Photo of David Oberly

David Oberly

Earlier this week, the Illinois Supreme Court denied a petition for rehearing of its decision in Cothron v. White Castle, a case which has tremendous implications on the effect of Illinois’s Biometric Information Privacy Act (“BIPA”). As previously covered here on PW, the Court’s decision in February concluded that that each separate incident which is a violation of BIPA constitutes a distinct and separately actionable violation of the statute. In other words, plaintiffs may seek to collect liquidated damages per violation—$1,000 per violation, $5,000 per intentional/reckless violation—instead of per plaintiff, even if a plaintiff alleges daily violations over the course of years. This week’s ruling leaves in place the Cothron decision and its exponential expansion of the scope of damages that may be sought by an individual plaintiff.

Continue Reading Illinois Supreme Court Refuses to Reconsider Decision That BIPA Claims Accrue Individually with Each Violation

As of July 1, four states’ privacy laws will be effective and enforceable – the California Consumer Privacy Act as amended by the California Privacy Rights Act of 2020 (CPRA) (collectively, CCPA), effective since January 1, becomes enforceable on that date; the Virginia Consumer Data Protection Act (VCDPA) has been effective and enforceable since January 1; and, on July 1, the Colorado Privacy Act (CPA) and Connecticut Data Privacy Act (CTDPA) are both effective and enforceable.

There are a number of compliance obligations that overlap among these laws where prior compliance efforts for the original CCPA in 2020, and in relation to its updates for January 1 of this year, will suffice for compliance with the other, non-California laws. This said, Colorado’s regulations, promulgated on March 15, 2023, materially deviate from the CCPA in a number of consequential areas in a way that likely requires companies to revisit their January 2023 privacy notices and practices. Now is also a good time to address CPRA, CPA, CTDPA and VCDPA compliance posture generally. While some businesses plan to wait until their end-of-year review and update process, when they can also assess the many additional state laws that have or will pass this year, delaying compliance until then risks enforcement actions, particularly by California and Colorado regulators (interestingly, Connecticut’s Attorney General recently released an FAQ).

This top-level summary of key considerations outlines the issues we are finding that clients have often overlooked in their January 2023 updates.
Continue Reading Are You July-1-READY? 2023 Privacy Laws and Regulations Call for Revisiting Your 2022 End-of-Year Compliance Efforts

On May 18, 2023, the Federal Trade Commission (“FTC”) unanimously adopted its Policy Statement on Biometric Information and Section 5 of the Federal Trade Commission Act (“Policy Statement”), addressing the increasing use of consumers’ biometric information and the marketing of technologies that use or claim to use it—regarding which the FTC raises significant concerns. In the areas of privacy, data security, and the potential for bias and discrimination. In addition, the Policy Statement also provides a detailed discussion of the established legal requirements applicable to the use of biometrics, particularly those relating to Section 5 of the FTC Act, and lists examples of the practices the agency will scrutinize in determining whether companies’ use of biometric technologies run afoul of Section 5.

Continue Reading FTC’s New Policy Statement on Biometric Information Provides Clear Warning to Companies on Increased Scrutiny of Facial Recognition & Related Biometrics Practices

Today, Governor Jay Inslee signed into law the My Health My Data Act (SB 1155) (the “Act” or “MHMD”), a first-of-its-kind consumer health data law. Passage of the Act was, in part, a direct response by Washington state lawmakers to the U.S. Supreme Court’s decision in Dobbs v. Jackson Women’s Health Org. overturning Roe v. Wade. Recognizing that the nation’s federal health law, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), has blind spots in protecting health-related information collected outside of contexts involving HIPAA covered entities (e.g., healthcare institutions), the legislature in passing MHMD sought to “close the gap” in privacy protections for health data that falls outside the scope HIPAA, including information related to reproductive health and gender-affirming care.
Continue Reading Governor Inslee Signs Washington My Health My Data Act Into Law: First-of-Its-Kind Consumer Health Data Law, Explained

One of the most notable trends in Illinois Biometric Information Privacy Act (“BIPA”) class action litigation is the marked increase in the number of class actions targeting third-party biometric technology vendors, such as identity authentication systems and employee timekeeping devices. Importantly, because these vendors do not maintain any direct relationship with the end users of

On April 13, 2023, the Indiana legislature passed Senate Bill 5 (“SB 5”)—more commonly referred to as the Indiana Consumer Data Privacy Act or “Indiana CDPA”—sending the legislation to Governor Eric Holcomb’s desk for signature. Governor Holcomb has until Thursday, April 20 to act on the bill. The Indiana CDPA will become law either if the governor signs the bill or takes no action before the April 20 deadline.
Continue Reading Follow the Leader: Indiana Becomes Latest State to Enact Consumer Privacy Statute

Today, the Illinois Biometric Information Privacy Act (“BIPA”) remains one of the hottest areas of class action litigation. Despite the high volume of class action filings, however, many significant aspects of Illinois’s biometrics statute remain unsettled and uncertain. One of the most notable open-ended issues pertains to the applicability of BIPA to third-party vendors and

New Year, New Bills

As Privacy World reported, 2022 saw a plethora of class action litigation stemming from alleged non-compliance with the well-known Illinois Biometric Information Privacy Act (“BIPA”). At the same time, due to concerns about companies using biometrics in a safe and responsible manner, lawmakers from coast to coast also attempted (albeit

The Illinois Supreme Court today resolved one of the most significant unsettled areas of law for claims arising under the Illinois Biometric Information Privacy Act (“BIPA”). In its decision in Cothron v. White Castle Sys., Inc., the Court confirmed that each separate violation of BIPA constitutes a distinct and separately actionable violation of the

For over two years now, online retailers—such as cosmetics and eyewear brands—that utilize virtual try-on (“VTO”) tools have faced a barrage of class action litigation alleging that their technology violates the Illinois Biometric Information Privacy Act (“BIPA”). During this period, a defense has emerged for the targets of VTO suits and online eyewear retailers in