In the Australian Government’s first step towards enhancing and enforcing privacy compliance in Australia, the Attorney-General’s Department has released two publications regarding amendments to Australia’s privacy regime:

  • An exposure draft introducing amendments to the Privacy Act 1988 (Cth) (the Privacy Act), which will establish an online privacy code applicable to major online platforms and introduce increased penalties for non-compliance with the Privacy Act for all entities (the Online Privacy Bill); and
  • A discussion paper seeking further submissions on up to 67 proposals to amend the Privacy Act and introduce a raft of amendments to Australian privacy law focused on increasing enforcement, empowering individuals and aligning Australia with global privacy regimes (the Discussion Paper).


In case you missed it, below is a summary of recent posts from CPW.  Please feel free to reach out if you are interested in additional information on any of the developments covered.

Multi-Million Dollar Settlement Reached in BIPA Litigation That Went Up to Seventh Circuit – Consumer Privacy World

Eleventh Circuits Orders Rehearing En Banc in Hunstein – Consumer Privacy World

Colonial Pipeline Data Breach Litigations: Where Are We Now? – Consumer Privacy World

Registration OPEN: Join CPW’s Elliot Golding at Healthcare Research-A Transatlantic and Trans-European Dialogue Summit on November 23rd – Consumer Privacy World


In a move that shocked no one, including the Czar of TCPAWorld, the Eleventh Circuit Court of Appeals issued an order vacating its last opinion in Hunstein vs. Preferred Collection & Management Services, Inc., and ordered the case to be reheard en banc.  This development is just the latest in one of the most significant financial privacy litigations this year, with widespread implications for the debt collection industry regardless of how the Eleventh Circuit subsequently rules.

First, a recap of the facts and procedural history of the litigation—including all of its twists and turns before the Eleventh Circuit.

In Hunstein v. Preferred Collection and Management Services, Inc., the Eleventh Circuit issued a groundbreaking decision concerning the application of Section 1692c(b) of the Fair Debt Collection Practices Act (“FDCPA”).  Plaintiff incurred a debt to a hospital arising out of his son’s medical treatment.  The hospital assigned the debt to a debt collector.  The debt collector in turn hired a California-based commercial mail vendor to handle the collection.  The debt collector transmitted certain information about Plaintiff to the mail vendor.  The mail vendor used that information to generate and send a dunning letter to Plaintiff.

Plaintiff filed suit, alleging violations of Florida consumer protection law and the FDCPA.  The district court, however, dismissed the Complaint for failure to state a claim, concluding that Plaintiff had not sufficiently alleged that the debt collector’s transmittal to the mail vendor violated Section 1692c(b) of the FDCPA.  According to the court, this was because it did not qualify as a communication “in connection with the collection of a[ny] debt.”

The Eleventh Circuit reversed.  In a case of first impression, the Court first held that Plaintiff had alleged a concrete statutory injury under Section 1692c(b) for purposes of satisfying Article III, even where he had not alleged a “risk of real harm” or a “tangible harm,” such as a financial loss or emotional distress.  The Court additionally held that a debt collector’s transmittal of a consumer’s personal information to its letter vendor constituted a prohibited third-party communication “in connection with the collection of any debt” as used in the FDCPA.

Following Hunstein I, which came out in April 2021, the Supreme Court decided TransUnion in June 2021. In Ramirez v. TransUnion, the Supreme Court reconsidered the question of what constitutes an “injury in fact” under Article III, five years after its significant holding in Spokeo, Inc. v. Robins, 136 S. Ct. 1540.  The Supreme Court held that “[o]nly plaintiffs concretely harmed by a defendant’s statutory violation have Article III standing to seek damages against that private defendant in federal court.”  (emphasis added).

In a footnote in TransUnion, the Supreme Court additionally addressed (as relevant to Hunstein I) the Plaintiffs’ argument that “TransUnion ‘published’ the class members’ information internally—for example, to employees within TransUnion and to the vendors that printed and sent the mailings that the class members received.”  The Supreme Court held that argument had been forfeited and in any event was “unavailing.”  This was because:

[T]he plaintiffs’ internal publication theory circumvents a fundamental requirement of an ordinary defamation claim—publication—and does not bear a sufficiently “close relationship” to the traditional defamation tort to qualify for Article III standing.

141 S. Ct. 2190, 2210 n. 6 (emphasis supplied).

Which brings us to Hunstein II.  2021 U.S. App. LEXIS 32325 (Oct. 28, 2021).  Confronted with the subsequent TransUnion v. Ramirez decision, the Eleventh Circuit three-judge panel reconsidered its prior, unanimous ruling in a new 2-1 decision.

The Eleventh Circuit in Hunstein II stood by its prior ruling on standing.  After citing Spokeo and n. 6 of the TransUnion decision, the Eleventh Circuit nevertheless held that Hunstein had Article III standing.  This was based on the determination that Hunstein alleged “an intangible-but-nonetheless-concrete injury, including one resulting from a statutory violation.”

The Eleventh Circuit in Hunstein II  then turned to the merits of Plaintiff’s claim under the FDCPA.  Section 1692c(b) of the FDCPA states that, subject to several exceptions, “a debt collector may not communicate, in connection with the collection of any debt, with any person” other than the consumer.  The sole question before the Court was whether the debt collector’s communication with the mail vendor was “in connection with the collection of any debt,” such that it violates § 1692c(b).

After considering the plain language of the statute and dictionary definitions of terms used, the Eleventh Circuit found that the debt collector’s transmittal to the mail vendor “included specific details regarding Hunstein’s debt: Hunstein’s status as a debtor, the precise amount of his debt, the entity to which the debt was owed, and the fact that the debt concerned his son’s medical treatment, among other things.”  As such, the Court held, “[i]t seems to us inescapable that [the debt collector’s] communication to [the mail vendor] at least ‘concerned,’ was ‘with reference to,’ and bore a ‘relationship [or] association’ to its collection of Hunstein’s debt.”  Accordingly, the Eleventh Circuit ruled that “Hunstein has alleged a communication ‘in connection with the collection of any debt’ as that phrase is commonly understood.”

This ruling  was in many ways a double-down on the Eleventh Circuit’s prior decision with broad implications for all debt collectors doing business in that Circuit (which includes Florida, Alabama and Georgia) where Hunstein II is binding precedent for the lower federal courts.  Debt collectors (pre-Hunstein II) have historically heavily relied upon mail vendors—a decision that many are likely now reevaluating (including in relation to online platforms that have the same functionality).

Relief, however, may be on the horizon.  This week, the Eleventh Circuit decided sua sponte to rehear Hunstein en banc.  The sua sponte order was evidently issued after an unidentified Eleventh Circuit judge “requested a poll on whether [Hunstein] should be reheard en banc, and a majority of the judges of this Court in active service having voted in favor.”  Moreover, the order this week additionally vacated the panel’s prior ruling in Hunstein, meaning that the opinion is no longer binding precedent in the Eleventh Circuit.

For more on this, stay tuned.  CPW will be there to keep you in the loop.

On Tuesday, November 23rd from 10:15-11 am EST CPW’s Elliot Golding will be moderating a panel regarding transatlantic health research challenges with industry experts from Microsoft (Geff Brown), Philips (Hans Hofstraat) and Novartis (Alexandre Entraygues).  The conference will have many other interesting sessions, including an all-star list of additional speakers, including Lydia F de la Torre and Ricard Martínez Martínez.  CPW highly encourages anyone interested in this space to attend (the conference is free). Online registration is available here:

As summarized in greater detail on the registration page:

Whether you live in Europe or the United States, everybody should be able to benefit from advances in healthcare and medical research if there is to be a lasting impact for society and humanity. Regulators, researchers, tech experts, patient organizations and key stakeholders have considered the need for a functional model that enables medical advances and the use of data in the fields of healthcare and biomedical research across Europe and the United States. One clear example has been the response to the pandemic, where research on COVID-19 has demonstrated the importance of data sharing for the common good.

There are key regulatory challenges that need to be addressed by this community to truly deliver for patients and their healthcare systems. These challenges are not restricted to data protection regulation and entail a broader discourse that includes solutions that enable the responsible use of big data and artificial intelligence techniques in the healthcare sector to improve the prevention, diagnosis, and treatment of diseases.

In this context, the Microsoft-Universitat de Valencia Privacy and Digital Transformation Chair invites you to participate in the Healthcare Research: a transatlantic and Trans-European Dialogue Summit on November 23. The event will feature key experts from both sides of the Atlantic and will address the key challenges and opportunities that healthcare systems encounter when developing data sharing models and bringing scientific research to the next level on both sides of the Atlantic.

Earlier this year, CPW covered the Colonial Pipeline cyberattack and the two putative class actions filed in reaction to that cyberattack (Dickerson v. CDCP Colonial Partners, L.P., Case No. 1:21-cv-02098 (N.D. Ga.) and EZ Mart 1, LLC v. Colonial Pipeline Company, Case No. 1:21-cv-02522 (N.D. Ga.)).  Recall these putative class actions ensued after a ransomware attack carried out by cybercriminals crippled the Colonial Pipeline’s functionality.  The Pipeline was taken offline as a remedial measure, causing significant gasoline shortages across the Eastern United States.

Dickerson purports to represent a class of consumers who contend they paid higher prices at the pump as a result of the shutdown.  EZ Mart, in turn, purports to represent a class of gas stations that claim to have suffered fuel shortages or have paid excessively high prices for gas.  These consumers and gas stations are located in the East because the Colonial Pipeline supplies nearly half of the East Coast’s fuel supply.  In both Dickerson and EZ Mart, plaintiffs seek to hold Colonial Pipeline liable because it allegedly “failed to implement and maintain reasonable security measures, procedures, and practices appropriate” to its business.

Colonial Pipeline has moved to dismiss both putative class actions on similar grounds.  Colonial Pipeline has also moved to strike the class action allegations in both cases as representing purported “fail-safe” classes, arguing that ascertaining the classes would require ascertaining liability.

Colonial Pipeline moves to dismiss both suits in their entirety as preempted by the federal regulatory scheme for gas pipelines.  More interesting for this blog, however, is Colonial Pipeline’s effort to dismiss the negligence claims because Colonial Pipeline owes no duty to consumers or gas stations.  Colonial Pipeline explains that it does not bear duties to customers so far removed from its work, decrying the imposition of such a duty to prevent “economic ripple effects” as being an “absurdity.”  Colonial Pipeline also seeks to bar plaintiffs’ claims based on the economic loss rule.

Plaintiffs, in turn, argue that their dependence on the pipeline gives rise to an ordinary duty of care. Plaintiffs add that this duty of care is non-contractual and, therefore, not barred by the economic loss rule.

The outcome of these cases – specifically the extent to which downstream duties can be implicated by data breaches – could have a major impact on the future of data privacy/cybersecurity litigation, and it will be important to keep an eye on any major developments.  For our readers, we’ve got you covered.  Stay tuned to CPW for all the information you need.

CPW has previously blogged about the Bryant litigation which concerned a putative class action brought under the Illinois Biometric Information Privacy Act (“BIPA”).  In 2020, the Seventh Circuit issued a landmark standing decision concerning whether the Plaintiff in Bryant could proceed with litigating her claims in federal court.  Recently, in that case Compass Group USA Inc. and a retail technology company agreed to pay $6.8 million as part of a settlement to resolve claims alleging they collected fingerprint data from vending machine users without proper notice and consent as required under BIPA.  Read on to learn more.

First, some background.  The Plaintiff in Bryant filed suit under BIPA alleging that Compass Group collected her fingerprint scan when she signed up to use a smart vending machine in 2018.  Plaintiff worked for a call center in Illinois.  The call center had a cafeteria for employees, in which it had installed Smart Market vending machines owned and operated by Compass Group USA, Inc.  The machines did not accept cash.  Rather, all users had to create accounts using their fingerprints.  Plaintiff alleged that upon her hire, she was instructed during her orientation (along with her other coworkers) to scan their fingerprints into the Smart Market system and establish a payment link to create user accounts.  After establishment of an account and provision of their fingerprints, employees could then purchase items via fingerprint.

Plaintiff alleged that Compass Group violated Section 15(a) of BIPA by possessing her biometric information and failing to destroy that information once the purpose for collecting that information was complete.  However, her Section 15(a) claim was dismissed for failure to state a claim in November 2020.  Recall that to state a claim under Section 15(a), a plaintiff must allege that the defendant has failed to comply with its established retention and destruction guidelines.  Significantly, courts have held that “making such an allegation requires making an antecedent allegation—namely, that the defendant has established retention and destruction guidelines.”  To put it otherwise, the mere alleged retention of biometric information is not adequate to support a BIPA Section 15(a) claim.

In regards to these requirements, the district court found Plaintiff’s Section 15(a) claim lacking.  First, the pleadings were silent as to whether Compass Group had any retention and destruction guidelines in place.  And second, in any event Plaintiff’s claim was unripe.  BIPA Section 15(a) expressly provides that the guidelines an entity establishes must provide for: (1) the destruction of biometric identifiers within three years of the individual’s last interaction with the entity or (2) when the initial purpose for collecting or obtaining such identifiers has been satisfied, whichever is earlier.  In this instance, the Complaint’s allegations failed to meet either standard.

However, Plaintiff’s 15(b) claim survived (concerning her allegations that Defendants collected biometric fingerprint identifiers and information from her and other Illinois residents without following BIPA’s informed written consent procedures).  The litigation continued and discovery commenced, with the parties thereafter engaging in mediation.

Under the terms of the settlement reached by the parties, class members (defined as “[a]ll individuals who scanned their finger(s) in one or more of Defendants’ vending systems in Illinois between August 23, 2014 and preliminary approval without first executing a written consent”) would be eligible upon submission of a valid claim to receive a pro rata payment from a $6.8 million settlement fund.  Notably, unlike prior BIPA settlements where the payouts to class members ranged from $80-$380, here it was predicted that individual class members who submitted a claim would receive more than $500 (based upon a 12.5 percent take rate).

Because BIPA provides for liquidated statutory damages, it is one of the most frequently litigated data privacy statutes in the country.  Although there remains ambiguity regarding the contours of the law, this trend is expected to persist into 2022.  For more on this, stay tuned.  CPW will be there to keep you in the loop.

In case you missed it, below is a summary of recent posts from CPW.  Please feel free to reach out if you are interested in additional information on any of the developments covered.

E-Commerce Platform Data Breach Settlement Receives Final Court Approval – Consumer Privacy World

CPRA Amended and Updates Regarding the CDPA – Consumer Privacy World

Brands’ Influencer Marketing Practices in Regulators’ Crosshairs on Both Sides of the Atlantic – Consumer Privacy World

Registration OPEN for Upcoming Privacy Webinars On CCPA, CPRA, and Advertising, Media and Brands – Global Compliance Challenges – Consumer Privacy World

Join CPW’s Rosa Barcelo and Kristin Bryan at IAPP Privacy Panels – Consumer Privacy World

Registration Open: Don’t Miss the Critical TCPA Summit Next Month! Additional Speakers Announced – Consumer Privacy World

CPW previously covered the Drizly data breach litigation.  In that case, this month a federal court in Massachusetts granted final approval to a class settlement in the absence of any objections.  Barr v. Drizly, 2021 U.S. Dist. LEXIS 217158 (D. Mass. Nov. 4, 2021).  Read on to learn more.

As a recap, Drizly operates an online e-commerce platform that facilitates the delivery of alcoholic beverages from local retailers.  The litigation, Barr v. Drizly, LLC, Case No. 1:20-cv-11492 (D. Mass.), concerned a data event which Plaintiffs alleged resulted in consumers’ information, including at least email addresses, dates of birth, hashed passwords, delivery addresses, phone numbers, and IP addresses, being improperly exposed to third parties on the dark web.  The data event was allegedly the result of a targeted attack that occurred around February 2020, but was not identified by Drizly until the end of July 2020.

Under the terms of the settlement approved by the Court, each eligible Class Member that files a timely and valid Proof of Claim and Release (“Claim Form”) will receive an individual cash payment of $14.00, that may be adjusted upward if the total amount due to all Authorized Claimants does not exceed $1,050,000, and adjusted downward in the event that the aggregate cash payments to all Authorized Claimants exceeds $3,150,000.  Additionally, Class Members will also receive a pro rata portion of a pool of up to $447,750 in the form of a credit against the cost of service fees for future orders from Drizly.  Finally, Drizly will also implement and maintain for a two-year period certain security measures.

In granting final approval, the Court found (solely for purposes of settlement), that the requirements of Federal Rule of Civil Procedure Rule 23(a) and (b)(3) were satisfied such that:

(i) the Settlement Class was so numerous that joinder of all Settlement Class Members is impracticable (as required under Fed. R. Civ. P. 23(a)(1));

(ii) common questions of law and fact existed with regard to the Settlement Class (as required under Fed. R. Civ. P. 23(a)(2));

(iii) Plaintiffs’ claims in this litigation were typical of those of Settlement Class Members (as required under Fed. R. Civ. P. 23(a)(3)); and

(iv) Plaintiffs’ interests do not conflict with those of absent Settlement Class Members, all of whose claims arise from the same factual predicate, and Plaintiffs and Class Counsel have adequately represented the interests of all Settlement Class Members (as required under Fed. R. Civ. P. 23(a)(4)).

Additionally, the Court concluded that common issues of fact and law predominate over any questions affecting only individual members.  Moreover (also as required under Fed. R. Civ. P. 23(b)(3)) the Court determined that a class action was superior to other available methods for fairly and efficiently adjudicating this controversy.

The payout to individual class members when viewed in isolation may strike some as low.  However, readers of CPW should bear in mind this is par for the course for most data breach cases.  In many instances, plaintiffs’ attorneys will try to position themselves for a large payout, relying upon statutory causes of action that provide liquidated damages on a per violation basis to class members.  However, uncertainties in this area of the law—including in relation to questions of standing and causation—are still formidable challenges for Plaintiffs to overcome.  These issues in particular were previously cited in the Drizly litigation as driving settlement here.  See ECF 52-1 at 15 (citing In re Tyco Int’l, Ltd. Multidistrict Litig., 535 F. Supp. 2d 249, 260 (D.N.H. 2007) (noting that, because the case “involved a greater risk of non-recovery” due to “still-developing law,” this factor weighed in favor of approval); see also In re Sonic Corp. Customer Data Sec. Breach Litig., No. 1:17-md2807, 2019 WL 3773737, at *7 (N.D. Ohio Aug. 12, 2019) (“Data breach litigation is complex and risky.  This unsettled area of law often presents novel questions for courts.”) (emphasis supplied).  This trend is expected to continue–particularly in light of the Supreme Court’s ruling in TransUnion earlier this year.

For more developments regarding data privacy and security litigations, stay tuned.  CPW will be there to keep you in the loop.

CPW’s Rosa Barcelo and Kristin Bryan will be speaking at two International Association of Privacy Professionals (“IAPP”) engagements.

On November 17th, Rosa will be a moderator at the IAPP Europe Data Protection Congress 2021 conference in Brussels on Nov. 17-18.  Alongside a panel of industry thought leaders, Rosa will moderate a session titled, “Privacy and Security Considerations in Competition.”  Topics to be explored include legislative proposals focused on data portability, interoperability and the freedom of choice for consumers.  Complete event details may be found here.

On December 18th from 1-2 pm EST, Kristin will be speaking on a virtual panel for the Cleveland IAPP KnowledgeNet Chapter regarding “Key Impacts of CCPA, Virginia, Colorado and Proposed US Law” from her perspective as a data privacy and cybersecurity litigator.  In 2020, more than 30 states in the U.S. considered bills for state privacy and data protection laws. Both Colorado and Virginia have followed California’s lead and successfully passed comprehensive privacy laws. The three laws, California Privacy Rights Act, the Virginia Consumer Data Protection Act, and the Colorado Privacy Act, will all take effect in 2023.  Join the Cleveland and Columbus KnowledgeNet Chapters for an overview of scope and key obligations of these laws and tips for harmonizing your privacy risk management program.  Complete event details may be found here.

The influence of influencers on social media is a modern day phenomenon that marketers harness to develop more organic and grassroots connections with consumers, and influencers are able to monetize those connections. It is a symbiotic relationship, though one that is not necessarily clear to consumers.

When an influencer gets something of value to promote a product, that may impact how a consumer interprets that endorsement, and thus consumer protection authorities worldwide have long required clear, conspicuous and effective disclosures of those kinds of material connections. Recently authorities in the US and the UK have turned up the heat on influencer marketing practices. We break these efforts down for you so that you can adapt your influencer marketing programs to avoid problems.

Check out the detailed analysis prepared by the team here.