Search results for: clearview

At this point, readers of CPW are familiar with the Clearview Illinois Biometric Information Privacy Act (“BIPA”) litigation.  The case raises novel data privacy and constitutional issues, as underscored by a recent development in the case.

Clearview previously moved to dismiss Plaintiffs’ claims under BIPA and various other states’ laws.  Among other arguments, Clearview claimed that Plaintiffs were improperly attempting to apply BIPA to Clearview’s out-of-state conduct in violation of Illinois’ extraterritoriality doctrine (which requires that the conduct at issue occurred “primarily and substantially” in the state).  This standard was plainly not satisfied here, Clearview argued, as none of the conduct relevant to Plaintiffs’ claims occurred in Illinois, and therefore the litigation should be dismissed.  Clearview also argued if BIPA applied to Clearview’s conduct, then BIPA would violate the dormant Commerce Clause of the U.S. Constitution, which precludes the application of a state statute that has the effect of regulating conduct in another state.

Besides these challenges, Clearview asserted that Plaintiffs’ claims are barred by the First Amendment and Article One Section Four of the Illinois Constitution.  According to Clearview, this is because both protect the creation and dissemination of information—which includes the collection and use of public photographs that appear on the Internet.  Besides these constitutional challenges, Clearview also argued that Plaintiffs failed to plead a cognizable BIPA claim under Section 15(c) of the statute (to be discussed on this blog another day).

Plaintiffs have opposed Clearview’s motion.  Last week, several consumer privacy groups weighed in, seeking leave to file amicus briefs supporting Plaintiffs—including the Electronic Frontier Foundation (“EFF”) and the Center on Privacy & Technology at Georgetown Law (“Center”).  Unsurprisingly, these groups have contrary views as to BIPA and whether it passes constitutional muster.  For example, as recently argued by the Center, BIPA is a content-neutral law that protects against the harm facial recognition technology poses to Illinois residents’ rights to privacy and free expression.  This includes in relation to protecting residents from police misuse of facial recognition technology [Note: Remember Clearview’s customers?]

As more states (like New York) pass biometric laws, similar arguments are going to be raised in future data privacy litigations.  Although how the court rules regarding BIPA in the context of the Clearview litigation will not be dispositive for these cases, it will provide a useful metric for predicting the direction of the law on this topic.  Not to worry-CPW will be there every step of the way to keep you in the loop.  Stay tuned.

Following up on our prior coverage (see here and here), this week a federal court denied Plaintiffs’ request for the first-ever injunction under BIPA In re: Clearview AI, Inc. Consumer Privacy Litigation, Case No. 1:21-cv-00135 (N.D. Ill).  Read on for the scoop.

Recall that Clearview collects publicly-available images on the Internet and organizes them into a searchable database, which Clearview’s licensed users can then search by using Clearview’s app.  As described in Clearview’s prior briefing the only information that Clearview stores from the photos are: (1) the URL from which the photo was collected; (2) any metadata associated with the image itself; and (3) the facial vectors from the faces that appear in the image.

Moreover, in response to the BIPA litigation, Clearview has already implemented significant changes to its business practices.  However, according to Plaintiffs these measures are inadequate as Clearview “cannot be trusted” to maintain these changes.  For these reasons, and others, Plaintiffs requested that the court issue a preliminary injunction enjoining Clearview’s business practices.

In order for the Plaintiffs to demonstrate they were entitled to a preliminary injunction in the litigation, it was required that they establish four elements: “(1) they have a reasonable likelihood of success on the merits; (2) no adequate remedy at law exists; (3) they will suffer irreparable harm, which, absent injunctive relief, outweighs the irreparable harm [Clearview] will suffer if the injunction is granted; and (4) the requested injunction will not harm the public interest.”  The court’s opinion which came out earlier this week determined that the consumers failed to demonstrate a likelihood of irreparable harm in the absence of injunctive relief.  Their motion for a preliminary injunction was denied.

Notably, the court found that the failure of the Plaintiffs to show that irreparable harm is likely in the absence a preliminary injunction was “dispositive.”  The court commented that “Plaintiffs base their irreparable harm argument on what they call the Clearview defendants’ ‘lax security practices’ and two past data breaches of Clearview’s electronic systems.”  However–in language familiar to all data privacy litigators–the court found that “Plaintiffs’ general arguments about the possibility of future data breaches and Clearview’s lax security practices suggest a mere possibility of irreparable harm, not that they will likely suffer irreparable harm.”  To put it simply, Plaintiffs’ alleged speculative future injuries were not enough to support a preliminary injunction.

The court also rejected concerns Plaintiffs’ raised with the testimony of Clearview’s General Counsel, who testified as a Rule 30(b)(6) witness in the litigation.  At that deposition, Clearview’s GC “admitted he was not a cybersecurity expert” and Plaintiffs also took issue with certain “responses about Clearview’s security measures [which] lacked precision.”  While the court acknowledged that perhaps the GC was “not the best Rule 30(b)(6) witness to testify about Clearview’s security measures,” “his lack of knowledge does not create a reasonable inference that plaintiffs will likely suffer irreparable harm before final judgment.”

So there you have it.  Plaintiffs were unable to show they met the legal standard for a preliminary injunction in regards to their claims under BIPA.  However, the litigation remains ongoing and remains a must-watch.  For more on this, stay tuned-CPW will be there to keep you in the loop.

CPW has been following the Clearview Illinois Biometric Information Privacy Act (“BIPA”) litigation for quite some time.  On Friday, Clearview argued to an Illinois federal judge that an injunction should not be issued precluding the company from collecting data.  This included, among other reasons, the argument that Clearview’s business operations are exempt from BIPA and that Clearview’s activities are Constitutionally protected.  Read on to learn more.

As you will recall, in In re: Clearview AI, Inc. Consumer Privacy Litigation, Case No. 1:21-cv-00135 (N.D. Ill), Plaintiffs have asked the court to issue the first-ever injunction under BIPA.  Given the potential impact this case could have on other app-developers and actors in the space, this litigation is a must-watch.

First, some background for the uninitiated.  Clearview collects publicly-available images on the Internet and organizes them into a searchable database, which Clearview’s licensed users can then search by using Clearview’s app.  As described in Clearview’s briefing, the only information that Clearview stores from the photos are: (1) the URL from which the photo was collected; (2) any metadata associated with the image itself; and (3) the facial vectors from the faces that appear in the image.

Accordingly, Clearview asserted to the court it cannot determine whether the individuals in the images it collects live in Illinois.  Instead, this can be ascertained at best only on an ad-hoc basis based on photo metadata.  For this reason, Clearview argued a BIPA injunction would be particularly harmful as the company would likely have to stop using its database outright (without being able to tailor any response on an Illinois-specific basis).

In response to the litigation, Clearview has already implemented changes to its business practices.  First, it purportedly cancelled the accounts of every customer who was not either associated with government agencies or their agents or subcontractors.  Second, Clearview also implemented an opt-out mechanism for Illinois residents to exclude their photos from Clearview’s search engine.  And third, Clearview’s terms of use now require users of the Clearview app to, among other things, agree to use the app only for law enforcement purposes and not to upload photos of Illinois residents.

However, according to Plaintiffs these measures are inadequate as Clearview “cannot be trusted” to maintain these changes.  Additionally, in the litigation Plaintiffs have also pointed to Clearview’s 2020 patent application that Plaintiffs contend “describes a much broader use of [Clearview’s] technology.”  For these reasons, and others, Plaintiffs requested that the court issue a preliminary injunction enjoining Clearview’s business practices.

In order for the court to rule in favor of Plaintiffs, it must find that: “(1) they have a reasonable likelihood of success on the merits; (2) no adequate remedy at law exists; (3) they will suffer irreparable harm, which, absent injunctive relief, outweighs the irreparable harm [Clearview] will suffer if the injunction is granted; and (4) the requested injunction will not harm the public interest.”

Clearview argued in its most recent briefing that Plaintiffs cannot satisfy this standard.  First, Clearview claimed exemption from BIPA.  This is because the statute does not apply “a contractor, subcontractor, or agent of a State agency or local unit of government when working for that State agency or local unit of government.”  740 ILCS 14/25(e).

And even if BIPA applied to Clearview (which Clearview argued it does not), Clearview also contended that the record evidence plainly supports Clearview’s other defenses.  This includes, among other reasons, that:

(1) BIPA does not apply to conduct outside of Illinois; and

(2) Clearview’s conduct is protected under the First Amendment.

Notably, Illinois state law recognizes a “rule of construction” that a “statute is without extraterritorial effect unless a clear intent in this respect appears from the express provisions of the statute.”  Because BIPA lacks such a provision, Clearview argued the statute should not apply here as the “majority of circumstances” giving rise to Plaintiffs’ claims occurred outside of Illinois.  Specifically, Clearview is headquartered in New York, Clearview’s servers are located outside of Illinois; and Clearview does not sell its services or app to anyone in Illinois.

Clearview also argued that its conduct is constitutionally protected, as the U.S. Supreme Court has held that the “creation and dissemination of information are speech within the meaning of the First Amendment.”

How the court will rule on these issues (and on Plaintiffs’ requested injunction) remains to be seen.  The litigation raises interesting questions concerning the impact of state privacy laws on emerging technologies, in addition to novel constitutional issues.  Not to worry, CPW will be there.  Stay tuned.

Frequent readers of CPW will recall our coverage of the Clearview MDL currently pending in the Northern District of Illinois.  Plaintiffs, seeking to represent a class of Illinois residents, have filed a class action lawsuit claiming that the defendant, Clearview AI, Inc. has collected the biometric information of Illinois residents and sold that information in a database without the residents’ consent.

During the MDL proceedings, Clearview has represented to the court that it voluntarily changed its business practices to avoid including data from Illinois residents in its database, and to avoid providing its services to non-governmental customers.  Plaintiffs, however, claim that these representations are either inaccurate or misleading, based primarily on Clearview’s recent patent application that would permit it to use its accumulated biometric information in connection with background searches on potential business or personal connections.  Based on this application, along with other evidence that plaintiffs claim shows Clearview’s representations are either inaccurate or dishonest, plaintiffs have a motion asking the court to preliminarily enjoin Clearview from possessing, using, or storing the biometric information of any Illinois resident for any purpose without first obtaining clear written consent under Illinois’ Biometric Information Privacy Act (“BIPA”), and to create certain protections and policies regarding the possession, storing, and use of that information.

This motion is interesting for a few reasons: first, the basis for the injunction isn’t the actions that led the plaintiffs to bring the suit in the first place; the basis is actions the defendant might possibly take in the future that have yet to impact Illinois residents.  Second, the motion effectively asks the court to weigh the credibility of Clearview’s representations regarding its efforts to cease harm to the plaintiffs.  And third, the motion doesn’t ask that the court enjoin the specific act that’s the basis for the request—it asks the court to enjoin global aspects of Clearview’s operations.

We’ll keep an eye on this motion, as the court’s decision could have far-reaching impact on defendants in privacy litigation who continue to pursue other ventures with privacy implications while the litigation is ongoing.

In its latest filing in Thornley v. Clearview AI, No. 20-3249, defendant Clearview AI petitioned the Seventh Circuit to stay the issuance of its mandate in the litigation because it plans to file a petition for writ of certiorari with the Supreme Court.  The Seventh Circuit has not yet issued its mandate following its decision earlier this month to deny rehearing of its decision affirming that Plaintiffs’ putative class action brought under Illinois’ Biometric Information Privacy Act (“BIPA”) should be heard in state court, rather than federal court.

While Clearview has not yet filed its petition for certiorari, its filing with the Seventh Circuit gives a preview of the question it will ask the Supreme Court to clarify: whether, under Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016), an allegation of a statutory violation necessarily gives rise to a concrete and particularized injury-in-fact that is necessary for Article III standing.  A plaintiff must have Article III standing to sue in federal court, which requires that the plaintiff prove: (1) an injury in fact; (2) causation of the injury by the defendant; and (3) that the injury is likely to be redressed by the requested relief.  In Spokeo, the Supreme Court found that a statutory violation can be sufficient to constitute an injury in fact, but did not provide analysis of which types of statutory violations necessarily implicate concrete and particularized injuries in fact.

Throughout the procedural history of Thornley, Clearview has consistently alleged that the BIPA violations alleged in Plaintiffs’ complaint are sufficient for Article III standing, because violations of BIPA constitute a concrete and particularized harm given the privacy concerns implicated in the statute.  Plaintiffs had alleged a statutory violation of BIPA, section 15(c), which prevents a private entity from selling or profiting from an individual’s biometric data, on the basis of Clearview selling access to its digital database containing Plaintiffs’ biometric identifiers or information.  Plaintiffs have argued that the action should play out in state court because the complaint intentionally only alleges a procedural violation of BIPA, which is not itself a sufficient injury in fact to confer Article III standing upon Plaintiffs.  The district court previously found, and the Seventh Circuit affirmed, that it was permissible for Plaintiffs to take advantage of the fact that Illinois permits suits under BIPA that only allege procedural violations of the statute, and that Plaintiffs had not alleged a concrete and particularized harm in alleging the specific violations of BIPA they raised.

Clearview’s petition would give the Supreme Court the opportunity to clarify the types of statutory violations that necessarily give rise to Article III standing under Spokeo, and any decision would have a significant impact on the wave of BIPA legislation that has been brought since BIPA became law in 2008.  While the jury is out on whether the Supreme Court will grant certiorari, it already did so earlier this year for a key question of Article III standing under the FCRA.  We’ll have the coverage of how this litigation processes for you here on CPW – stay tuned.

As CPW readers may recall, in December 2020, two notable data privacy multidistrict litigations (“MDLs”) were created:  In re: Clearview AI, Inc., Consumer Privacy Litigation (“Clearview”) and In re Blackbaud, Inc. (“Blackbaud”). Since then, each case has experienced a few developments.  Read our summary of developments below, and be sure to subscribe to CPW to follow our ongoing coverage of these two significant data privacy MDLs.

First, a look at who the defendants are and how we arrived at this point.

Clearview is a facial recognition startup.  Its story began in January 2020, when the New York Times reported on Clearview’s alleged data gathering and use practices.  In a nutshell, reporters alleged that Clearview used facial recognition software to scan images that had been scrapped from the internet for purposes of creating a biometric database of scanned images that could allow persons to be identified.  The reaction was swift:  as CPW previously reported, the first lawsuit against Clearview was filed within three days of the Times’s reporting.  Eventually, 10 cases were consolidated before Judge Sharon Johnson Coleman of the U.S. District Court for the Northern District of Illinois.

Blackbaud is a cloud computing provider, and its story began with a tale more commonly seen elsewhere.  The relevant lawsuits began after an alleged ransomware attack and data security breach of its systems from February 2020 to May 2020 purportedly compromised the personal information of millions of consumers doing business with entities served by Blackbaud’s cloud software and services.  Eventually, 23 cases were consolidated before Judge J. Michelle Childs of the U.S. District Court for the District of South Carolina.

Next, a look at what has happened in each MDL, as well as a preview of upcoming events.

Since consolidation, Clearview has experienced several developments.  As active matters, the court is currently accepting briefing for lead plaintiffs’ counsel and the case was referred to Judge Maria Valdez for discovery supervision.  Previously, the first status hearing was held on February 9, 2021, and recent court filings indicate that an unsuccessful mediation session was held on February 2, 2021.  Two upcoming events include the conclusion of briefing for plaintiffs’ counsel by March 2, 2021 and the next status hearing scheduled for March 12, 2021.

Blackbaud’s docket appears to be progressing quicker than Clearview.  Like Clearview, the Blackbaud court already held one status conference (on January 29, 2021), and a new status conference is scheduled for March 19, 2021.  Unlike Clearview, however, the Blackbaud court has already selected lead plaintiffs’ counsel and, according to a February 3, 2021 order, fact sheets and proposed discovery materials are due this month.  Upcoming, the plaintiffs are expected to file a consolidated complaint no later than the beginning of April and the parties should be submitting a scheduling order for substantive dismissal motions practice as soon as possible.

The Northern District of Illinois recently declined to stay an action for declaratory relief relating to an insurance coverage dispute arising out of the ongoing Clearview litigation.  This was because, the court held, determination of whether an insurance policy applied did not require resolution of facts related to the policy holder’s alleged violations of Illinois’ Biometric Information Privacy Act (“BIPA”).  Citizens Ins. Co. of Am. v. Wynndalco Enters., LLC, No. 20 C 3873, 2021 U.S. Dist. LEXIS 15300 (N.D. Ill. Jan. 27, 2021).  The case is a reminder that with the growth in data privacy litigations, there will inevitably be coverage disputes regarding what entity (if any) should cover a defendant’s expenses defending such suits.  Read on below.

In Citizens Ins. Co. of Am. v. Wynndalco Enters., LLC, No. 20 C 3873, 2021 U.S. Dist. LEXIS 15300 (N.D. Ill. Jan. 27, 2021), the plaintiff (an insurance company) sought declaratory relief that it has no duty to defend or indemnify defendant Wynndalco in two BIPA class action litigations.  In the BIPA litigations, it was alleged that Wynndalco “operated as Clearview’s Illinois-based agent by purchasing Clearview’s technology and then reselling or licensing it to law enforcement agencies, whether directly or through another intermediary”.  Id. at *9.  Accordingly, Wynndalco purportedly “violated the BIPA by capturing, collecting, receiving, storing, disclosing, and/or using biometric identifiers and biometric information, without complying with the statutory requirements, in the course of its agency relationship with Clearview.”  Id.

Citizens subsequently filed a declaratory judgment action, seeking a ruling that that it had no duty to defend or indemnify Wynndalco and the CEO and founder of Wynndalco in the litigations involving Clearview.  Wynndalco, in turn, moved to stay the matter pending resolution of the underlying cases.

Wynndalco’s motion to stay was premised on the principle that “it is generally inappropriate for a court considering a declaratory judgment action to decide issues of ultimate fact that could bind the parties to the underlying litigation.”  Id. at *6.  For purposes of resolving the insurer dispute, Wynndalco argued the court would have to determine two questions of ultimate fact on which the underlying actions hinged: (1) “whether Wynndalco was a government contractor, and therefore exempted under BIPA:; and (2) “whether Wynndalco ‘possessed’ biometric information.”  Id.

The court disagreed.  This was because, it explained, to determine whether Citizens had a duty to defend “the Court need only ask whether the allegations of the [BIPA] complaints, ‘if proven, . . . would establish an injury’ covered by the Policy”.  Id. at *9 (emphasis in original).  Accordingly, it was not necessary to stay the litigation pending resolution of the BIPA class actions.  The court additionally noted that Wynndalco and the Wynndalco executives had conceded as much in their briefs “where they cite multiple precedents for the proposition that the insurer’s ‘duty to defend exists as long as the allegations of the underlying complaint are potentially within the scope of coverage.’”  Id. (emphasis in original).

So there you have it.  This case is a cautionary reminder to defendants in data privacy litigation that insurance coverage for legal fees is not guaranteed merely by the existence of a policy (and there may be challenges to a policy’s scope before the merits of the underlying data privacy litigation are resolved).  For the most update to date news concerning the various issues implicated by the Clearview litigation stay tuned.  CPW will be there to keep you in the loop and informed of other developments regarding data privacy litigation more broadly.

 

Several weeks ago, ConsumerPrivacyWorld reported that the Seventh Circuit had affirmed a district court decision to remand a putative class action brought under Illinois’ Biometric Information Privacy Act (“BIPA”) to Illinois state court.  In Thornley v. Clearview AI, No. 20-3249, 2021 U.S. App. LEXIS 1006 (7th Cir. Jan. 14, 2021), the Seventh Circuit found that the complaint alleged only a statutory violation, and did not allege any particularized injury – which was intentional and a permissible strategic choice, as Plaintiffs preferred to litigate in state court – and the case was remanded for lack of Article III standing to sue in federal court.  Last week, the defendant, Clearview AI, filed a petition for rehearing, claiming that the complaint sufficiently alleges an injury in fact and that the Seventh Circuit’s holding conflicts with existing precedent on BIPA and on Spokeo.

Clearview first claimed that the complaint alleges a concrete and particularized injury in fact, giving Plaintiffs Article III standing.  [As a quick reminder, to establish Article III standing, which is necessary to sue in federal court, plaintiffs must generally show: (1) a concrete injury in fact; (2) that the injury was caused by the defendant; and (3) that the injury would likely be redressed by the requested relief.]  Plaintiffs had alleged a statutory violation of BIPA, section 15(c), which prevents a private entity from selling or profiting from an individual’s biometric data, on the basis of Clearview selling access to its digital database containing Plaintiffs’ biometric identifiers or information. Clearview argued that this allegation is concrete and particularized because the harm posed by having one’s personal information sold is experienced in a unique way, as each person has a private and possessory information in their own biometric data.

The petition also claims that the Seventh Circuit’s holding is inconsistent with existing precedent on BIPA and on Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016), the Supreme Court case that found that Article III standing requires allegations of an injury in fact even where only a statutory violation has been alleged.  Clearview claimed that, contrary to the Seventh Circuit’s finding, an alleged violation of BIPA section 15(c) is a type of statutory violation that necessarily gives rise to an injury in fact, given the risk of harm to the concrete privacy interest an individual has in their own biometric information.  It pointed to other Seventh Circuit decisions that had interpreted different provisions of BIPA and found that the nature of the statutory violations alleged also alleged a concrete and particularized harm.  With respect to Spokeo, Clearview pointed out the wide variety of case law interpreting the injury in fact requirement differently, as highlighted in Judge Hamilton’s concurrence in Thornley.  It asked for rehearing or en banc review to clarify the law on what constitutes an injury in fact when a statutory violation is alleged.

We’ll keep an eye on how this one develops for you.

Yesterday, the Seventh Circuit weighed in on the critical issue of whether a plaintiff bringing a data privacy action – this time, under Illinois’ Biometric Information Privacy Act (“BIPA”) – has Article III standing to sue in federal court.  In a twist that civil procedure buffs will love, Plaintiffs claimed that they did not have standing (because they preferred to litigate in state court), while defendant claimed the Plaintiffs had valid standing.  Ultimately, Plaintiffs won the day, and the Seventh Circuit affirmed the district court’s remand to Illinois state court.[1]

In Thornley v. Clearview AI, No. 20-3249, 2021 U.S. App. LEXIS 1006 (7th Cir. Jan. 14, 2021), Plaintiffs initially filed suit in Illinois state court against Clearview, alleging violations of BIPA §§ 14/15(a), (b), and (c).  Clearview removed the case to federal court, and Plaintiffs voluntarily dismissed, only to bring another claim against Clearview in Illinois state court.  This time, Plaintiffs alleged only a violation of BIPA § 15(c), with a narrower proposed class definition.  When Clearview promptly removed to federal court again, Plaintiffs filed a motion to remand, alleging (under Spokeo) that the BIPA violation alleged in the complaint was a “bare procedural violation, divorced from any concrete harm” that did not support Article III standing.  In general, a plaintiff must show that three things are true to establish Article III standing, which is necessary for suit in a federal court: (1) that he or she suffered an injury in fact that is concrete, particularized, and actual or imminent, (2) that the injury was caused by the defendant, and (3) that the injury would likely be redressed by the requested judicial relief.  The Thornley court focused only on the first factor (the “injury in fact requirement”).

The Thornley court first turned to relevant Seventh Circuit precedent in which it had already examined the issue of Article III standing under BIPA, pointing back to its decisions in Miller v. Southwest Airlines Co., 926 F.3d 898 (7th Cir. 2019); Bryant v. Compass Group USA, Inc., 958 F.3d 617 (7th Cir. 2020); and Fox v. Dakkota Integrated Systems, LLC, 980 F.3d 1146 (7th Cir. 2020).  It did so to underscore two points: first, that “allegations matter,” specifically the particular allegations that each plaintiff brings, even in cases that are factually similar or brought under the same statutory provision; and second, that Article III must be satisfied regardless of the type of violation that is alleged (procedural or substantive).

The Thornley complaint alleged a violation of BIPA § 15(c), which specifies that companies may not profit from individuals’ biometric information, and conceded that no class member suffered any injury aside from that statutory violation (the inclusion of their biometric information in Clearview’s database).  In evaluating the removal to federal court, the district court found that these particular allegations did not show concrete or particularized harm.  The Seventh Circuit agreed, noting that its decision would be different if the allegations had been different – for example, if the named plaintiff had alleged that, by selling her data, defendant had amplified an invasion of privacy, or deprived her of her own opportunity to profit from her data, that could have potentially satisfied Article III standing.  As the complaint was written, though, it did not allege any particularized injury.

The Thornley court also considered whether the fact that Plaintiffs had brought a class action – in which class members might potentially have suffered more particularized harm – would defeat the remand to state court.  It distinguished Thornley from Standard Fire Insurance Co. v. Knowles, 568 U.S. 588 (2013), a case in which a plaintiff sought remand to state court with a stipulation that he and the class would not seek more than $5,000,000 in damages; the Supreme Court found that such a stipulation could not be binding on class members.  Thornley differed because the issue turned on Plaintiffs’ class definition, and because “the plaintiff controls her own case,” Plaintiffs had the right to file a complaint with a narrower class definition than they could have otherwise sought.  The Seventh Circuit noted that other putative plaintiffs were free to bring their own class actions against Clearview with broader class definitions.

Ultimately, the Seventh Circuit acknowledged that it was “no secret” that Plaintiffs had taken care with their allegations and proposed class definition to “steer clear of federal court,” but noted that, “in general, plaintiffs may do this.”  Plaintiffs were permitted to “take advantage” of the fact that BIPA permits suit for solely statutory violations.

In a concurrence, Judge David Hamilton opined on the different outcomes of Seventh Circuit decisions on standing for private plaintiffs bringing suit under consumer protection statutes, observing, “I confess that I have not yet been able to extract from these different lines of cases a consistently predictable rule or standard.”  Judge Hamilton noted that Spokeo may have “raised more questions than it answered” in its finding that standing requires concrete injury, but that intangible injuries may sometimes be considered concrete.  As a result, he observed that some Seventh Circuit decisions may have “take[n] Spokeo too far” in denying standing for private plaintiffs alleging substantive violations of consumer protections statutes.

Thornley is the latest in a slate of federal court decisions on Article III standing in the context of data breach litigation, but is a win for class action plaintiffs looking to litigate BIPA claims in Illinois state courts.  Defendants seeking removal to federal court in data privacy actions should take special notice of the specific allegations they are contesting.  As Thornley demonstrates, those allegations can make or break your removal case.

[1] As many CPW readers know, BIPA regulates the storage and sale of biometric data, and offers consumers protections of that data, including the right to sue a business that fails to comply with BIPA’s requirements.  CPW readers will also be familiar with Clearview AI, a manufacturer of software that “scrapes” pictures from social media sites and sells access to a database of these pictures to clients, many of whom are law enforcement agencies.

This week the Judicial Panel on Multidistrict Litigation (“JPML”) ordered the creation of two massive data privacy multidistrict litigations (“MDLs”), in a move that will have significant impact on the data privacy litigation landscape in 2021.  The litigations, concerning claims brought against Clearview AI and Blackbaud Inc., are now headed to federal courts in Illinois and South Carolina for consolidated proceedings.  In re Blackbaud, Inc., 2020 U.S. Dist. LEXIS 236057 (JPML Dec. 15, 2020); In re Clearview AI Inc., 2020 U.S. Dist. LEXIS 236053 (JPML Dec. 15, 2020).

MDLs are a way of handling multiple civil actions at once, and can be formed when separate actions in different federal district courts share a common question of fact.  28 U.S.C. Section 1407(a).  On a motion filed by either party, those separate actions can be flagged to the JPML.  The JPML then decides whether the litigations should be consolidated and transferred into one federal court for consolidated pretrial proceedings.  [Note: Don’t assume that just because a party requests formation of a MDL it will happen.  The JPML denies the majority of such motions, although data breach MDLs are becoming increasingly common].  MDLs are generally formed to address complex legal matters.  They differ from class actions because while a class action is one lawsuit brought on behalf of a group of plaintiffs; the cases that are part of a MDL remain separate lawsuits that are handled together for efficiency.

CPW readers are already well familiar with the Clearview litigations.  In regards to the various claims that had been brought against Clearview, the JPML found that “[t]hese actions share factual questions arising from allegations that the Clearview defendants improperly collected, captured, obtained, distributed, and profited off of citizens’ biometric data.”  As such, the JPML held that “centralization will eliminate duplicative discovery; prevent inconsistent pretrial rulings, including with respect to class certification; and conserve the resources of the parties, their counsel, and the judiciary.”  Consistent with the JPML’s order, these cases will now proceed in Illinois federal court for consolidated proceedings.

And in regards to Blackbaud, there was an alleged ransomware attack and data security breach of Blackbaud’s systems from about February 2020 through May 2020 that purportedly compromised the personal information of millions of consumers doing business with entities served by Blackbaud’s cloud software and services.  Plaintiffs, whose information was allegedly disclosed in the breach, filed putative class action litigation against Blackbaud.  While their allegations varied, the JPML found all litigations raised certain common factual questions regarding (1) Blackbaud’s data security practices and whether the practices met industry standards; (2) how the unauthorized access occurred; (3) the extent of personal information affected by the breach; (4) when Blackbaud knew or should have known of the breach; (5) the investigation into the breach; and (5) the alleged delay in disclosure of the breach to Blackbaud clients and affected consumers.  As such, the JPML ruled (as with the Clearview cases) that “centralization of the litigations in South Carolina would eliminate duplicative discovery; prevent inconsistent pretrial rulings, including with respect to class certification; and conserve the resources of the parties, their counsel, and the judiciary.”

These MDLs are poised to shape data privacy litigation to come – particularly with respect to Clearview, which is one of the first MDLs formed to address the handling of biometric data.  We’ll keep our eyes on Illinois and South Carolina for you to let you know how things turn out.  Stay tuned!