One significant issue “unanswered” in the recent $228 million judgment in the first jury verdict issued in an Illinois Biometric Privacy Act class action (see 2210190003) was “what constitutes biometric data” under BIPA, Ogletree Deakins said in an analysis Monday. The case involved a defendant that collected, used and stored actual fingerprint images to identify drivers, the law firm said. BIPA explicitly includes fingerprints “in the definition of protected biometric identifiers,” so the case did not address systems that encrypt or convert stored fingerprints “into a mathematical representation or string of numbers,” it said. “This technology question remains an important, viable defense” in pending and future BIPA cases, it said. The verdict nevertheless was “a wakeup call” for private entities that collect, use or store biometric data “as it demonstrates the potential exposure for failing to follow the statute’s consent requirements,” it said. The jury’s finding that the company’s conduct was intentional or reckless “may be subject to review depending on the evidence elicited at trial,” said the law firm. “A reversal of that finding to reduce the company’s conduct to negligent may reduce the penalty assessed to $1,000 per incident or $45.6 million,” it said. That’s still “an incredibly hefty, but less jaw-dropping sum,” it said.
New York Attorney General Letitia James won a $1.9 million settlement with online retailer Zoetop, owner and operator of the e-commerce brands Shein and Romwe, to resolve allegations that the company violated New York consumer protection laws by mishandling customer data, blogged the Cozen O’Connor law firm Friday. James accused the company of misrepresenting the scope of a 2018 data breach that compromised the payment card information and personal data of millions of consumers worldwide, including 800,000 New Yorkers, it said. Hackers were able to access 39 million customer accounts, “and likely exfiltrated customer payment card information and personal data,” it said. The company failed to promptly notify its customers about the data breach and force a password reset for all account holders, it said. It also allegedly misrepresented the scope of the incident, and declined to fully cooperate with a “forensic investigator,” it said. Besides forfeiting the $1.9 million in penalties and costs, the company agreed to “maintain a comprehensive information security program that documents specific security measures and controls,” it said.
The plaintiffs who brought a class action Sept. 1 in U.S. District Court for Middle North Carolina alleging their medical privacy was violated by Facebook’s Pixel tracking tool agree with Meta that the case should be severed and transferred to Northern California, said the parties in a joint motion filed Saturday in docket 1:22-cv-00727. The suit also names Duke University and the WakeMed health system as defendants. The complaint is a putative class action with a nationwide class of all Facebook users who are current or former patients of medical providers in the U.S. with “web properties through which Facebook acquired patient communications relating to medical provider patient portals, appointments, phone calls, and communications associated with patient portal users,” and did so without “valid” consent, said the motion. Four other class actions have been filed against Meta in Northern California, and a fifth was transferred there from the Northern District of Illinois and a sixth was transferred there from the Western District of Pennsylvania, it said: “All six of these actions allege similar facts and events and bring similar claims to those that Plaintiffs allege in this action.” Northern California granted a motion Oct. 12 to consolidate all the California actions into a single case (“In re Meta Pixel Healthcare Litigation”) in docket 22-cv-04680, said the motion. The North Carolina plaintiffs agreed “it would conserve resources and promote judicial economy” to sever and transfer the case to Northern California, it said.
The first U.S. jury trial under the 2008 Illinois Biometric Information Privacy Act “ended with a bang” when the BNSF Railway was hit with a $228 million judgment Oct. 12 for “recklessly or intentionally” violating the statute, the Perkins Coie law firm said in a Tuesday update. Plaintiff Richard Rogers sued BNSF in April 2019. He was a truck driver who dropped off and picked up loads at BNSF-operated rail yards. He was required to register with an automated gate system and to provide his fingerprint each time he entered the railyard. Rogers didn't give written consent to the collection of his fingerprints, nor was he informed of how long his fingerprint data would be stored, as required under the BIPA, said Perkins Coie. Court records show about three dozen BIPA lawsuits at various stages of disposition. In one of the more recent cases, Amazon and Amazon Web Services said last month they “expressly deny” the allegations in a complaint in U.S. District Court for Northern Illinois that they violated the BIPA by using the company’s Rekognition facial-imaging technology to monitor employees in Amazon fulfillment centers (see [Ref:2209220050[).
The Aug. 22 decision at the 5th Circuit U.S. Appeals Court in U.S. v. Morton giving law enforcement broad discretion in searching individuals’ cell phones, was “a setback to the privacy protections for cell phones recognized” in the 2014 Supreme Court case Riley v. California, blogged Jennifer Lynch, Electronic Frontier Foundation surveillance litigation director. “Cell phones contain deeply personal information that should be afforded strong protections by the Fourth Amendment,” said Lynch. “Courts should not allow law enforcement to have limitless authority in executing search warrants on cell phones,” she said. They should follow the approach of “numerous other courts” and require cellphone warrants “that are narrowly tailored to the crime under investigation,” she said.
The California Superior Court in San Francisco found in a Sept. 30 decision in People v. Dawes that a geofence warrant issued to San Francisco police violated the Fourth Amendment and California’s “landmark electronic communications privacy law,” blogged Jennifer Lynch, Electronic Frontier Foundation director-surveillance litigation. Geofence warrants aid law enforcement in identifying an unknown suspect by obtaining geolocation data of all electronic devices at the location, on the date and at the time of the criminal activity. A geofence warrant captures all the users located within that area during the time period specified. The court “suppressed evidence stemming from the warrant, becoming the first court in California to do so,” said Lynch Tuesday. “EFF filed an amicus brief early on in the case, arguing geofence warrants are unconstitutional.” Though EFF was disappointed that the ruling was “narrow,” the decision “does place important limits on future police use of these warrants,” she said. “Not only will San Francisco police now be required to ensure the scope of their warrants is extremely narrow, officers must go back to the court for a new warrant at each step of the geofence process. This is at least a step in the right direction.”