The blockchain or “distributed ledger network” was originally conceived as the peer-to-peer technology platform that allows for the transfer of Bitcoin without the need for a trusted intermediary.  However, the blockchain protocol is being implemented across many industries and in many applications beyond digital currencies. Of course, there are questions about the enforceability of blockchain-based transactions and related, self-executing “smart contracts.”

Late last month, Arizona Governor Doug Ducey signed HB 2417 into law. This law clarifies some of the enforceability issues associated with the use of blockchain and smart contracts under Arizona law, in particular with respect to transactions relating to the sale of goods, leases, and documents of title governed respectively under UCC Articles 2, 2A and 7.

For years, craigslist has aggressively used technological and legal methods to prevent unauthorized parties from violating its terms of use by scraping, linking to or accessing user postings for their own commercial purposes.  In its latest judicial victory, on April 13, 2017, craigslist obtained a $60.5 million judgment against Radpad on various claims relating to harvesting content from craigslist’s site and sending unsolicited commercial emails to craigslist users. (Craigslist, Inc. v. RadPad, Inc., No. 16-01856 (N.D. Cal. Apr. 13, 2017)).

The blockchain protocol (a form of a ‘distributed ledger system’) was originally designed as a platform to process Bitcoin transactions.  The protocol enables peer-to-peer transactions and eliminates the need for a trusted intermediary to verify and process the transactions.

The blockchain protocol as a platform is actually independent of Bitcoin, and is therefore transferable to other applications. Naturally, because blockchain was conceived of as supporting a specific digital payment system, the initial and most obvious use of the blockchain outside of Bitcoin is “fintech” – technology-based payment and financial transaction systems.  The goal of recent experimentation and development in fintech is to reduce inefficiencies in the existing payments, clearance and settlement systems. Conceivably, many of these functions could be conducted through a “smart contract” – a completely automated process, executed via a software application that runs “on chain.”  In pursuit of these goals, many in the financial services area have made significant investments in research, development, and pilot programs, in many cases through coalitions or in partnership with large technology companies as well as with blockchain-focused startup companies.

Beyond fintech, however, blockchain offers many other opportunities. The digital values that are tracked and processed through a blockchain implementation can represent any other type of information or assets.  This capability has evoked the early development of new applications and technological developments involving many industries beyond financial services. 

Update: On March 9, 2017, Google filed a motion requesting the court certify an interlocutory appeal.  In particular, Google contends that the following question satisfies the statutory criteria: whether the term “biometric identifier,” as defined in Illinois Biometric Privacy Act, includes information derived from photographs.

We’ve closely followed the numerous biometric privacy disputes and legislative developments surrounding the Illinois Biometric Information Privacy Act (BIPA), which precludes the unauthorized collection and storing of some types of biometric data.  In the latest ruling, an Illinois district court refused to dismiss a putative class action alleging that the cloud-based Google Photos service violated BIPA by automatically uploading plaintiffs’ mobile photos and allegedly scanning them to create unique face templates (or “faceprints”) for subsequent photo-tagging without consent.  (Rivera v. Google, Inc., No. 16-02714 (N.D. Ill. Feb. 27, 2017)).

This is the third instance where a district court refused, at an early stage of a litigation, to dismiss BIPA claims relating to the online collection of facial templates for photo-tagging purposes.  Unlike those prior courts’ relatively cursory interpretations, however, the Rivera court’s expansive 30-page opinion is the deepest dive yet into the statutory scheme (and purported vagaries) of the Illinois statute.  The decision is the latest must-read for mobile or online services that collect and store biometric data from users as to what extent their activities might fall under the Illinois biometric privacy statute.  It may well turn out that the plaintiffs’ claims in Rivera (as well as the ongoing biometric privacy litigation going on in California) may prove unsuccessful on procedural or statutory grounds, yet, these initial takes on the scope of BIPA stress the importance of examining current practices and rollouts of new services that feature biometrics. 

We’ve written extensively about the numerous lawsuits, dismissals and settlements surrounding the Illinois Biometric Information Privacy Act (BIPA). The statute, generally speaking, prohibits an entity from collecting, capturing, purchasing, or otherwise obtaining a person’s “biometric identifier” or “biometric information,” unless it satisfies certain notice and consent and data retention requirements. The statute contains defined terms and limitations, and parties in ongoing suits are currently litigating what “biometric identifiers” and “biometric information” mean under the statute and whether the collection of facial templates from uploaded photographs using sophisticated facial recognition technology fits within the ambit of the statute. Moreover, in two instances in the past six months, a district court has dismissed a lawsuit alleging procedural and technical violations of the Illinois biometric privacy statute for lack of Article III standing.

Thus, the epicenter of biometric privacy compliance and litigation has been the Illinois statute. A Texas biometric statute offers similar protections, but does not contain a private right of action.

The biometrics landscape may be about to get more complicated. An amendment has been proposed to the Illinois biometric privacy, and a number of biometric privacy bills mostly resembling BIPA have been introduced in other state legislatures. While most of the new proposed statutes are roughly consistent with the Illinois statute, as noted below, the Washington state proposal is, in many ways, very different. If any or all of these bills are enacted, they will further shape and define the legal landscape for biometrics.

For the second time in the past six months, a district court has dismissed a lawsuit alleging procedural and technical violations of the Illinois biometric privacy statute for lack of Article III standing.  In Vigil v. Take-Two Interactive Software, Inc., No. 15-8211 (S.D.N.Y. Jan. 27, 2017), the court dismissed Illinois biometric privacy claims against a videogame maker related to a feature in the NBA 2K videogame series that allows users to scan their faces and create a personalized virtual avatar for in-game play.  In a lengthy opinion, the New York court provided Take-Two with a resounding victory when it ruled that procedural violations of the notice and consent provisions of the Illinois biometric privacy statute are not in-of-themselves sufficient to confer standing.

Biometric technology such as facial recognition, iris scans, or fingerprint authentication is being used and further developed to improve the security of financial and other sensitive transactions.  At the same time, social media sites, mobile apps, videogame developers and others are employing biometrics for other cutting edge uses to improve services.  The current Vigil ruling is particularly important, however, as it may buoy companies that collect biometric data under reasonable notice and usage policies, as they hope that the approval applied in Vigil is affirmed, if appealed, and followed in other jurisdictions.

Earlier this month, an Illinois state court approved a $1.5 million settlement in a class action against L.A. Tan Enterprises, Inc., operator (directly and through franchisees) of L.A. Tan tanning salons.  The settlement resolved allegations that L.A. Tan violated the Illinois Biometric Information Privacy Act (BIPA) by collecting Illinois members’ fingerprints for verification during check-in without complying with BIPA’s notice and consent requirements. (See Sekura v. L.A. Tan Enterprises, Inc., No. 2015-CH-16694 (Ill. Cir. Ct. Cook Cty. First Amended Class Complaint filed Apr. 8, 2016)).   Under the settlement, approximately 37,000 class members who had their fingerprints scanned at a L.A. Tan location in Illinois between a specified three-year period (Nov. 13, 2013 to August 11, 2016) will receive a pro rata share of the settlement. Moreover, L.A. Tan agreed to comply with BIPA in the future and ensure the compliance of its franchisees.

This past summer, we wrote about two instances in which courts refused to enforce website terms presented in browsewrap agreements.  As we noted, clickthrough agreements are generally more likely to be found to be enforced.  However, even the enforceability of clickthrough agreements is going to depend, in part, on how the user experience leading to the “agreement” is designed.  Two recent decisions illustrate the importance of web design and the presentation of the “call to action” language in determining the enforceability of a site’s clickthrough terms.

In a decision from early November, a D.C. federal court ruled that an Airbnb user who signed up on a mobile device had assented to the service’s Terms and was bound to arbitrate his claims. (Selden v. Airbnb, Inc., 2016 WL 6476934 (D.D.C. Nov. 1, 2016)).   Conversely, in a notable decision from late August, the Second Circuit refused to rule as a matter of law that the plaintiff was bound by the arbitration clause contained in Amazon’s terms and conditions because the plaintiff did not necessarily assent to and was on constructive notice of the terms when he completed the purchase in question. (Nicosia v. Amazon.com, Inc., 2016 WL 4473225 (2d Cir. Aug. 25, 2016)).

In a dispute that touches on the intersection of copyright, contract law and cloud technology, the Second Circuit affirmed the dismissal of copyright claims against Barnes & Noble (“B&N”) related to ebook samples stored on a user’s B&N-provided cloud-based locker. Notably, the Second Circuit dismissed the case on contractual grounds, declining the opportunity to opine on two important modern copyright doctrines that are often implicated when users store copyrighted content on the cloud.

In Smith v. BarnesandNoble.com, LLC, 2016 WL 5845690 (2d Cir. Oct. 6, 2016), an author contracted with Smashwords, an online ebook distributor, to market his book.  In accordance with this contract, the book was offered to B&N, which listed the book for sale on bn.com and made free samples available.  When a B&N customer downloaded a free sample (or purchased an ebook) the content was stored on a cloud-based digital locker associated with the customer’s account from which the content could be downloaded to devices whenever and wherever the user wanted.