New Media and Technology Law Blog

Biometric Suits Continue, Including Recent Action Against IoT Company

By Jeffrey Neuburger on Posted in Biometrics, Privacy

Last December, we noted the continuing robust wave of Illinois biometric privacy suits.  At that time, dozens of suits had been filed in Illinois state court against Illinois-based employers and other businesses alleging violation of Illinois’s Biometric Information Privacy Act (BIPA), which generally regulates the collection, retention, and disclosure of personal biometric identifiers and biometric information, and encourages businesses that collect such personal data to employ reasonable safeguards.  More and more BIPA actions against employers and businesses based upon alleged violations of the notice and consent provisions of the statute continue to be filed, even as the Illinois Supreme Court considers the appeal of the Rosenbach decision.  In that case, the Illinois Supreme Court will presumably answer the question of whether a person “aggrieved” by a violation of BIPA must allege some injury or harm beyond a procedural violation.  The ruling will certainly have an effect on the pending lawsuits alleging mere procedural BIPA violations.

Beyond the myriad of BIPA-related lawsuits against employers that used biometric timekeeping devices to track employees clocking in and out, and the suits against social media companies for photo tagging or similar functions, some recent lawsuits have been filed against companies that use biometrics as part of their core products and services.

One example is a recent case which addresses BIPA in connection with IoT-enabled devices.  In Komorski v. U-Tec Group Inc., No. 2018-CH-11884 (Ill. Cir. Ct., Cook Cty filed Sept. 20, 2018), the plaintiff brought suit against U-Tec Group Inc., a company that manufactures biometric-enabled “keyless” door locks, alleging that U-Tec’s technology required users to upload, store and transmit their fingerprints to open the smart door locks without U-Tec first obtaining the proper notice and consent and without informing users of U-Tec’s data retention policy.  Moreover, the plaintiff also claimed that U-Tec did not obtain consent to transmit plaintiff’s biometrics to third party data storage and equipment vendors.

Also, in a pair of similar complaints filed this past summer, BIPA allegation were asserted against companies using biometrics to verify the identity of their customers. In Glynn v. eDriving LLC, No. 2018-CH-7116 (Ill. Cir. Ct., Cook Cty filed June 5, 2018) (subsequently removed to the Northern District of Illinois, No. 18-cv-04645)), the plaintiffs’ alleged that an online driving education provider’s capture and storage of student voiceprints was in violation of BIPA’s notice and disclosure requirements. In Viot v. Prometric LLC, No. 2018-CH-08512 (Ill. Cir. Ct., Cook Cty filed July 9, 2018, an educational testing company was alleged to have violated BIPA when it used biometric devices to collect fingerprints to authenticate the identity of test takers to prevent cheating and impersonation.

Some clarification of the legal landscape in this area may arrive, but it may take time. While the Illinois legislature introduced a bill back in February that, among other things, would have placed limits on BIPA suits against employers for biometric collection for HR and security purposes, legislators subsequently proposed several amendments that would have significantly narrowed BIPA’s reach in other ways, prompting the bill to be re-referred back to the Senate Assignment Committee (where it has languished since April).  We will also have to wait for the Illinois Supreme Court’s decision in Rosenbach to interpret questions surrounding statutory standing under BIPA (though, even a pro-defendant ruling affirming the appellate court may not be a cure-all for the wave of suits, as we discuss in a companion blog post). Regardless, to the extent a business activity involves the collection and use of biometric information, it is prudent to understand the requirements of BIPA as well as other state or federal laws that may be relevant.

Tags: biometric privacy, BIPA, consumer products, IoT

Illinois Appellate Court Reinstates Biometric Privacy Action, Finding Potential Harm in Alleged Disclosure of Fingerprint to Outside Vendor

By Jeffrey Neuburger on Posted in Biometrics, Privacy

Late last month, an Illinois appellate court reversed a lower court’s dismissal of biometric privacy claims against a tanning salon franchisee that had collected the plaintiff’s fingerprint to allow entry in its own salon and any L.A. Tan salon location nationwide.  (Sekura v. Krishna Schaumburg Tan, Inc., 2018 IL App (1st) 180175 (Ill. App. Sept. 28, 2018)).  The plaintiff alleged that the tanning salon violated the Biometric Information Privacy Act (BIPA), which regulates the collection, retention, and disclosure of personal biometric identifiers and biometric information, by collecting her fingerprints without obtaining the required written release and providing the required disclosure concerning its retention policy, and further by disclosing her fingerprints to a third-party vendor. [Note: In 2016, in a separate suit, the same plaintiff settled BIPA claims with L.A. Tan Enterprises, Inc., operator (directly and through franchisees) of L.A. Tan tanning salons].

In allowing the suit to go forward, the appellate court held that a litigant may sue for a violation of BIPA without proving additional harm.  BIPA expressly provides that “any person aggrieved by a violation” of the statute may pursue money damages and injunctive relief against the offending party.  Notably, the Sekura court distinguished the Rosenbach decision – the only Illinois state appellate panel to rule on the “aggrieved” party issue under BIPA, and which held that a person “aggrieved” by a violation of the Act must allege an injury or harm in addition to the violation of the Act. In Sekura, the court held that even it were to follow its sister court’s decision in Rosenbach, the plaintiff’s allegations that the tanning salon disclosed her fingerprint to a third-party vendor constituted harm enough to make plaintiff an “aggrieved” party.

“To be clear, we find that the statutory violations to plaintiff’s privacy constituted harm even without disclosure, but the disclosure in the case at bar makes it distinguishable from Rosenbach.”

Interestingly, the Sekura court also stated that the plaintiff’s allegations of mental anguish over what would happen to her biometric data if the tanning salon went bankrupt also constituted an injury or adverse effect.

The outcome of Sekura is in line with the Dixon case from this summer, where an Illinois federal court followed Rosenbach yet still declined to dismiss a BIPA suit brought by a former employee who asserted BIPA and negligence claims against a senior living center, among others, over the scanning of her fingerprints onto an employee biometric timekeeping device and the alleged disclosure of the data to an out-of-state vendor.  The Dixon court noted that the allegation that the defendant disclosed plaintiff’s fingerprint data to its third-party vendor without informing her distinguished this case from others in which alleged violations of BIPA were determined insufficiently concrete.

Looking ahead, it remains to be seen how courts will interpret the meaning of “aggrieved” under BIPA (and how such interpretation will affect class certification issues).  Regardless, we will likely see more plaintiffs’ lawyers drafting complaints, where factually appropriate, to allege third-party disclosure of biometric data and mental anguish claims to overcome standing and statutory challenges.  Some clarity will presumably arrive soon, as this past May the Illinois Supreme Court accepted the appeal of the Rosenbach decision where the high court will answer the question of whether a person “aggrieved” by a violation of BIPA must allege some injury or harm beyond a procedural violation (Note: the appeal is fully briefed, including numerous amicus briefs submitted in support of both parties; oral argument has not been scheduled).

Still, even if the Illinois Supreme Court returns a business-friendly ruling that an aggrieved party must show a harm beyond a procedural violation of BIPA, we will likely be left with a dichotomy of sorts – what we might call Rosenbach claims and Rosenbach+ claims.  The current appeal will likely resolve issues of pure procedural violations (Rosenbach claims), where plaintiffs are generally on notice about the collection and use of biometric data but do not allege any purported harms beyond violations of statutory rights under BIPA, but may not answer exactly what is a concrete harm under the statute.  Indeed, as we’ve seen in the Sekura decision, litigants have adapted since the decision and have managed, in several instances, to survive dismissal motions by asserting that employers or companies not only failed to follow BIPA’s procedural notice and consent requirements but also disclosed biometric data to outside vendors for processing without consent (Rosenbach+ claims).  It is the latter harm (and now perhaps even claims of mental anguish as well) where courts may distinguish Rosenbach to allow BIPA suits to survive dismissal.  Ultimately, perhaps the Sekura decision will be appealed and joined with the Rosenbach appeal, but we will have to wait and see.

We will continue to monitor these emerging developments in biometric privacy litigation, including the important biometric privacy litigation still ongoing in California.

Tags: aggrieved person, biometric privacy, BIPA, fingerprints, standing

Common Software Licensing Language at Issue in IP Dispute

By Jeffrey Neuburger on Posted in Contracts, Licensing, Software

Licensors of software typically utilize software license agreements providing for their ownership of the licensed software and related IP, as well as restrictions barring licensees from reverse engineering the code at issue.  The scope of protection, of course, depends on the final language of the licensing agreement and disputes can arise when licensees decide to develop similar software in-house, or with a third party.  Indeed, a recent case, Ford Motor Co. v. Versata Software Inc., No. 15-10628 (E.D. Mich. Sept. 7, 2018), tackled some of these issues.  Continue Reading

Tags: IP claims, reverse engineering, software licensing dispute, trade secrets

Site Cannot Compel Arbitration Based upon Later-Amended Terms without Showing Adequate User Notification of Change

By Jeffrey Neuburger on Posted in Contracts, Online Commerce

A D.C. district court ruled that an eBay user did not assent to a later-added arbitration clause to the user agreement by virtue of a provision that stated eBay could amend the agreement at any time, as the user may not have received sufficient notice of the amendment. (Daniel v. eBay, Inc., No. 15-1294 (D.D.C. July 26, 2018)). Notably, the court declined to find adequate notice sufficient to demonstrate an agreement to arbitrate merely based on the fact that the amended user agreements were posted on eBay’s website (at least under Utah, Louisiana or Texas law). This case is interesting as many websites and services have added mandatory arbitration clauses to their terms in recent years, yet may have a stable of legacy users that agreed to a prior set of terms that did not contain such a provision. Continue Reading

Tags: amendment, arbitration clause, later-amended terms, user agreement

In a Divided Opinion, California Supreme Court Squashes End Run around CDA Immunity That Sought to Compel a Non-Party Online Platform to Remove Defamatory Content

By Jeffrey Neuburger on Posted in Defamation, Internet, Online Content, Social Media

In a closely-followed dispute, the California Supreme Court vacated a lower court order, based upon a default judgment in a defamation action, which had directed Yelp, Inc. (“Yelp”), a non-party to the original suit, to take down certain consumer reviews posted on its site. (Hassell v. Bird, No. S235968, 2018 WL 3213933 (Cal. July 2, 2018)).  If the plaintiffs had included Yelp as a defendant in the original suit, such a suit would have likely been barred by Section 230 of the Communications Decency Act (“CDA” or “CDA Section 230”); instead, the plaintiffs adopted a litigation strategy to bypass such legal immunities.  In refusing to allow plaintiff’s “creative pleading” to avoid the CDA, the outcome was a win for online companies and platforms that host user-generated content (“A Case for the Internet,” declared Yelp). Continue Reading

Tags: CDA immunity, CDA Section 230, non-party online platform, online defamation, removal order

Illinois Biometric Privacy Suit over Employee Fingerprinting Remanded for Lack of Standing

By Jeffrey Neuburger on Posted in Biometrics, Privacy

An Illinois district court remanded to state court for lack of standing a biometric privacy suit brought by employees over the collection and storage of individuals’ fingerprints allegedly in violation of the Illinois Biometric Information Privacy Act, 740 ILCS 14/1 (“BIPA”). (Aguilar v. Rexnord, LLC, No. 17 CV 9019 (N.D. Ill. July 3, 2018)).  This decision echoes other recent rulings where federal courts have found a lack of Article III standing in disputes where employees claimed procedural violations of BIPA over the knowing collection of fingerprints for timekeeping purposes, absent any claims of wrongful sharing or disclosure.  See e.g., Howe v. Speedway LLC, No. 17-07303 (N.D. Ill. May 31, 2018) (even if failing to provide certain disclosures and obtain his written authorization prior to collecting and storing plaintiff’s fingerprints may constitute a violation of BIPA, such procedural violations did not cause an injury in fact where the employee was aware of the nature and purpose of collection); Goings v. UGN, Inc., No. 17-9340 (N.D. Ill. June 13, 2018) (remanding BIPA claims for lack of Article III standing because claims were too abstract and employee was aware he was providing fingerprint data to his employers and did not claim any non-consensual disclosure of such data).  Continue Reading

Tags: biometric privacy, BIPA, employee biometric privacy, fringerprints, standing

CFAA and Breach of Contract Claims Dismissed in Website Data Scraping Suit

By Jeffrey Neuburger on Posted in Computer Fraud and Abuse Act, Contracts, Online Content, Screen Scraping

This past week, an Illinois district court dismissed, with leave to amend, claims relating to a competitor’s alleged scraping of sales listings from a company’s website for use on its own site. (Alan Ross Machinery Corp. v. Machinio Corp., No. 17-3569 (N.D. Ill. July 9, 2018)).

The court dismissed a federal Computer Fraud and Abuse Act (CFAA) claim that the defendant accessed the plaintiff’s servers “without authorization,” finding that the plaintiff failed to plead with specificity any damage or loss related to the scraping and did not allege that the unlawful access resulted in monetary damages of $5,000 or more as required to maintain a civil action under the CFAA.  In the court’s view, the “mere copying of electronic information from a computer system is not enough to satisfy the CFAA’s damage requirement.”  The court also dismissed plaintiff’s breach of contract claims, concluding that defendant did not have notice of the plaintiff’s website terms and conditions based upon an unenforceable browsewrap agreement. Continue Reading

Tags: CFAA civil liability, sales listings, screen scraping, terms of service violation, web scraping

Illinois Biometric Privacy Suit Survives Dismissal Based on Harm from Alleged Disclosure of Data to Outside Vendor

By Jeffrey Neuburger on Posted in Biometrics, Privacy

Last December, an Illinois appellate court, in the Rosenbach v. Six Flags decision (2017 IL App (2d) 170317 (Dec. 21, 2017)), dismissed biometric privacy claims lodged against theme park operators for collecting fingerprints to authenticate season-pass holders allegedly in violation of the notice and consent provisions of Illinois’s Biometric Information Privacy Act (BIPA), which regulates the collection, retention, and disclosure of personal biometric identifiers and biometric information.  BIPA expressly provides that “any person aggrieved by a violation” of the BIPA may pursue money damages and injunctive relief against the offending party.  In interpreting what “aggrieved” means under BIPA, the Rosenbach court ruled that a “person aggrieved by a violation of [the] Act” must allege some harm (“[A] plaintiff who alleges only a technical violation of the statute without alleging some injury or adverse effect is not an aggrieved person under…the Act”).  While federal courts have weighed in on whether litigants have Article III standing when asserting mere procedural violations of BIPA’s consent and data retention requirements, it was not clear if such procedural violations, without any showing of harm or data misuse, were actionable under the statute.  Rosenbach was the first time an Illinois appellate court weighed in on the meaning of an “aggrieved” party under BIPA.

Following Rosenbach, we speculated whether the decision would curb the wave of BIPA class actions asserting procedural violations filed against employers and businesses that used biometrics to authenticate employees or customers; the answer to that question remains in flux, with subsequent rulings falling both ways.  For example, at least two Illinois trial courts followed Rosenbach in dismissing BIPA claims, though without intensive analysis of the issue. See: Rottner v. Palm Beach Tan, Inc., No. 15-CH-16695 (Ill. Cir. Ct. Mar. 2, 2018) (bound by Rosenbach‘s holding that neither liquidated damages nor injunctive relief is authorized under BIPA when the only injury alleged is a statutory violation; court stated that plaintiff allowed defendants to scan her fingerprint and there had been no publication of plaintiffs private information to sustain injury to a privacy right); Sekura v. Krishna Schaumburg Tan, Inc., No. 16-CH-04945 (Ill. Cir. Ct. Jan. 16, 2018) (brief order dismissing claims “[f]or the reasons outlined in Rosenbach”) (on appeal).

However, the recent California district court ruling in the Facebook biometric privacy litigation parted company with a reading of Rosenbach that would require a litigant to show an “actual” injury beyond the invasion of privacy rights outlined under BIPA and instead ruled that the plaintiffs had “sufficiently alleged” an intangible injury to a privacy right to be “aggrieved” under BIPA. It should be noted that the California court did look differently at Rosenbach and other cases involving voluntary fingerprinting where individuals knew that their biometric data would be collected before they accepted services as opposed to the social media photo tagging situation where such plaintiffs allege that they were not put on adequate notice that biometric data could be collected from uploaded photos.

This past month, in a notable ruling, an Illinois district court followed Rosenbach yet still declined to dismiss a suit brought by a former employee who asserted BIPA and negligence claims, among others, against a senior living center (“Defendant” or “Smith”) and its time clock vendor over the scanning of her fingerprints onto an employee biometric timekeeping device. (Dixon v. The Washington and Jane Smith Community – Beverly, No. 17-8033 (N.D. Ill. May 31, 2018)).  Specifically, the complaint alleged that Smith required new employees to have their fingerprints scanned by the defendant Kronos’s fingerprint scanner and entered into a database so employees could be authenticated when clocking in and out.  According to the plaintiff, Smith, among other things, failed to give adequate notice or obtain written consent before colleting her fingerprints, or post a biometric data retention policy.  Moreover – and really the allegation that pushed the complaint over the line – plaintiff claimed that, in addition to collecting and storing her biometric information, Smith also “systematically disclosed” that information to Kronos, the out-of-state, third-party vendor of Smith’s biometric time clocks, without informing her that it was doing so. Continue Reading

Tags: aggrieved person, biometric privacy, BIPA, employee biometric privacy, fingerprints

Court Denies TRO against Data Scraper That Accessed Private Database via Registered Accounts

By Jeffrey Neuburger on Posted in Computer Fraud and Abuse Act, Screen Scraping

This past week, a Texas district court denied a bid from a web service for a temporary restraining order (TRO) to enjoin a competitor that allegedly scraped a large amount of proprietary data from its closed site via several user accounts. (BidPrime, LLC v. SmartProcure, Inc., No. 18-478 (W.D. Tex. June 18, 2018)). While tempting to draw a general legal conclusion about the permissibility of scraping from this decision, the decision was in fact based on the judgement of the court that scraping was unlikely to continue during the pendency of the litigation.

Nonetheless, the dispute highlights the host of legal issues that can arise when an entity accesses a website or database to scrape data for competitive or other reasons using user credentials or fake accounts or proxies to mask its true identity. For example, the plaintiff BidPrime, LCC (“BidPrime”) sought injunctive relief based upon claims under the federal Computer Fraud and Abuse Act (CFAA) and state law counterpart, state trade secret law, and breach of contract, among others. Whether such claims are viable are of course dependent on the specific facts and circumstances of the dispute, the restrictions contained in the website terms of use, what countermeasures and demands the website owner made to the web scraper to prevent unwanted access, and the state of the current interpretation of applicable law. This decision did not analyze these factors beyond concluding that ongoing scraping was unlikely. Continue Reading

Tags: CFAA, data scraping, private website, screen scraping, software

New York State Court Declines to Compel Arbitration, Cites Purported Ambiguities in Mobile Contracting Process

By Jeffrey Neuburger on Posted in Contracts, Mobile

Courts are increasingly taking a magnifying glass to electronic contracting processes, particularly how the presentation of the terms of service and call to action are displayed.  As such, companies might take a second look at their own user registration and e-commerce purchase processes to ensure they offer reasonably conspicuous notice of the existence of contract terms and obtain manifestation of assent by the user to those terms.  Courts will generally enforce clickwrap style agreements as long as the layout and language of the site or mobile app give the user reasonable notice that a click will manifest assent to an agreement.  Last year, the Second Circuit, in the notable Meyer opinion, blessed Uber’s mobile contracting process, but in considering a similar Uber platform, a New York state court late last month declined to compel the arbitration of user claims due to what the court considered an “ambiguous registration process.”  (Ramos v. Uber Technologies, Inc., 2018 NY Slip Op 28162 (N.Y. Sup. Ct. Kings Cty. May 31, 2018)).  Such conflicting rulings highlight the importance of web design in determining if a service’s terms are deemed enforceable. Continue Reading

Tags: arbitration, clickwrap agreement, mobile contracting, mobile user interface
LexBlog