This landmark verdict showcases the potentially devastating impact of the BIPA statute on unwary businesses in Illinois that collect, use, store, or disemminate biometric information. This outcome serves as a cautionary tale for future privacy action defendants who are considering taking a case to trial before a jury.

Duane Morris Privacy Class Action Review – 2024

3. BIPA Privacy Rulings That Favor Plaintiffs In Dzananovic, et al. v. Bumble, Inc., 2023 U.S. Dist. LEXIS 116806 (N.D. Ill. July 7, 2023), the plaintiff filed a class action alleging that the defendants, Bumble, Inc., Buzz Holdings L.P., and Bumble Trading LLC, violated the BIPA. The plaintiff asserted that the defendant used facial recognition technology to collect biometric information while using the photo verification feature on an online dating application without informing users that they were collecting, storing, and retaining their biometric information. The defendants filed a motion to dismiss for lack of personal jurisdiction pursuant to Rule 12(b)(2), and the court denied the motion. The court explained that for it to exercise specific personal jurisdiction: (i) the “defendants must have purposefully directed their activities at the forum state or purposefully availed themselves of the privilege of conducting business in the forum;” (ii) “the alleged injury must arise out of or relate to the defendants’ forum-related activities;” and (iii) “any exercise of personal jurisdiction must comport with traditional notions of fair play and substantial justice.” Id. at *6. The court first found that the defendants purposely directed their activities at Illinois by marketing to users in Illinois and collecting revenue from paying users in Illinois. The court also stated that the plaintiff ’ s claim was related to the defendants’ forum activities, specifically their marketing and promotion of the dating app, including the photo verification feature, which was a marketing feature designed to attract users. The court reasoned that there was substantial connection between the marketing activity and the collection of biometric data such that the plaintiff ’ s BIPA claim related to the defendants’ forum activities. Finally, the court reasoned that exercising jurisdiction over the defendants, as multi-million dollar entities, was not unreasonable or unfair and Illinois had an interest in providing a forum for residents to seek redress for violations of the BIPA. The court thus concluded that exercising personal jurisdiction over the defendants would align with traditional notions of fair play and substantial justice. Accordingly, the court ruled that personal jurisdiction existed due to the defendants’ purposeful direction of activities at Illinois, the relatedness of the claim to forum activities, and fairness in exercising jurisdiction. In Kyles, et al. v. Hoosier Papa LLC, 2023 U.S. Dist. LEXIS 54996 (N.D. Ill. Mar. 30, 2023), the plaintiff filed a class action alleging that the defendants, Hoosier Papa LLC, and its franchisor, Papa John ’ s International, violated the BIPA by improperly collecting and storing employees’ fingerprints using a proprietary point-of-sale system. Papa John ’ s filed a motion to dismiss pursuant to Rule 12(b)(6), and the court denied the motion. The plaintiff alleged that employees had to use the defendants’ fingerprint scanner for various tasks, and the system compared the fingerprint to stored templates. Papa John ’ s had remote access to these systems, allowing data collection and monitoring of fingerprint-scanner usage. The plaintiff contended that the defendants failed to obtain employees’ consent and failed to provide information about data usage or retention policies. Papa John ’ s argued that the plaintiff failed to plausibly allege possession of biometric data under § 15(a) and active collection under § 15(b) of BIPA. The court found the plaintiff adequately alleged that Papa John ’ s had control over the biometric data, and sufficiently alleged active collection, as it claimed Papa John ’ s required the use of the fingerprint scanner and engaged in data collection and reporting. The court rejected Papa John ’ s argument that the plaintiff only alleged access to information, not the specific biometric data. Papa John ’ s also moved to dismiss the plaintiff ’ s request for heightened statutory damages, arguing that the complaint did not plead recklessness or intent. The court rejected the argument. It found that the plaintiff plausibly asserted that Papa John ’ s acted recklessly or intentionally. For these reasons, the court denied Papa John ’ s motion to dismiss. The plaintiff in Tapia-Rendon, et al. v. United Tape & Finishing Co. , 2023 U.S. Dist. LEXIS 142773 (N.D. Ill. Aug. 15, 2023), alleged that defendant EasyWorkforce Solutions, LLC (EWF), a seller of biometric time clocks, collected her fingerprints while she worked for defendant United Tape & Finishing Co., Inc. without informing her of the data collection and without indicating the purpose of the collection or how long her data would be retained, as required under the BIPA. In its decision, the court certified two classes and rejected EWF’s argument that the possibility of very large damages awards available under the BIPA were a barrier to class certification. EWF noted that the BIPA allows for plaintiffs to collect damages of $1,000 for each negligent violation and $5,000 for each intentional or reckless violation and that the plaintiff claimed that class members scanned in and out of work more than 2.4 million times – a situation that could

Duane Morris Privacy Class Action Review – 2024

Page 1 Page 2 Page 3 Page 4 Page 5 Page 6 Page 7 Page 8 Page 9 Page 10 Page 11 Page 12 Page 13 Page 14 Page 15 Page 16 Page 17 Page 18 Page 19 Page 20 Page 21 Page 22 Page 23 Page 24 Page 25 Page 26 Page 27 Page 28 Page 29 Page 30 Page 31 Page 32 Page 33 Page 34 Page 35 Page 36 Page 37 Page 38 Page 39 Page 40 Page 41 Page 42 Page 43 Page 44 Page 45 Page 46 Page 47 Page 48 Page 49 Page 50 Page 51 Page 52

www.duanemorris.com

Made with FlippingBook - professional solution for displaying marketing and sales documents online