Data privacy litigators have their eye on the Supreme Court going into the end of the month as we wait for the Court’s opinion in Ramirez v. TransUnion.  And when the decision is issued, CPW will be there in real time to fill you in.  In the meantime, below is a refresher of the facts and issues raised in Ramirez, and why it is a must-watch decision for the end of the Supreme Court’s current term.

As readers of CPW already know, Article III limits federal court jurisdiction to actual “cases or controversies.”  U.S. Const. Art. III, § 2.  The Supreme Court has held that standing “is an essential and unchanging part of the case-or-controversy requirement of Article III.”  This includes the following three elements, which constitute the “irreducible constitutional minimum of standing”:

First, the plaintiff must have suffered an “injury in fact”—an invasion of a legally protected interest which is (a) concrete and particularized … and (b) actual or imminent not conjectural or hypothetical … Second, there must be a causal connection between the injury and the conduct complained of … Third, it must be likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision.

As relevant for Ramirez, in 2016, the Supreme Court decided Spokeo, Inc. v. Robins, 136 S. Ct. 1540.  In Spokeo, the Court affirmed that a plaintiff cannot “allege a bare procedural violation, divorced from any concrete harm, and satisfy the injury-in-fact requirement of Article III.”  (emphasis added).  The Supreme Court’s analysis emphasized that “[a] ‘concrete’ injury must be ‘de facto’; that is, it must actually exist.”  Id. (emphasis in original).

Which brings us to Ramirez.  The plaintiff alleged that he had difficulty obtaining credit, was embarrassed in front of family members, and canceled a vacation after a car dealer received a credit report indicating that his name matched a name on a government “terrorist list” of persons with whom U.S. businesses may not transact.  In response, Ramirez filed a class action alleging three violations of the Fair Credit Reporting Act (“FCRA”), two concerning the mode of providing consumers with a copy of their own credit file and one concerning the procedural requirements for furnishing an accurate credit report.

Ramirez sought to represent a class of thousands of individuals, the vast majority of whom (more than 75%) never had a credit report disseminated to any third party, let alone suffered a denial of credit or other injury anything like what he experienced.  The trial court nonetheless let the class proceed on the theory that the absent class members all suffered an Article III injury and that the vast differences between the experiences of the named plaintiff and the class he purported to represent were immaterial.  Ramirez ultimately obtained a multi-million dollar jury verdict against the credit reporting agency TransUnion for falsely flagging him and more than 8,100 other people as terrorists.

The Supreme Court granted cert for the question: “Whether either Article III or Rule 23 permits a damages class action where the vast majority of the class suffered no actual injury, let alone an injury anything like what the class representative suffered.”  (emphasis added).  TransUnion argued in its opening brief that Ramirez’s class definition includes individuals who suffered no injury because they never had a credit report disseminated to a third party with incorrect or misleading information.  TransUnion further asserted that simply alleging an FCRA violation and claiming statutory damages does not itself confer Article III standing.

At oral argument earlier this year, several members of the Court expressed skepticism about Ramirez’s standing argument if carried to its logical conclusion.  [For Kristin Bryan’s real time coverage of that oral argument, check it out here].  However, at this point it is an open question whether the Court will rule in a way that curtails the availability of Article III standing in data privacy litigations going forward.  Suffice it to say, depending on how the Court rules, the case could have a major impact on litigations brought under various federal and state data privacy statutes (not only the FCRA but also the Telephone Consumer Protection Act and the Illinois Biometric Information Privacy Act, among others) and for data event litigations where Article III standing is a frequently litigated issue.

For more on this and the clarity from SCOTUS expected in the short term, stay tuned.  CPW will be there.

CPW has been monitoring the data privacy bills under consideration this year at the federal and state level (see some of our prior coverage here, here and here).  Last week, Senator Kirsten Gillibrand reintroduced the Data Protection Act, a bill that would establish a new federal agency, the Data Protection Agency (“DPA”), dedicated to regulating and enforcing federal data privacy laws.  Read on for an overview of the bill’s key features.

The Data Protection Act was first introduced in 2020 and would charge the DPA with conducting investigations and collecting and reviewing complaints from consumers.  Additionally, the DPA would create and develop model data privacy standards for use in the private sector.  The new version of the bill significantly expands the DPA’s responsibilities and authority, equipping the potential agency with enforcement tools including civil penalties, equitable relief, and injunctive remedies.  The bill also tasks the DPA with reviewing any merger that would involve the transfer of data for 50,000 individuals or more. [Note: The transaction would also then be reviewed by the Federal Trade Commission and the Department of Justice.]

As an executive agency, the DPA would advise Congress on emerging privacy and technology issues, and would coordinate with other federal agencies to promote consistent regulatory treatment of personal data.  Additionally, the 2021 bill includes new provisions addressing civil rights issues, including the creation of an Office of Civil Rights within the DPA to ensure that data is not used or collected for discriminatory purposes.  In addition to the creation of the DPA, the Data Protection Act includes provisions prohibiting certain data collection and usage practices, including those that are labeled “high-risk.”  The bill also provides definitions for key data privacy terms, including “Privacy Harm,” “Data Aggregators,” and “High-Risk Data Practice,” among others.

As states continue to develop their own privacy regimes and adopt varying approaches to regulating the collection, use and dissemination of personal information, pressure is growing at the federal level for a comprehensive, uniform privacy law.  Whether the Data Protection Act will garner enough support to accomplish that remains to be seen.  But not to worry, CPW will be there to keep you in the loop.

 

A recent Illinois Supreme Court opinion found that the coverage afforded for personal or advertising injuries in business owners’ liability policies may apply to claims under the state’s Biometric Information Privacy Act (“BIPA”).  We anticipate this decision will have a significant impact in this area going forward.  West Bend Mutual Insurance Company v. Krishna Schaumburg Tan, Inc., 2021 IL 125978 (Ill. May 20, 2021).  The case stands for the proposition that BIPA claims may fall within the personal and advertising injury coverage afforded under standard form CGL policies even if the policyholder cannot show a widespread publication.  Read on to learn more and what it all means.

I.     Background

First, let’s take a look at the facts of the underlying BIPA litigation.  The plaintiff purchased a membership from the defendant tanning salon.  To obtain her membership, the plaintiff was required to provide her fingerprints to the defendant, which then sent the fingerprints to a salon management software vendor.  The plaintiff filed a class-action lawsuit alleging, in relevant part, that the defendant had violated BIPA, which regulates the collection, retention, disclosure, and destruction of biometric identifiers (“a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry”) and information (“any information . . . based on an individual’s biometric identifier used to identify an individual”).  Specifically, the plaintiff alleged that the defendant violated the statute when it “systematically and automatically collected, used, stored, and disclosed [to the vendor] their [customers’] biometric identifiers or biometric information without first obtaining the written release required by [BIPA].”

Importantly here, the defendant maintained CGL policies with coverage for personal injury and advertising injury.  The policies defined both “personal injury” and “advertising injury” to include injuries arising from a “publication” of material that violates one’s “right of privacy.”  The policies did not define “publication” or “right of privacy.”

The defendant provided notice of the lawsuit to its insurer and requested a defense under the policies.  The insurer filed a declaratory judgment action, alleging that the plaintiff’s complaint did not fall within the policies’ coverage for two reasons.  First, the lawsuit did not allege a “personal injury” or “advertising injury” as defined in the policies, because it did not allege a “publication” of material that violates a person’s “right of privacy.”  Alternatively, the policies’ violation-of-statutes exclusion applied and therefore barred coverage.  The defendant filed a counterclaim in the declaratory judgment action alleging, in relevant part, that the allegations in the underlying complaint potentially fell within the policies’ coverage.  The insurer and defendant ultimately filed cross motions for summary judgment.

The insurer argued that a “publication” under Illinois law is a “communication to the public at large,” as opposed to “disclosure to a single party,” meaning that the defendant’s communication with its vendor did not constitute a “publication.”  Because the complaint did not allege any “publication,” the insurer argued, the coverage afforded for personal and advertising injuries did not apply.  Alternatively, the insurer argued that the plaintiff’s allegations fell within the policies’ violation-of-statutes exclusion.

The defendant, on the other hand, argued in relevant part that a communication with a single party constitutes a “publication,” and therefore, its alleged disclosure to its vendor was a publication covered by the policies.  The defendant addressed the insurer’s motion, arguing that the violation-of-statutes exclusion did not apply “because the exclusion only applies to statutes that regulate methods of communication.”

The trial court held that the insurer had a duty to defend the defendant, and the appellate court affirmed.  The Illinois Supreme Court engaged in de novo review.

II.     Issues Before the Illinois Supreme Court

The issue for the Illinois Supreme Court was whether the insurer had a duty to defend its insured.  This required the court to determine, in key part, whether defendant’s sharing of biometric identifiers and information with its vendor was a “publication” of material that violated the plaintiff’s “right of privacy.”

As to whether disclosure to a single party constitutes a “publication,” the court looked to dictionary definitions, treatises on insurance and privacy law, and the Restatement of the Law of Torts.  Based on those sources, the court found that “publication” means “both the communication of information to a single party and the communication of information to the public at large.”  Because there was more than one reasonable interpretation of “publication” as used in the policies, the term was determined to be ambiguous and the court was required, under Illinois precedent, to “construe the insurance contract in favor of the insured and against the insurer that drafted the contract.”  Doing so, the court found that the term “publication” encompassed a communication with a single party such as the salon’s software vendor.

To determine whether the lawsuit alleged a violation of a “right of privacy,” the court looked to dictionary definitions and court interpretations of the phrase.  Earlier decisions in Illinois recognized that the right to privacy includes a “right to secrecy,” i.e., “the right to keep certain information confidential.”  Based on this precedent, the court found, BIPA protects a “secrecy interest,” namely, “the right of an individual to keep his or her personal identifying information like fingerprints secret.”  Further, “disclosing a person’s biometric identifiers or information without their consent or knowledge necessarily violates that person’s right to privacy in biometric information.”  The court found that the underlying plaintiff’s claim that the defendant shared her biometric identifiers and information with the vendor alleged a potential violation of the plaintiff’s right to privacy within the coverage afforded by the salon’s insurance policies.

For those reasons, the Court determined that the underlying plaintiff’s claim under BIPA alleged a “publication” that violated the plaintiff’s “right of privacy,” bringing the claim potentially within the policies’ coverage for personal or advertising injury.  Having determined that the underlying claims fell within the policy’s coverage grant, the Court turned to the question of whether the violation-of-statutes exclusion acted to bar coverage.  The relevant exclusion is titled “Violation of Statutes that Govern E-Mails, Fax, Phone Calls or Other Methods of Sending Material or Information.”  [Note: Many CGL policies contain this exclusion, which excludes from coverage claims for damages arising from violation of the Telephone Consumer Protection Act (“TCPA”) and CAN-SPAM Act of 2003, among others.]

The Illinois Supreme Court, however, found the exclusion inapplicable under the facts of this case.  Why?  For the simple reason that BIPA itself does not regulate methods of communication.  Rather, the statute applies to the collection, use, safeguarding, handling, storage, retention and destruction of biometric information, while the exclusion was allegedly drafted to bar coverage for statutes that regulate methods of communication.

So there you have it.  This case may have widespread implications for insurers and policyholders alike.  It represents a significant victory for policyholders under so-called silent cyber coverage, affirming that insuring policies do not have to include specific language to cover BIPA claims (and potentially other data privacy claims).  For more on this, stay tuned.  CPW will be there.

In case you missed it, below is a summary of recent posts from CPW.  Please feel free to reach out if you are interested in additional information on any of the developments covered.

New York Biometric Law Goes into Effect Next Month: Alan Friel and Niloufar Massachi Tell Businesses What They Need to Know | Consumer Privacy World

Consumers Denied Preliminary Injunction in Clearview Data Privacy Litigation, Court Rejects Consumers’ Reliance on Testimony of Clearview’s General Counsel | Consumer Privacy World

Supreme Court Remands LinkedIn Data Scraping Case Back to Ninth Circuit | Consumer Privacy World

Lina Khan Confirmed as FTC Chair | Consumer Privacy World

First CA Consumer Rights Requests Metrics Reporting Approaching: Alan Friel and Katie Sharpless Tell You What You Need to Know | Consumer Privacy World

Join CPW’s Alan Friel and Glenn Brown on June 28-Why Data Privacy, Security and Asset Management Are Crucial for Start-ups | Consumer Privacy World

Emotional Harms For Alleged FCRA Violations? | Consumer Privacy World

Global Trend: New Competition Regulations Aimed at Big Tech | Consumer Privacy World

Following up on our prior coverage (see here and here), this week a federal court denied Plaintiffs’ request for the first-ever injunction under BIPA in In re: Clearview AI, Inc. Consumer Privacy Litigation, Case No. 1:21-cv-00135 (N.D. Ill.).  Read on for the scoop.

Recall that Clearview collects publicly-available images on the Internet and organizes them into a searchable database, which Clearview’s licensed users can then search by using Clearview’s app.  As described in Clearview’s prior briefing, the only information that Clearview stores from the photos is: (1) the URL from which the photo was collected; (2) any metadata associated with the image itself; and (3) the facial vectors from the faces that appear in the image.

Moreover, in response to the BIPA litigation, Clearview has already implemented significant changes to its business practices.  However, according to Plaintiffs these measures are inadequate as Clearview “cannot be trusted” to maintain these changes.  For these reasons, and others, Plaintiffs requested that the court issue a preliminary injunction enjoining Clearview’s business practices.

To demonstrate that they were entitled to a preliminary injunction in the litigation, Plaintiffs were required to establish four elements: “(1) they have a reasonable likelihood of success on the merits; (2) no adequate remedy at law exists; (3) they will suffer irreparable harm, which, absent injunctive relief, outweighs the irreparable harm [Clearview] will suffer if the injunction is granted; and (4) the requested injunction will not harm the public interest.”  The court’s opinion, which came out earlier this week, determined that the consumers failed to demonstrate a likelihood of irreparable harm in the absence of injunctive relief.  Their motion for a preliminary injunction was denied.

Notably, the court found that the failure of the Plaintiffs to show that irreparable harm is likely in the absence of a preliminary injunction was “dispositive.”  The court commented that “Plaintiffs base their irreparable harm argument on what they call the Clearview defendants’ ‘lax security practices’ and two past data breaches of Clearview’s electronic systems.”  However–in language familiar to all data privacy litigators–the court found that “Plaintiffs’ general arguments about the possibility of future data breaches and Clearview’s lax security practices suggest a mere possibility of irreparable harm, not that they will likely suffer irreparable harm.”  To put it simply, Plaintiffs’ alleged speculative future injuries were not enough to support a preliminary injunction.

The court also rejected concerns Plaintiffs raised with the testimony of Clearview’s General Counsel, who testified as a Rule 30(b)(6) witness in the litigation.  At that deposition, Clearview’s GC “admitted he was not a cybersecurity expert” and Plaintiffs also took issue with certain “responses about Clearview’s security measures [which] lacked precision.”  While the court acknowledged that perhaps the GC was “not the best Rule 30(b)(6) witness to testify about Clearview’s security measures,” “his lack of knowledge does not create a reasonable inference that plaintiffs will likely suffer irreparable harm before final judgment.”

So there you have it.  Plaintiffs were unable to show they met the legal standard for a preliminary injunction with regard to their claims under BIPA.  However, the litigation remains ongoing and remains a must-watch.  For more on this, stay tuned.  CPW will be there to keep you in the loop.

Readers of CPW are invited to join a complimentary webinar on June 28 at 12 pm EST with CPW’s Alan Friel and Glenn Brown as part of Squire Patton Boggs (US) LLP’s next monthly Venture Law Meetup Webinar. Partner Tom Reems will moderate a discussion between partners Alan Friel and Glenn Brown entitled “Why Data Privacy, Security and Asset Management Are Crucial for Start-Ups”. The panel will discuss general privacy laws that require privacy policies and limitations on data use/disposition and how they apply to start-ups. This is particularly important since we are seeing robust privacy and data security reps and warranties in investments and acquisitions for those companies headed down that path. We have also seen companies unsellable because they build a business around a data model that is illegal or where they did not give proper notice at collection. We will touch on the key implications of these developments as well, including new California and Virginia privacy law thresholds that a number of companies are headed towards and what this might mean for being acquired.

This complimentary webinar series aims to equip executive officers and founders of new start-ups with the knowledge and tools needed to navigate the various aspects of launching and growing a new venture.

You can register here.

As reported in greater detail at the Security & Privacy Bytes blog by Alan Friel and Katie Sharpless, “[t]he deadline is fast approaching for businesses that buy, receive, sell, or share the personal information of 10 million or more California consumers to report their California Consumer Privacy Act (“CCPA”) rights requests metrics. On July 1, 2021, these businesses must report certain data (outlined below) in their privacy policy or elsewhere online accessible via a link in their privacy policy.”  For a detailed overview of what this means, be sure to check out their fantastic analysis here.

This week, Lina Khan was confirmed as a Democratic commissioner to the Federal Trade Commission in a 69-28 Senate vote. The White House subsequently confirmed that Khan would chair the agency. She will serve as the FTC’s youngest-ever commissioner and chair.

CPW previously covered Khan’s nomination, including her history as an antitrust scholar and critic of big tech. In addition to serving as legal counsel to the U.S. House Judiciary Committee’s Subcommittee on Antitrust, Commercial, and Administrative Law, where she helped lead an investigation of competition in digital markets among large companies, she also previously served as a fellow in FTC Commissioner Rohit Chopra’s office. She rose to prominence as an antitrust scholar with the publication of her 2017 paper “Amazon’s Antitrust Paradox.”

Khan’s appointment and elevation to chair signals the Biden administration’s support of a more progressive agenda for the agency that is likely to include aggressive antitrust measures. As chair, Khan will shape the agency’s agenda, including voting on whether to bring enforcement actions in areas of consumer protection and competition. Khan received bipartisan support during her confirmation hearing for increased regulation of big tech, as Congress has been working in tandem to bolster the FTC’s enforcement capabilities, including with the introduction of a package of antitrust bills last week.

Khan replaces acting chairwoman Rebecca Kelly Slaughter, who will remain at the agency as a Democratic commissioner. President Biden has not yet named a third commissioner to succeed Rohit Chopra, who has been nominated to lead the Consumer Financial Protection Bureau.

 

Last month, a federal court addressed the kind of harms that need to be included in a plaintiff’s complaint asserting claims under the Fair Credit Reporting Act (“FCRA”) and Fair Debt Collection Practices Act (“FDCPA”) to survive a motion to dismiss.  Magruder v. Capital One, Nat’l Ass’n, 2021 U.S. Dist. LEXIS 94804 (D.D.C. May 19, 2021).  Finding that the plaintiff had “barely” overcome the bar, the court reaffirmed the minimum pleading requirements necessary for such claims.  Read on for more details.

Plaintiff’s initial lawsuit brought claims against several financial institutions and debt collectors.  Alleging that his attempts to resolve disputes with his credit reports had had him effectively running in circles, Plaintiff brought suit against all the defendants for violations of the FCRA, and against one defendant specifically for violations of the FDCPA.

Prior to going any further with the case, the court ordered Plaintiff to show that he had suffered an “injury in fact” sufficient to satisfy the threshold requirement of Article III standing.  This necessitated that Plaintiff show that he had been harmed in a real sense, that is, that he was personally affected, and the harm was not hypothetical or abstract.  [Note: Injury for purposes of Article III in some instances can include intangible harms, including emotional harms in very specific instances.]

In assessing Plaintiff’s injury claims, the court expressed repeatedly that his claims of a tangible harm were “thin by any measure.”  Plaintiff claimed that he had suffered economic losses, but provided no details explaining the amount of the losses, or how they happened.  Still, the court found that the bar was low enough that Plaintiff’s complaint was sufficient for a number of his claims, at least at this point.

Most notably, the court found that while Plaintiff had not claimed any tangible loss as a result of Trans Union’s alleged violation of FCRA, his emotional harm was enough.  Plaintiff alleged that Trans Union’s failure to follow reasonable procedures to assure maximum accuracy (§ 1681e(b)) and failure to conduct a reasonable investigation (§ 1681i(a)) had caused him “embarrassment, humiliation and other mental and emotional distress.”

The court found that FCRA was, at least in part, designed with this specific kind of injury in mind.  Plaintiff claimed that his credit reports incorrectly said that he had outstanding debt, when he did not.  That false claim was spread to other parties, causing emotional harms.  “The FCRA was enacted to deter just this.”  The court also extended this to the FDCPA, noting that courts have previously ruled that a plaintiff may have standing in FDCPA cases if the alleged violation “caused anxiety” or “stress and inconvenience.”

Note that in the context of the FCRA and FDCPA, other courts have taken a contrary approach as to whether such damages suffice at the pleadings stage.  This issue is far from settled in this area of data privacy law.  Not to worry, CPW will be there to keep you in the loop.

In the aftermath of the Supreme Court’s Van Buren decision this month and its resulting impact on data privacy litigation, the Supreme Court ordered the hiQ/LinkedIn data scraping saga to be remanded back to the Ninth Circuit.

Recall that in March 2020, LinkedIn filed a petition for a writ of certiorari, raising the issue of “[w]hether a company that deploys anonymous computer ‘bots’ to circumvent technical barriers and harvest millions of individuals’ personal data from computer servers that host public-facing websites—even after the computer servers’ owner has expressly denied permission to access the data—‘intentionally accesses a computer without authorization’ in violation of the Computer Fraud and Abuse Act.”  [Note: Of course, it is all about framing.  According to hiQ, the question was instead whether a professional networking website, such as LinkedIn, may rely on the CFAA’s prohibition on “intentionally access[ing] a computer without authorization” to prevent a competitor from accessing information that the website’s users have shared on their public profiles and that is available for viewing by anyone with a web browser.]

Well, on June 14, the Supreme Court issued a summary disposition in hiQ Labs, Inc. v. LinkedIn Corp. granting certiorari.  The Court vacated the Ninth Circuit’s previous judgment and remanded the case for additional consideration in light of the high court’s ruling in Van Buren.  This case is sure to be of interest going forward, as Van Buren’s impact continues to play out in the lower courts.  Stay tuned.  CPW will be there to keep you in the loop.