Illinois

Actual Injury Required for Biometric Suits

** Biometric Plaintiffs Face Significant Setback in Illinois **                                                                                                                                                                                                             

By: Brent E. Johnson

In a growing number of states, biometric information has become a new type of protected data.  This form of information has been of particular concern to legislators spurred by its adoption in everyday uses — for example, in fingerprint scanners and facial recognition technology in smart phones — and its increasing use by employers tracking and verifying their employees’ hours.  The use of biometric information poses unique privacy and security challenges, not the least of which is that — unlike other types of personal identifiers (like a PIN or Social Security Number) — biometric information is permanent and cannot be changed if it falls into the wrong hands.

Background: Illinois was the first state to enact biometric data protections.  Its Biometric Information Privacy Act (740 ILCS 14) (BIPA) passed in 2008, created a “notice and consent” regime wherein: (i) private entities may collect, use or store biometric information only after obtaining a written release by the persons whose biometric information is sought; (ii) private entities are required to notice persons in writing about the specific purposes for and the length of time during which their biometric information will be collected, used or stored; and (iii) private entities must follow notice and consent requirements before disclosing a person’s biometric information to a third party.  Under BIPA, individuals have the right to sue private party violators and recover a minimum of $1,000 for a negligent violation and $5,000 for each violation recklessly or intentionally committed. Plaintiffs may also collect attorneys’ fees and costs.  Texas passed a similar law in 2009 (Capture or Use of Biometric Identifier Act) (Bus & Com § 503.001), and in 2017, Washington state passed a biometric law (H.B. 1493).  During the 2017 legislative session, bills dealing with biometric notice and consent regimes similar to BIPA were introduced in several states, including Alaska (H.B. 72), Arizona, Connecticut (H.B. 5522), Massachusetts (H.B. 1985 ), Montana (H.B. 518), Missouri, New Hampshire (H.B. 523) and New York – but all failed to pass.  The Washington and Texas statutes only allow for enforcement by the attorney general’s office.  Accordingly, Illinois remains the only state with a biometric statute that includes a private right of action – and it is thus the only state that has so far caught the attention of the class action bar.

While the Illinois statute has been in force since 2008, it received little attention until the last two years.  In 2016 and 2017, BIPA actions were brought against companies that use facial-recognition technology, such as FacebookShutterflyGoogleSnapchat, and others, as well as companies that use fingerprint scans, such as L.A. Tan.  Employee suits have also become popular, stemming from the use of biometric information in the workplace, such as fingerprint-operated time clocks.  Hotel chain InterContinental Hotels Group, broadband company Zayo Group, and convenience store chain Speedway LLC have all been the subject of employee lawsuits under BIPA.

For the defense bar dealing with BIPA claims, two major questions have been: (i) Can a company be sued for technical violations of the Act where no damages were sustained by the plaintiffs’ class? and (ii) Does BIPA have extraterritorial application?

The first question recently received attention by the Illinois Court of Appeals.  In Rosenbach v. Six Flags Entm’t Corp., 2017 WL 6523910 (Il. Ct. App., Dec. 21, 2017), Stacy Rosenbach, whose son’s thumbprint was taken by Six Flags after he purchased a season pass for one of its Great America theme parks, sued the company for violating BIPA based on her allegation that it failed to properly obtain written consent or disclose Six Flag’s plan for the collection, storage, use or destruction of her son’s biometric identifiers or information.  Six Flags moved to dismiss, arguing that under Section 20 of BIPA any right of action is limited to a “person aggrieved,” which excludes Plaintiff because she failed to allege any actual injury.  The lower court denied the theme park company’s motion to dismiss, but later certified to the appellate court two questions relating to whether individuals “aggrieved by a violation of the act” can rely solely on alleged violations of the notice and consent requirements or whether they must allege some actual harm.  In answering these questions, the Court of Appeals held that in order to meet the definition of an aggrieved person under the statute, plaintiffs must claim some actual harm. The Court noted, “if the Illinois legislature intended to allow for a private cause of action for every technical violation of the Act, it could have omitted the word ‘aggrieved’ and stated that every violation was actionable.  A determination that a technical violation of the statute is actionable would render the word ‘aggrieved’ superfluous. Therefore, a plaintiff who alleges only a technical violation of the statute without alleging some injury or adverse effect is not an aggrieved person under section 20 of the Act.”  2017 WL 6523910 at ¶ 23. The court rejected Plaintiff’s argument that biometric privacy, itself, is a right that is injured by violation of the statute.  Id. at ¶ 20.  This decision has the potential to foreclose on scores of current BIPA class actions – specifically those that have recently been filed and are seeking statutory penalties for naked violations of BIPA without a clear nexus to any consequential harm or injury.

The second question remains unsettled. To be sure, courts appear clear that an Illinois “statute is without extraterritorial effect unless a clear intent in this respect appears from the express provisions of the statute” (Avery v. State Farm Mut. Auto. Ins. Co., 835 N.E.2d 801, 852 (2005)) and recognize that none of BIPA’s express provisions indicate that the statute was intended to have extraterritorial effect (see Monroy v. Shutterfly, Inc., No. 16 C 10984, 2017 WL 4099846, at *5 (N.D. Ill. Sept. 15, 2017) (finding that BIPA does not apply extraterritorially). But what does that mean in the internet age?  For example, in Monroy, Plaintiff was acknowledged to be a resident of Florida and Defendant Shutterfly was acknowledged to be a Delaware Corporation – but the allegations of the Complaint were that Plaintiff’s friend, located in Illinois, uploaded his photo to Shutterfly’s servers triggering the alleged biometric violation.  In those circumstances, was the Florida resident entitled to the protections of BIPA?  The federal district court could not decide, noting that it was unclear where the actual scan of plaintiff’s face geometry took place, where the scan was stored once it was obtained, and, when stored in cyberspace, how physical location is to be determined – thus finding that the ultimate answer to the extraterritorial question raised a question of fact not suited for dismissal under Rule 12.

Good Vibrations

** Class Plaintiff not Feeling Data Collection Practices of Intimate Personal Consumer Products Maker **

By: Brent E. Johnson                                                                                                                                             _

Digital Data Privacy Protection Searching Concept

In the “You Can’t Make This Stuff Up” file is the putative class action filed on September 2, 2016 against Standard Innovation (U.S.) Corp. in the U.S. District Court for the Northern District of Illinois.  N.P. v. Standard Innovation (US) Corp. d/b/a We-Vibe, Case No. 1:16-cv-08655, (N.D. Ill. Sept. 2, 2016). According to the complaint, Standard Innovation “is a ‘sensual lifestyle products’ company that sells a high-end vibrator called the We-Vibe.”  The We-Vibe distinguishes itself from its competitors in the marketplace by its smart phone application – “We-Connect,” which can be downloaded from Apple App and Google Play stores.  Why would one care to download such an application?  According to the complaint, “With We-Connect, users can ‘pair’ their smartphone to the We-Vibe, allowing them — and their partners — remote control over the vibrator’s customizable settings and features” – bringing a whole new meaning to the phrase, “phone sex.”  For those who like to teeter on the cutting edge, this technology is referred to as “teledildonics.”  — Seriously.

The problem?  According to the complaint, “Unbeknownst to its customers . . . Defendant designed We-Connect to (i) collect and record highly intimate and sensitive data regarding consumers’ personal We-Vibe use, including the date and time of each use and the selected vibration settings, and (ii) transmit such usage data — along with the user’s personal email address—to its servers in Canada.”  While Americans may be jaded to the systematic gathering and exploitation of their personal information by internet companies for marketing purposes, this case asks the question: “Is our choice of the ‘pulse,’ ‘wave,’ ‘echo,’ ‘tide,’ ‘crest,’ ‘bounce,’ ‘surf,’ ‘peak,’ or ‘cha cha cha’ settings of our ‘sensual lifestyle products’ anybody’s business but our own (and our digital partner’s)?”

The complaint alleges causes of action for violation of the federal Wiretap Act, 18 U.S.C. § 2510, et seq.; the Illinois Eavesdropping Statute, 720 ILCS 5/14-1 et seq.; the common law tort of intrusion upon seclusion; and violation of the Illinois Consumer Fraud and Deceptive Business Practice Act,815 ILCS 505/1 et seq.  The eavesdropping claims are premised on the allegation that “Defendant designed and programmed We-Connect to continuously and contemporaneously intercept and monitor the contents of electronic communications that customers send to their We-Vibe devices from their smartphones, such as operational instructions regarding the users’ desired vibration intensity level and desired vibration ‘mode’ or pattern.”  In other words, Standard Innovation intercepts communications between a user’s cell phone and his or her vibrator.  Plaintiff’s consumer fraud claim arises from the “connect lover” feature of We-Connect that allows “partners [to] exchange text messages, engage in video chats, and . . . control a paired We-Vibe device.”  When a device user initiates a We-Connect session, the screen encourages: “Connect and share control of your We-Vibe from anywhere.  Create a secure connection between your smartphones.”  The complaint alleges that this screen lulls the user into a false sense of security and fails to disclose Standard Innovation’s data collection practices.

The collection of personal data transmitted between devices through an application and representations regarding user privacy make this a “sexy” case – and one to watch.

Lawyers Don’t Always Win

** Purported Class of Lawyers Suing for Misappropriation of Image and Likeness Fails at First Hurdle  **

By: Brent E. Johnson

                                                                                                                                                                                                                                                                                                                                                                                                                  crsfkvk5jmarrd3ls7emnw-avvo_logo-color_blue_taglineBucking the popular notion that the legal system protects its own – a recent putative class action in Illinois bought by and for a class of lawyers – failed.  Vrdolyak v. Avvo, Inc., No. 16 C 2833, 2016 WL 4765716, at *1 (N.D. Ill. Sept. 12, 2016).  The defendant in the lawsuit,  Avvo.com, publishes a directory that includes “profile pages” for millions of U.S. attorneys.   Most lawyers, however, have never asked avvo.com to create profile pages for them – let alone had any input into them (or even know they exist) – rather the machine generated profiles are created using data gleaned from public records such as bar admissions and court records.  The generated “profile page” contains identifying information and a rating calculated by an algorithm (which, rather crudely, primarily uses the number of years in practice as its measure).  But some lawyers purchase from avvo.com special “sponsored listings” which promote their avvo.com profile above the unwashed mass.  It appears that avvo.com’s business model relies on its critical mass of (involuntary) profiles and the ability to allow lawyers willing to pay a fee, to appear more prominently (i.e. what Google does!).  Plaintiff John Vrdolyak (a University of Chicago law school graduate) cried foul.  He claimed that his identity (and that of every other involuntarily avvo.com profiled lawyer) was misappropriated for commercial purposes without consent in violation of the Illinois Right of Publicity Act (“IRPA”), 765 ILCS 1075/1 et seq.

The Court sided with avvo.com – agreeing with its argument that the profile pages were speech that is fully protected by the First Amendment.  The court reasoned that what avvo.com does is akin to a yellow pages directory, which receives First Amendment protection.  Dex Media West, Inc. v. City of Seattle, 696 F.3d 952, 962 (9th Cir. 2012) (concluding that publications like yellow pages directories and newspapers receive full First Amendment protection because, as a threshold matter, they do not constitute commercial speech.)  The Court also analogized the avvo.com profiles to those of a magazine, like Sports Illustrated, that publishes non-commercial information (i.e. articles about athletes) and sells and places advertisements within and around that information.  The articles are fully protected non-commercial speech – the advertisements are (less protected) commercial speech.  In this case the “Sponsored Listings” were the commercial speech – but they were authorized and not at issue.  Those profiles that were at issue – the unauthorized profiles – were protected speech and their placement with the sponsored listing did not convert the entire website into commercial speech – the court opined.  Gallingly, the court not only refused to side with the lawyers – but used the Constitution to do so.