New Media and Technology Law Blog

Google App Disables Art-Selfie Biometric Comparison Tool in Illinois and Texas

We have been closely following the legal and legislative developments relating to biometric privacy, and in particular, the flow of litigation under the Illinois biometrics privacy law.   It was interesting to see how the Illinois law (as well as a similar Texas law) influenced Google’s  offering of a new facial recognition feature on the Google Arts & Culture app. (It is also interesting to note that the media coverage of the app has made the Illinois and Texas laws subjects of mainstream discourse.)

The Google Arts & Culture app, which was originally released a couple years ago, offers users virtual tours of museums and a searchable database of other art-related content.  What recently made it one of the hottest free apps is a new entertaining tool that compares a selfie to a database of great works of art and presents the results that most closely match the user’s face.  [Note: My classical art doppelgänger is “Portrait of a Gentleman in Red” by Rosalba Carriera. What’s yours?].  However, out of an apparent abundance of caution, Google has disabled this art-twinning function in Illinois and Texas, presumably because those states have biometric privacy laws that regulate the collection and use of biometric identifiers like facial templates; while the Texas statute can only be enforced by the state attorney general, Illinois’s Biometric Information Privacy Act (BIPA) contains a private right of action and remedies that include statutory damages. Interestingly, Washington users are able to access this tool, despite Washington having enacted its own biometric privacy law last year.  Perhaps that is because, as described in the referenced blog post, compliance under the Washington statute is less demanding than under the Illinois or Texas statutes. Continue Reading

Litigants Alleging Procedural Violations of Illinois Biometric Privacy Statute (BIPA) Are Not “Aggrieved” Parties That May Seek Legal Remedies

As 2017 drew to an end, we noted the continuing flood of Illinois biometric privacy suits filed over the past year.  There are literally dozens of cases pending, most in Illinois state courts, alleging violation of Illinois’s Biometric Information Privacy Act (BIPA), which regulates the collection, retention, and disclosure of personal biometric identifiers and biometric information.  The suits initially targeted the use of biometrics on social media platforms, but, perhaps reflecting the increased use of biometrics in the workplace, have increasingly been asserted against businesses that collect biometric data to authenticate customers or employees.

While federal courts have weighed in on whether litigants have standing for asserting procedural violations of BIPA, it was not clear if mere procedural violations of BIPA’s consent and data retention requirements, without any showing of actual harm or data misuse, were actionable under the statute (i.e., whether persons pleading procedural violations are “aggrieved” under the statute, as BIPA expressly provides that “any person aggrieved by a violation” of the BIPA may pursue money damages and injunctive relief against the offending party).

As the year came to a close, an Illinois appellate court may have cooled the New Year’s Eve celebrations of BIPA class action lawyers a bit, as the court issued a decision which could provide defendants with a shield against BIPA suits.  The court ruled that if a party alleges only a technical violation of BIPA without alleging any injury or adverse effect, then such a party is not “aggrieved” under the Act and may not seek remedies (i.e., monetary damages or injunctive relief).  (Rosenbach v. Six Flags Entertainment Corp., No. 2-17-0317, 2017 IL App (2d) 170317 (Ill. App. Dec. 21, 2017)). Continue Reading

Reflections on Technology-Related Legal Issues: Looking Back at 2017; Will 2018 Be a Quantum Leap Forward?

As we approach the end of 2017, it is a time to reflect on the dizzying pace of technology evolution this year, and the amazing array of legal issues it presented. Similarly, it is a time to look forward and anticipate what technology-related issues we will be thinking about in the coming year.

For 2017, the list is long and varied.

This year, the true potential of blockchain was recognized by many in the commercial sector. While recent blockchain-related headlines have focused on the rise (and regulation) of cryptocurrencies, a great deal of the blockchain action has been in back office applications in financial services, supply chain and other areas.  Industry wide consortia have been formed, trials and proof of concepts have been run, and, as evidenced by the recent announcement by the Australian Stock Exchange to replace its clearing and settlement system with a blockchain based system, we are moving into full production implementations of blockchain systems.

Cybersecurity garnered major attention in 2017. Unfortunately, data breaches continued to be a constant headline item, as were related class action litigation. As a result, cybersecurity was a “top of the agenda” item for state and federal agencies, state legislatures, regulators, corporate boards, GCs and plaintiffs’ lawyers.

As a related matter, privacy issues were also front and center this year. In particular,  we saw increased activity in some of the cutting edge areas of privacy law, including biometrics-related litigation (particularly under the Illinois Biometric Information Privacy Act (known as BIPA)), video streaming privacy (particularly under the Video Privacy Protection Act, or the VPPA)) and mobile-related privacy issues.

There are many other issues that occupied our minds this year, including artificial intelligence, virtual and augmented reality, online copyright liability (including application of the DMCA in online contexts), and publisher/distributor liability for third party content online (under Section 230 of the Communications Decency Act).  Additionally, parties involved in agreements of all types have been increasingly focused on technology-related legal risk, and were more intent on addressing and shifting technology-related risks with very specific contractual provisions. Continue Reading

Proskauer Launches “Blockchain and The Law” Blog

I am pleased to announce that Proskauer has recently launched a new blog focused exclusively on the use of blockchain in business. The blog will be wide ranging in nature, covering the legal issues associated with blockchain as applied to financial services, health care, real estate, supply chain management, media and entertainment, advertising, content delivery, e-commerce and many other areas. We will also cover legal developments in the cryptocurrency space and ICO developments, “smart contracts” and the like.  The issues span all areas of law. The blog will be a companion blog to this one, which will continue to cover legal developments in the tech and  media space generally.

So check it out, blockchainandthelaw.com, and subscribe to that blog as well as this one!

No Liability for Self-Publishing Platforms over Author’s Use of Unauthorized Cover Photo

In a brief, unpublished opinion, the Sixth Circuit affirmed the dismissal of right of publicity and privacy claims against a host of self-publishing platforms and service providers for distributing an erotic (and purported “less than tasteful”) book whose cover contained an unauthorized copy of the plaintiffs’ engagement photo because the plaintiffs failed to plead more than an “incidental” use of the photo by the service providers. (Roe v. Amazon.com, No. 16-3987 (6th Cir. Nov. 21, 2017) (unpublished)).

This dispute initially raised our interest because it raised the larger issues of how to define a “publisher” and “distributor” in the modern e-commerce environment and to what extent an ebook platform or print-on-demand service could be protected for distributing third-party content by the immunity provided by Section 230 of the Communications Decency Act (“CDA Section 230”).  While we anticipated that such issues would get a full examination on appeal, the Sixth Circuit sidestepped these novel issues and decided the case on the merits of the privacy claims.  Continue Reading

Wave of Illinois Biometric Privacy Suits Continues Unabated

After noting the flood of Illinois biometric privacy suits in September, it appears that the flow of such suits remains robust.  Dozens of suits have been filed in Illinois state court against Illinois-based employers and other businesses alleging violation of Illinois’s Biometric Information Privacy Act (BIPA), which generally regulates the collection, retention, and disclosure of personal biometric identifiers and biometric information, and encourage businesses that collect such personal data to employ reasonable safeguards.

In recent years, biometric privacy suits initially involved social media services and video game makers, but have increasingly been asserted against businesses that collect biometric data to authenticate customers or employees, especially Illinois-based employers that use biometric timekeeping devices to verify employees when clocking in and out.   Continue Reading

Ninth Circuit Rejects VPPA Claims of Roku Channel User, Declining to Adopt Broad Definition of PII

In a decision that clarified aspects of the video privacy landscape, the Ninth Circuit affirmed the dismissal of an action alleging a violation of the Video Privacy Protection Act (VPPA) based on an assertion that ESPN’s WatchESPN Roku channel had shared a user’s Roku device number and video viewing history with a third-party analytics company for targeted advertising purposes.  (Eichenberger v. ESPN, Inc., No. 15-35449 (9th Cir. Nov. 29, 2017)).  The appeals court found that such a disclosure of a device identifier did not constitute “personally identifiable information” (PII) under the VPPA.  In doing so, the court declined to take a broad interpretation of the 1980s era statute originally aimed at video stores, but which in recent years has been applied to online video streaming services and mobile and video streaming apps. Continue Reading

U.S. Court Orders Coinbase to Share Information about Account Holders with the IRS but Limits to Transactions over $20,000

A U.S. federal district court judge on Tuesday, November 29 ordered Coinbase Inc., the largest cryptocurrency exchange and storage platform in the world, to provide information about certain of its account holders to the U.S. Internal Revenue Services (IRS).  Information pertaining to as many as 14,355 account holders and 8.9 million transactions could be covered in this order, according to estimates provided by Coinbase.  The full order by Judge Jacqueline Scott Corley of the U.S. District Court for the Northern District of California can be found here.

While a significant milestone in a protracted legal battle between Coinbase and the IRS, the order handed down by Judge Corley is considerably narrower than what the IRS had originally requested.  The information Coinbase must provide is limited to the holder’s name, date of birth, taxpayer identification number (TIN), and address; the date, amount, type of transaction, post-transaction balance, and names of counterparties to any transaction covered by the order; and periodic account statements for the covered accounts.  Significantly, only account holders that have bought, sold, sent, or received cryptocurrency worth $20,000 or more in any tax year from 2013 to 2015 are covered by the order.  Continue Reading

Third Class Action for Tezos ICO

For the third time this month, the Tezos blockchain project is the subject of a class action complaint for claims arising from their $232 million July initial coin offering (“ICO”). Consistent with both prior lawsuits, the plaintiffs allege that the Tezos ICO constituted the unregistered, non-exempt offer and sale of securities in violation of the federal securities laws.

As a general rule ICO tokens may be securities and, if so, must be registered with the SEC or qualify for an exemption in order to be offered or sold within the United States. Violations expose issuers not just to the risk of SEC enforcement, but also the possibility of liability under Section 12(a)(1) of the Securities Act, a private right of action that provides recessionary damages on a strict liability basis for those that purchase their tokens directly from the issuer of an unregistered public offering.

Recent remarks by SEC Chairman Jay Clayton have led to speculation that meaningful SEC intervention in the ICO marketplace may be soon forthcoming. If this spate of Tezos lawsuits is any indication, the plaintiff’s bar could get there well before the regulators do.

Appeals Court Affirms Dismissal on Standing Grounds of Biometric Privacy Suit over Videogame Facial Scan Feature

With the flood of Illinois biometric privacy suits lodged against employers in recent months, and multiple biometric privacy suits against social media and other mobile platforms currently pending over the use of photo tagging functions, 2017 has been a busy year in this area.  In a notable circuit court level ruling this week, the Second Circuit affirmed the dismissal of Illinois biometric privacy claims against a videogame maker related to a feature in the NBA 2K videogame series that allows users to scan their faces and create a personalized avatar for in-game play. (Santana v. Take-Two Interactive Software, Inc., No. 17-303 (2nd Cir. Nov. 21, 2017) (Summary Order)).

Although the court remanded the case to give plaintiffs leave to amend the complaint, the dismissal is still a resonant victory for Take-Two and demonstrates that the Article III standing requirements under Spokeo can be an important limitation on claims based on bare procedural violations of the notice and consent provisions of the Illinois Biometric Information Privacy Act, 740 Ill. Comp Stat. 14/1 (“BIPA”).

As discussed in our prior post on the lower court’s opinion, the Santana case concerns the MyPlayer feature in the NBA 2K15 and NBA 2K16 videogames, which allows users to scan their own faces to create personalized virtual basketball avatars that can be used during gameplay (including during multiplayer games, if the gamer so chooses). To create the avatars, the game platform’s cameras scan the user’s face and head from various angles and then convert this data into a virtual player that resembles the user.

To create a MyPlayer avatar, a gamer must first agree to the following terms, which are presented on the viewer’s television screen or monitor:

Your face scan will be visible to you and others you play with and may be recorded or screen captured during gameplay. By proceeding you agree and consent to such uses and other uses pursuant to the End User License Agreement. www.take2games.com/eula

The plaintiffs made no allegations that their faceprints were disseminated or used for any other purpose outside of the game (for which they gave consent), or that their biometric data was wrongfully accessed by hackers or other third parties. Rather, they contended that Take-Two failed to comply with various provisions of BIPA, such as providing written notice of its data retention policies regarding gamers’ faceprints and maintaining adequate data security.

Generally speaking, under BIPA an entity cannot collect, capture, purchase, or otherwise obtain a person’s “biometric identifier” or “biometric information,” unless it first:

(1) informs the subject in writing that a biometric identifier is being collected;

(2) informs the subject in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and

(3) receives a written release executed by the subject.

Take-Two moved to dismiss for lack of Article III standing and for failure to state a cause of action under the statute.  The district court granted the motion on both grounds and dismissed the action with prejudice.   Plaintiffs appealed, and in a summary order, the Second Circuit affirmed on standing grounds and remanded with instructions to enter a dismissal without prejudice, granting plaintiffs leave to amend.

The court initially found that Take-Two’s alleged procedural violations of BIPA’s notice provisions failed to raise a material risk of harm that would give plaintiffs Article III standing. It concluded that Take-Two indisputably informed users that the MyPlayer feature required a “face scan” that would be visible to other players during online gameplay and that such notice was sufficient to meet BIPA’s notice requirements.

The court similarly held that Take-Two’s alleged violations of related BIPA provisions failed to raise a material risk of harm:

“Plaintiffs allege that Take-Two did not inform them of the duration that it would hold their biometric data, as BIPA requires. However, plaintiffs have not shown that this violation, if true, presents a material risk that their biometric data will be misused or disclosed. Plaintiffs have not alleged that Take-Two has not or will not destroy their biometric data within the period specified by the statute, and accordingly have alleged only a bare procedural violation. Likewise, although Take-Two did not notify the plaintiffs of its [data retention schedule], plaintiffs do not allege that Take-Two lacks such protocols, that its policies are inadequate, or that Take-Two is unlikely to abide by its internal procedures. There is accordingly no material risk that Take-Two’s procedural violations have resulted in plaintiffs’ biometric data being used or disclosed without their consent.”

Going forward, the plaintiffs may have a difficult time filing an amended complaint that can survive dismissal, particularly given the lower court’s previous adverse opinion and the appeals court’s language finding “unpersuasive” plaintiffs’ “attempt to manufacture an injury.”

Although not the first court to dismiss a lawsuit allegedly technical violations of BIPA for lack of Article III standing, Santana is the first appeals court to do so, and such reasoning, even if contained in a non-precedential summary order, may be influential in other jurisdictions considering similar issues under BIPA.

We will continue to monitor developments in biometric privacy and technology.

LexBlog