Data Dive

The Illinois Supreme Court issued a pair of decisions related to the Illinois Biometric Information Privacy Act (BIPA) that continue to ratchet up compliance pressure on businesses. On February 17, 2023, the Illinois Supreme Court ruled in a narrow 4-3 majority that a separate claim for damages accrues each time a business violates the state’s BIPA (e.g., accruing additional damages each time a fingerprint is scanned rather than a single violation for each unique fingerprint collected). Under BIPA, companies collecting biometric data such as facial scans, fingerprints and voiceprints can face millions of dollars in fines if they fail to seek permission to collect this data, or if they fail to disclose their data retention plan.

The 7th Circuit in Huston v. Hearst Communications, Inc. just issued a published decision in a putative Illinois Right to Publicity Act class action laying the claims to rest. The ruling should prove to be useful guidance in jurisdictions where similarly suspect claims are still being pursued.

Read more

While some states have enacted privacy laws granting consumers the right to bring a private right of action in a data breach context, federal courts have struggled to fit data breach injury into traditional Article III standing requirements. On April 26, 2021, in McMorris v. Carlos Lopez & Associates, LLC,¹ the Second Circuit Court of Appeals addressed a question of first impression for the Circuit regarding when a plaintiff’s increased risk of future identity theft following a data breach case constitutes an injury sufficient to establish standing under Article III of the United States Constitution. Attempting to harmonize various approaches taken by some of its sister circuits, the Second Circuit articulated a nonexhaustive list of factors courts may consider in determining standing and affirmed the district court’s dismissal for lack of Article III standing.

A new report from Akin Gump looks back at the first year of civil litigation related to the California Consumer Privacy Act (CCPA) and previews what to expect throughout the remainder of 2021 and beyond.

Over the past year, the growing popularity of smart speakers—and accompanying consumer concerns regarding privacy—has given rise to a number of class action lawsuits alleging that these speakers and their virtual assistants, such as Apple’s Siri and Amazon’s Alexa, are listening in without consumer consent.

The Biometric Information Privacy Act (BIPA) sets forth certain onerous notice, consent, disclosure, and retention requirements in connection with the capture of biometric data, which includes fingerprints, voiceprints, facial geometry, and iris and retina scans. Many businesses are using fingerprinting tools for employee timekeeping and/or facial recognition technology for asset protection, payment verification, mobile apps, and/or social media and gaming activities. Vendors are actively marketing new biometric tools to businesses across industries.