Last month, a California district court granted a web-based service’s motion to compel arbitration of a putative class action brought by a user whose personal information was allegedly accessed in a massive 2016 data breach that involved 339 million user accounts. (Gutierrez v. FriendFinder Networks Inc., No. 18-05918 (N.D. Cal. May 3, 2019)). While the opinion noted that courts in the Ninth Circuit are traditionally “reluctant to enforce browsewrap agreements against individual consumers,” the outcome of the case suggests that enforcement of website terms is not just a straight up-or-down analysis of the method used to present the terms to the user but may involve tangential, yet important interactions between the user and the site outside the initial registration process.
UPDATE: Subsequent to the introduction of the New York City Council biometric privacy bill, on March 5, 2019 members of the Florida legislature introduced the “Florida Biometric Information Privacy Act” (SB 1270). The statute generally follows the Illinois Biometric Information Privacy Act (BIPA) regarding notice and consent requirements and notably provides for a private right of action and the availability of statutory damages. As with the New York City bill, we will follow the progress of the Florida bill, as well as other pending biometric privacy legislation (e.g., Montana’s HB 645, which was introduced on March 1, 2019 and is another BIPA-like bill, but only allows enforcement by the state attorney general).
UPDATE: Both the Florida and Montana bills died in committee this past spring.
In light of the recent decision by the Illinois Supreme Court in Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Ill. Jan. 25, 2019), it is worth remembering that late last year, New York City Council members Ritchie Torres (and additional co-sponsors) introduced a bill for the city council to consider that would regulate the use of biometric technology in New York City. Bill Int. No. 1170 (the “Bill”) would amend Section 1, Chapter 5 of Title 20 of the Administrative Code of the City of New York and require businesses (but not governmental actors) to give notice to customers if they are collecting “biometric identifier information.” The Bill, which contains some similar provisions to the Illinois Biometric Information Privacy Act (“BIPA”), includes a private right of enforcement but avoids the statutory standing issue litigated in Rosenbach by providing that “any person who[se] biometric identifier information was collected, retained, converted, stored or shared in violation of [the law] may commence an action.” If enacted, this bill could lead to a deluge of individual and class action suits in New York based on biometric activity.