New Media and Technology Law Blog

Illinois Biometric Privacy Suit Survives Dismissal Based on Harm from Alleged Disclosure of Data to Outside Vendor

Last December, an Illinois appellate court, in the Rosenbach v. Six Flags decision (2017 IL App (2d) 170317 (Dec. 21, 2017)), dismissed biometric privacy claims lodged against theme park operators for collecting fingerprints to authenticate season-pass holders allegedly in violation of the notice and consent provisions of Illinois’s Biometric Information Privacy Act (BIPA), which regulates the collection, retention, and disclosure of personal biometric identifiers and biometric information.  BIPA expressly provides that “any person aggrieved by a violation” of the BIPA may pursue money damages and injunctive relief against the offending party.  In interpreting what “aggrieved” means under BIPA, the Rosenbach court ruled that a “person aggrieved by a violation of [the] Act” must allege some harm (“[A] plaintiff who alleges only a technical violation of the statute without alleging some injury or adverse effect is not an aggrieved person under…the Act”).  While federal courts have weighed in on whether litigants have Article III standing when asserting mere procedural violations of BIPA’s consent and data retention requirements, it was not clear if such procedural violations, without any showing of harm or data misuse, were actionable under the statute.  Rosenbach was the first time an Illinois appellate court weighed in on the meaning of an “aggrieved” party under BIPA.

Following Rosenbach, we speculated whether the decision would curb the wave of BIPA class actions asserting procedural violations filed against employers and businesses that used biometrics to authenticate employees or customers; the answer to that question remains in flux, with subsequent rulings falling both ways.  For example, at least two Illinois trial courts followed Rosenbach in dismissing BIPA claims, though without intensive analysis of the issue. See: Rottner v. Palm Beach Tan, Inc., No. 15-CH-16695 (Ill. Cir. Ct. Mar. 2, 2018) (bound by Rosenbach‘s holding that neither liquidated damages nor injunctive relief is authorized under BIPA when the only injury alleged is a statutory violation; court stated that plaintiff allowed defendants to scan her fingerprint and there had been no publication of plaintiffs private information to sustain injury to a privacy right); Sekura v. Krishna Schaumburg Tan, Inc., No. 16-CH-04945 (Ill. Cir. Ct. Jan. 16, 2018) (brief order dismissing claims “[f]or the reasons outlined in Rosenbach”) (on appeal).

However, the recent California district court ruling in the Facebook biometric privacy litigation parted company with a reading of Rosenbach that would require a litigant to show an “actual” injury beyond the invasion of privacy rights outlined under BIPA and instead ruled that the plaintiffs had “sufficiently alleged” an intangible injury to a privacy right to be “aggrieved” under BIPA. It should be noted that the California court did look differently at Rosenbach and other cases involving voluntary fingerprinting where individuals knew that their biometric data would be collected before they accepted services as opposed to the social media photo tagging situation where such plaintiffs allege that they were not put on adequate notice that biometric data could be collected from uploaded photos.

This past month, in a notable ruling, an Illinois appellate court followed Rosenbach yet still declined to dismiss a suit brought by a former employee who asserted BIPA and negligence claims, among others, against a senior living center (“Defendant” or “Smith”) and its time clock vendor over the scanning of her fingerprints onto an employee biometric timekeeping device. (Dixon v. The Washington and Jane Smith Community – Beverly, No. 17-8033 (N.D. Ill. May 31, 2018)).  Specifically, the complaint alleged that Smith required new employees to have their fingerprints scanned by the defendant Kronos’s fingerprint scanner and entered into a database so employees could be authenticated when clocking in and out.  According to the plaintiff, Smith, among other things, failed to give adequate notice or obtain written consent before colleting her fingerprints, or post a biometric data retention policy.  Moreover – and really the allegation that pushed the complaint over the line – plaintiff claimed that, in addition to collecting and storing her biometric information, Smith also “systematically disclosed” that information to Kronos, the out-of-state, third-party vendor of Smith’s biometric time clocks, without informing her that it was doing so. Continue Reading

Court Denies TRO against Data Scraper That Accessed Private Database via Registered Accounts

This past week, a Texas district court denied a bid from a web service for a temporary restraining order (TRO) to enjoin a competitor that allegedly scraped a large amount of proprietary data from its closed site via several user accounts. (BidPrime, LLC v. SmartProcure, Inc., No. 18-478 (W.D. Tex. June 18, 2018)). While tempting to draw a general legal conclusion about the permissibility of scraping from this decision, the decision was in fact based on the judgement of the court that scraping was unlikely to continue during the pendency of the litigation.

Nonetheless, the dispute highlights the host of legal issues that can arise when an entity accesses a website or database to scrape data for competitive or other reasons using user credentials or fake accounts or proxies to mask its true identity. For example, the plaintiff BidPrime, LCC (“BidPrime”) sought injunctive relief based upon claims under the federal Computer Fraud and Abuse Act (CFAA) and state law counterpart, state trade secret law, and breach of contract, among others. Whether such claims are viable are of course dependent on the specific facts and circumstances of the dispute, the restrictions contained in the website terms of use, what countermeasures and demands the website owner made to the web scraper to prevent unwanted access, and the state of the current interpretation of applicable law. This decision did not analyze these factors beyond concluding that ongoing scraping was unlikely. Continue Reading

New York State Court Declines to Compel Arbitration, Cites Purported Ambiguities in Mobile Contracting Process

Courts are increasingly taking a magnifying glass to electronic contracting processes, particularly how the presentation of the terms of service and call to action are displayed.  As such, companies might take a second look at their own user registration and e-commerce purchase processes to ensure they offer reasonably conspicuous notice of the existence of contract terms and obtain manifestation of assent by the user to those terms.  Courts will generally enforce clickwrap style agreements as long as the layout and language of the site or mobile app give the user reasonable notice that a click will manifest assent to an agreement.  Last year, the Second Circuit, in the notable Meyer opinion, blessed Uber’s mobile contracting process, but in considering a similar Uber platform, a New York state court late last month declined to compel the arbitration of user claims due to what the court considered an “ambiguous registration process.”  (Ramos v. Uber Technologies, Inc., 2018 NY Slip Op 28162 (N.Y. Sup. Ct. Kings Cty. May 31, 2018)).  Such conflicting rulings highlight the importance of web design in determining if a service’s terms are deemed enforceable. Continue Reading

A Busy Month in the Facebook Photo Tagging Biometric Privacy Dispute

As discussed in past posts about the long-running Facebook biometric privacy class action, users are challenging Facebook’s “Tag Suggestions” program, which scans for and identifies people in uploaded photographs for photo tagging. The class alleges that Facebook collected and stored their biometric data without prior notice or consent in violation of the Illinois Biometric Information Privacy Act (BIPA), 740 Ill. Comp. Stat. 14/1 et seq.  While other technology companies face BIPA actions over photo tagging functions, In Re Facebook is the headliner of sorts for BIPA litigation, being the most closely-watched and fully-litigated.

There have been a host of new developments in this case as the parties continued to joust when the prospect of a trial was looming.  Earlier this month, a California district court denied both parties’ motions for summary judgment and found that a “multitude of factual disputes” barred judgment as a matter of law for either side.   (In re Facebook Biometric Information Privacy Litig., No. 15-03747 (N.D. Cal. May 14, 2018)).  The court’s prior orders over the past several years provide the context for the denial of summary judgment and the court’s refusal to revisit procedural rulings. See: In re Facebook Biometric Info. Privacy Litig., 185 F. Supp. 3d 1155 (N.D. Cal. 2016) (declining to enforce California choice of law provision in user agreement and applying Illinois law and refusing to find that the text of BIPA excludes from its scope all information involving photographs); Patel v. Facebook Inc., 290 F. Supp. 3d 948 (N.D. Cal. 2018) (declining to dismiss based on lack of Article III standing); In re Facebook Biometric Info. Privacy Litig., No. 15-03747, 2018 WL 1794295 (N.D. Cal. Apr. 16, 2018) (certifying Illinois user class and refusing Facebook’s renewed arguments to dismiss on procedural grounds).  Continue Reading

Unanticipated Mobile Data Leaks Remain an Ongoing Issue

There has been a lot of attention in the media lately with respect to the Facebook/Cambridge Analytica issue and its fall-out (including today’s coverage of the announcement that Facebook suspended almost 200 apps pending a more complete investigation in whether any user data was misused). As part of that discussion, Apple’s CEO Tim Cook has been one of many voices criticizing Facebook’s practices.  It is interesting then to note then that Apple is quietly beginning to enforce long-standing and long-ignored rules in the Apple iOS developer’s agreement and App Store Review Guidelines that, except for two limited exceptions, precluded an app publisher from sharing information collected from users on their phones with third parties. According to a recent article in 9to5mac.com, Apple is now removing those apps from the app store that are sharing data in violation of these restrictions.

It will be interesting to see how this all plays out and whether this development captures the media’s attention the way the Facebook episode did.  This latest episode highlights that instances of consumer data accessed by third parties in the mobile context is an issue that may be broader than first thought.

Researchers May Challenge the Constitutionality of the CFAA “Access” Provision as Applied to Web Scraping

Such Scraping “Plausibly Falls within the Ambit of the First Amendment”

The Ninth Circuit is currently considering the appeal of the landmark hiQ decision, where a lower court had granted an injunction that limited the applicability of the federal Computer Fraud and Abuse Act (CFAA) to the blocking of an entity engaging in commercial data scraping of a public website.  While we wait for that decision, there has been another fascinating development regarding scraping, this time involving a challenge to the CFAA brought by academic researchers.  In Sandvig v. Sessions, No. 16-1368 (D.D.C. Mar. 30, 2018), a group of professors and a media organization, which are conducting research into whether the use of algorithms by various housing and employment websites to automate decisions produces discriminatory effects, brought a constitutional challenge alleging that the potential threat of criminal prosecution under the CFAA for accessing a website “without authorization” (based upon the researchers’ data scraping done in violation of the site’s terms of use) violates their First Amendment rights.

In a preliminary decision, a district court held that the plaintiffs have standing and allowed their as-applied constitutional challenge to the CFAA to go forward with regard to the activity of creating fictitious accounts on web services for research purposes.  The decision contains vivid language on the nature of the public internet as well as how the plaintiffs’ automated collection and use of publicly available web data would not violate the CFAA’s “access” provision even if a website’s terms of service prohibits such automated access (at least with respect to the facts of this case, which involves academic or journalistic research as opposed to commercial or competitive activities). Continue Reading

Illinois Considering Amendments to Biometric Privacy Law (BIPA) That Would Create Major Exemptions to Its Scope

We have written before about the issues presented by the Illinois Biometric Information Privacy Act, 740 Ill. Comp Stat. 14/1 (“BIPA”).  BIPA is still the only state biometric privacy statute with a private right of action. It has garnered national attention and become the epicenter of biometrics-based litigation, with dozens of cases pending alleging violations of the statute (defendants include employers of all types, social media platforms, service providers, and many other businesses that interact with Illinois residents).  Just as the privacy concerns surrounding the collection and storage of biometric data have come into sharper focus with more and more companies employing such technologies for digital authentication, security and other uses, the litigation surrounding BIPA has garnered much controversy and the legislature has previously been called upon to amend the statute to limit its reach.  The Illinois legislature is now considering a bill (SB3053) that would fundamentally alter the privacy protections under BIPA Continue Reading

FOSTA Signed into Law, Amends CDA Section 230 to Allow Enforcement against Online Providers for Knowingly Facilitating Sex Trafficking

Today, the President signed H.R. 1865, the “Allow States and Victims to Fight Online Sex Trafficking Act of 2017” (commonly known as “FOSTA”).  The law is intended to limit the immunity provided under Section 230 of the Communications Decency Act (“CDA Section 230”) for online services that knowingly host third-party content that promotes or facilitates sex trafficking. As drafted, the law has retroactive effect and applies even with respect to activities occurring prior to its enactment. Continue Reading

Facebook Granted Dismissal of Biometric Privacy Claims Brought by “Non-Users”

This week, the District Court for the Northern District of California dismissed the Gullen putative class action asserting Illinois biometric privacy claims brought by “non-users” based on evidence that the social media site did not use its facial recognition technology on business or organizational accounts (as opposed to personal social media pages).  (Gullen v. Facebook, Inc., No. 16-00937 (N.D. Cal. Apr. 3, 2018)).  This ruling on the merits follows a decision last month where the court refused to dismiss the action due to lack of standing.  In Gullen, the plaintiff alleged that Facebook violated the Illinois Biometric Information Privacy Act (BIPA), 740 Ill. Comp. Stat. 14/1 et seq. (“BIPA”), by collecting his biometric identifiers without notice or consent via Tag Suggestions, its facial recognition-based system of photo tagging.  The plaintiff’s claim was based upon a single photograph uploaded to an organizational page.  A declaration by a software engineer for the defendant confirmed that not all photos uploaded to Facebook undergo facial recognition and that plaintiff’s photo was not scanned, and since plaintiff failed to rebut such evidence, the court granted summary judgment in the site’s favor.

While the Gullen action was dismissed on factual grounds, the companion In re Facebook Biometric Privacy Litig. action involving Facebook users remains ongoing and raises important legal issues surrounding BIPA, including the scope of the statute as it relates to uploaded photographs and the sufficiency of Facebook’s notice and consent procedures, as well as constitutional issues regarding the extraterritorial reach of BIPA to activities and cloud-based transactions that allegedly occurred outside of Illinois.

Federal Circuit Again Reverses California Court in Oracle-Google Copyright Dispute over Java APIs – Releases a Major Ruling on Fair Use in the Software Context

In this long-running dispute that has been previously dubbed “The World Series of IP cases” by the presiding judge, Oracle America Inc. (“Oracle”) accuses Google Inc. (“Google”) of unauthorized use of some of its Java-related copyrights in Google’s Android software platform. Specifically, Oracle alleges that Google infringed the declaring code of certain Java API packages for use in Android, including copying the elaborate taxonomy covering 37 packages that involves multiple classes and methods.  Google had declined to obtain a license from Oracle to use the Java APIs in its platform or license the same under an open source GPL license; instead it copied the declaring code from the 37 Java API packages (over 11,000 lines of code), but wrote its own implementing code.  Google designed it this way, believing that Java application programmers would want to find the same 37 sets of functionalities in the new Android system callable by the same names as used in Java. Continue Reading

LexBlog