Plaintiffs Robert Alexander, David Vito, Michael Clancy and Mario Canario voluntarily dismissed their negligence and breach of contract lawsuit against Bristol Community College, said a Friday notice (docket 1:23-cv-11194) in U.S. District Court for Massachusetts in Boston. The May lawsuit (Ref:2306010061) alleged Bristol failed to invest in adequate data security, enabling hackers to exfiltrate their personally identifiable information during a December data breach.
Parties in four privacy class actions alleging Carnival’s website violates the California Invasion of Privacy Act (CIPA) jointly moved Thursday to consolidate the related actions and set case deadlines, said a filing (docket 3:23-cv-00404) in U.S. District Court for Southern California in San Diego. The related actions pending in Southern California district court are India Price v. Carnival Corp. (docket 3:23-cv-00236), Erica Mikulsky v. Carnival (docket 3:23-cv-00404), Marilyn Hernandez v. Carnival (docket 3:23-cv-01034) and Ariel Oliver v. Carnival (docket 3:23-cv-01036). A fifth case brought by Daniel Rubridge in U.S. District Court for Massachusetts has been stipulated for a transfer to the Southern California federal court but the order hasn’t been entered, said the filing. The plaintiffs allege Carnival’s use of session replay software on its website violates state and federal wiretapping prohibitions. Carnival asked Wednesday that Mikulsky’s class action be related to U.S. District Judge Gonzalo Curiel and related to Price because they both involve alleged CIPA violations (see 2306070003).
Plaintiff “Jane Doe” intends to voluntarily dismiss Hey Favor from her privacy claims against it and advertising and analytics companies FullStory, Meta, TikTok and ByteDance, said her Monday motion (docket 3:23-cv-00059) to lift the stay of proceedings in U.S. District Court for Northern California in San Francisco. The court instructed Doe in a May 16 case management conference to file a motion detailing her plan for how the case should proceed against the remaining defendants in light of Hey Favor’s April bankruptcy (see 2304280021). Her plan ensures the case can proceed “expeditiously,” without imposing liability on, or interfering with, Favor’s bankruptcy proceedings, it said. Doe will also dismiss the claim against advertising and analytics defendants for aiding Favor’s “violation” of California’s Confidentiality of Medical Information Act (CMIA) within seven days of the court’s approval of the plan. She plans to file an amended complaint removing Favor and the advertising defendants aiding and abetting Favor’s violation of the CMIA from the action within 14 days of approval. Once discovery opens, Doe plans to seek discovery from Favor as a third party, and the action can proceed against the advertising defendants “without delay” since no claims against them are dependent on the claims against Favor, she said. There's no concern over “overlapping parallel litigation as all remaining claims will proceed in one action” before the court, she said.
Carnival Corp. asks that plaintiff Erica Mikulsky’s wiretapping class action (see 2303060014) be transferred to U.S. District Judge Gonzalo Curiel for Southern California in San Diego and related to another case, Price v. Carnival Corp. (docket 3:23-cv-00236), which was filed about a month earlier, said its notice Tuesday (docket 3:23-cv-00404). The Price and Mikulsky cases are related “because they both involve allegations that the use of session replay on Carnival’s website violates the California Invasion of Privacy Act,” said the notice. The plaintiffs in both cases “seek to represent a class of California residents whose information was allegedly collected via the session replay software,” it said. The parties have agreed to seek consolidation of the Price and Mikulsky cases, plus three additional class actions, “asserting similar claims on behalf of residents of other states under those states’ equivalent laws,” it said. The three additional cases are in the process of being transferred or have recently been transferred to the Southern District of California, it said: “Once the cases have been related, the parties have agreed to jointly move for consolidation of these five matters into the lowest-numbered Price docket.”
U.S. District Judge for Northern Illinois Jorge Alonso denied Old Dominion Freight Lines’ May 26 motion to stay proceedings (see 2306010070) in a Biometric Information Privacy Act (BIPA) suit, said a minute order Friday in U.S. District Court for Northern Illinois in Chicago. The transportation company requested a stay pending the Illinois Supreme Court’s decision on the petition for rehearing filed in Cothron v. White Castle System. Alonso ordered Old Dominion to answer or otherwise plead by June 16. If a motion to dismiss is filed, plaintiff John Kararo’s response is due by July 17, and the defendant’s reply is due July 30, he said. Kararo alleged Old Dominion's time clock system used, collected, stored and “otherwise obtained” Kararo’s unique biometric identifiers without prior consent, in violation of Illinois’ BIPA law.
Plaintiff Jazmine Harris and defendant PBS stipulated to dismiss Harris’ individual Video Privacy Protection Act claims against PBS with prejudice, said their filing Friday (docket 1:22-cv-02456) in U.S. District Court for Northern Georgia in Atlanta. The parties further stipulate to dismissal of any putative class claims asserted by Harris without prejudice because no class was certified by the court, it said. The parties agree to bear their own fees and costs, it said. The court terminated the case Monday. Harris alleged PBS disclosed her PBS.org personal viewing information to Facebook without her consent, in violation of the VPPA (see 2303210016). The judge in the case granted the parties a 45-day stay in the proceeding until June 1 to pursue a potential settlement (see 2304170042).
District of Columbia Superior Court Judge Maurice Ross granted Facebook’s May 17 motion for summary judgment in a Thursday order (docket 2018-CA-008715) dismissing the 2018 lawsuit that alleged Facebook misrepresented privacy protections of users' information. The one-count suit, filed by then-D.C. Attorney General Karl Racine (D), alleged violation of the D.C. Consumer Protection Procedures Act (CPPA). The AG alleged Facebook violated the CPPA by making misleading misrepresentations, omissions and ambiguous statements about how user information could be shared with third-party apps and that it exerted lax oversight in enforcement of third-party apps. The “misleading disclosures” involved friend-sharing, integration partnerships, privacy setting and data-misuse disclosures involving British political consulting firm Cambridge Analytica. In May 2022, Facebook moved the court for summary judgment, saying after “years of discovery,” the District failed to produce any evidence about what misled consumers, and it cited three other cases where the court “considered, and rejected, this very theory challenging Facebook’s disclosure,” Ross said. The court ruled Facebook’s policies “clearly disclosed” all relevant terms in a way that a “reasonable consumer” couldn’t have been misled as a matter of law, Ross said. He cited a section from Facebook’s data use policy (effective 2012-2015) detailing that what users shared could be re-shared “by anyone who can see it.” At the time the suit was filed, Android and iOS hadn't become the primary way users accessed the internet and apps, said Ross, and Facebook had integration partnerships allowing companies such as Apple, Amazon, Blackberry and Yahoo to build Facebook apps for each device. Users had to opt into the integration partnerships by downloading the app and agreeing to terms. He referenced Facebook’s app settings page in privacy settings where users could set parameters for their data down to a customized list of friends. 
The District didn’t prove Facebook’s enforcement and monitoring efforts were insufficient, Ross said, saying Facebook never guaranteed how it would proceed in an enforcement probe. The social media platform’s data use policy and rights statement “clearly set out Facebook policies and were available for users to read,” it said. A spokesperson for the D.C. AG office said Friday: “We respectfully disagree with the Court’s decision and are considering all of our options.”
Bristol Community College failed to invest in adequate data security, enabling hackers to exfiltrate the personally identifiable information (PII) of 56,400 individuals, said a May 26 class action (docket 1:23-cv-11194) in U.S. District Court for Massachusetts in Boston. As a result of the community college’s failure to implement reasonable security protections, hackers compromised its network and accessed “thousands” of student files with sensitive PII, alleged the complaint. From Dec. 14 to Dec. 23, unauthorized actors accessed Bristol’s network, a breach the community college didn’t detect until April 10, said the complaint. It didn’t notify affected individuals until about May 10. Due to the school’s failures to protect their data, class members face the “real, immediate, and likely danger of identity theft and misuse of their PII,” said the complaint. Plaintiffs Robert Alexander, Fall River, Massachusetts; Michael Clancy and Mario Canario, both Warren, Rhode Island; and David Vito, Warwick, Rhode Island, received letters in May informing them an unauthorized actor had exfiltrated their PII and Social Security numbers. Alexander, a student at Bristol Community College 1996-1997, was the victim of financial fraud in April when unauthorized users accessed his bank account on three occasions and withdrew $250 from his account, said the complaint. The other three plaintiffs have made reasonable efforts to mitigate the impact of the data breach, including reviewing credit reports and financial account statements for indications of attempted identity theft or fraud. Plaintiffs assert claims of negligence, breach of contract, bailment, violation of Massachusetts’ Security Breach Law, state data breach and consumer protection statutes, intrusion upon seclusion and unjust enrichment. They seek compensatory, consequential, statutory, punitive and general damages, plus attorneys’ fees and legal costs.
Old Dominion Freight Line’s motion to stay a Biometric Information Privacy Act case (see 2305300070) “is questionable at best,” said plaintiffs’ Wednesday response (docket 1:23-cv-02187) opposing the defendant’s May 26 motion to stay in U.S. District Court for Northern Illinois in Chicago. Old Dominion seeks to stay proceedings pending the Illinois Supreme Court’s decision on the petition for rehearing filed in Cothron v. White Castle System, saying that decision could “significantly impact” the Old Dominion case, including the viability of certain named plaintiffs’ claims, the size of a putative class, the scope of potential discovery and the extent of damages awarded. In a May 3 hearing, Old Dominion didn’t mention it planned to file a motion to stay rather than an answer or responsive pleading, plaintiffs said. The defendant “appears to have” misled plaintiffs’ counsel and the court “by making no mention of it needing extra time to file a boilerplate motion to stay,” said the response. Old Dominion’s motion is “not well supported,” and absent a “substantial showing of likelihood of success for the Petitioner in Cothron, there is no basis to enter a stay,” it said. “Any potential reversal by the Illinois Supreme Court will not impact the viability” of the second amended complaint, it said. Old Dominion’s arguments supporting a stay “are nothing more than a desperate and evasive smoke screen.” Its motion to stay should be denied, and it should be given “no more than 5 days to answer,” said the response. The BIPA suit claims Old Dominion’s time clock system used, collected, stored and “otherwise obtained” plaintiffs' unique biometric identifiers without prior consent.
U.S. District Judge Manish Shah for Northern Illinois in Chicago signed an order Wednesday (docket 1:22-cv-06924) granting defendant Match Group’s motion to transfer plaintiff Marcus Baker’s Illinois Biometric Information Privacy Act claims to the Northern District of Texas in Dallas. Baker alleges Match Group and its affiliated dating websites collect, analyze and use unique biometric identifiers associated with people’s faces in photos uploaded to their apps and websites without disclosing or acknowledging the collection or requesting consent (see 2212120046). Match Group sought dismissal of the complaint so it could be heard in small claims court. But Baker is seeking at least $20,000 in damages and injunctive relief, and neither the small claims courts in Texas nor in Illinois can issue damages in that amount, or injunctive relief of the kind Baker seeks, said Shah’s order. Baker has shown small claims court “isn’t the right place for this case,” it said. But Baker and Match Group agreed to litigate claims outside of arbitration or small claims court in Texas, and Match Group is “entitled” to the Northern District of Texas as the “agreed-upon forum,” it said.