Duane Morris Privacy Class Action Review – 2024

issued key rulings that will have significant ramifications in this area of the law. In Mayhall, et al. v. Amazon Web Services, Inc., 2023 U.S. Dist. LEXIS 57070 (W.D. Wash. Mar. 31, 2023), the plaintiff filed a class action on behalf of her minor child, D.M., against the defendants, Amazon Web Services and Amazon.com, Inc., alleging violation of the BIPA. The plaintiff alleged that the defendants collected facial feature vectors from these face scans to construct a 3D face geometry of users of particular video games, which is then transmitted to the players’ gaming platforms. The plaintiff contended that the defendants failed to obtain users consent to store the data, and failed to provide any information regarding the data capture or retention. The defendants moved to dismiss the plaintiffs’ claims, and the court denied the motion. As for the plaintiff ’ s allegations under § 15(a) of the BIPA, the court ruled that the plaintiff adequately alleged that the defendants had control over and possessed the biometric data. The court also determined that the plaintiff sufficiently alleged that the defendants took active steps to obtain biometric data in violation of § 15(b). The court stated that the plaintiff provided a reasonable inference that the defendants disseminated biometric data to a third party in violation of § 15(d) and otherwise profited from the information in violation of § 15(c). Accordingly, the court denied the defendants’ motion to dismiss. In Colombo, et al. v. Youtube, LLC, 2023 U.S. Dist. LEXIS 111574 (N.D. Fla. June 28, 2023), the plaintiffs, a group of YouTube users, filed a class action alleging that the defendant violated the BIPA by collecting sensitive biometric identifiers and biometric information through its “Face Blur” and “Thumbnail Generator” video editing tools without first obtaining the necessary informed written consent or providing data retention and destruction policies to consumers. Id. at *2. The defendant filed a motion to dismiss pursuant to Rule 12(b)(6) and the court denied the motion. The defendant ’ s “Face Blur” tool uses facial recognition technology to enable “blur” scanned videos, a process that requires the defendant to capture and store facial scans. Id. at *3. The plaintiff contended that the defendant permanently stored the scans of face geometry and did not disclose that they were collected and stored. The defendant ’ s “Thumbnail Generator” scans and collects facial geometry for each video uploaded and then stores the metadata associated with the videos. Id. The defendant argued that the plaintiff failed to plausibly allege that the data collected from the Face Blur and Thumbnail Generator tools qualified as “biometric identifiers” or “biometric information” within the meaning of the BIPA because the data collected was not used to identify the individuals in the uploaded videos. Id. at *7. The court rejected this argument. It determined that Face Blur and Thumbnail Generator tools capture and store scans of face geometry, which are biometric identifiers as defined in the statute. Additionally, the defendant argued that the plaintiffs’ claims would require an impermissible extraterritorial application of the BIPA and that this interpretation of the statute would run afoul of the dormant commerce clause of the U.S. Constitution. Id. at *9-10. The court also rejected these arguments. It determined that: (i) the plaintiff was an Illinois resident who uploaded multiple videos to YouTube from within Illinois; and (ii) since the conduct arose from an Illinois resident ’ s interactions with YouTube from within his home state it consequently was “deeply rooted in BIPA ’ s native soil of Illinois.” Id. at *11-12. The court concluded that the named plaintiff ’ s claims that the defendant “failed to develop or implement a BIPA- compliant data collection policy,” and “therefore failed to comply with any BIPA-compliant policy in [its] handling of [his] personally identifying information” was plausible to allege that his privacy interests were directly affected by the defendant ’ s conduct. Id. at *13-14. For these reasons, the court denied the defendant ’ s motion to dismiss. In McGoveran, et al. v. Amazon Web Services, 2023 U.S. Dist. LEXIS 53690 (D. Del. Mar. 29, 2023), the plaintiff filed a class action alleging that the defendants, Amazon Web Services and Pindrop Security Inc., violated the BIPA by collecting consumers’ voice data without their consent while processing customer phone calls. The defendants filed a motion to dismiss pursuant to Rule 12(b)(6), and the court granted in part and denied in part the motion. The plaintiffs asserted that the call center utilized Amazon ’ s cloud- based call center service, Amazon Connect, which sent the calls to Amazon servers so that the voice commands could be processed and the caller can be transferred to a live agent. Pindrop is a software developer that offers products on Amazon Connect to help verify callers and offers authentication services for banks and other institutions engaged in financial transactions. The court found that Pindrop was

Made with FlippingBook - professional solution for displaying marketing and sales documents online