A putative federal class action brought on behalf of delivery drivers asserting invasion of privacy and wiretapping claims against a global e-commerce company survived an interlocutory appeal last week.  The Ninth Circuit Court of Appeals upheld a decision from the U.S. District Court for the Southern District of California that allows plaintiff’s claims to proceed.

The opinion, written by Judge Schroeder, affirmed the lower court’s decision denying the company’s motion to compel arbitration.  The Court held that the e-commerce company did not provide adequate notice of a change to its terms of service (TOS) for delivery drivers, so a 2019 agreement did not replace the original TOS the lead plaintiff and others assented to in 2016.  Moreover, while the 2016 agreement validly bound the parties, the Court held that the claims, which include invasion of privacy and wiretapping, fell outside of the scope of that agreement’s arbitration clause, so litigation, not arbitration, must resolve the dispute.

Delivery Driver Alleged the E-Commerce Giant Spied on His, and Others’, Private Communications

In February 2021, the lead plaintiff alleged that the e-commerce company “was unlawfully monitoring communications” in closed social media group chats for those, like him, who worked as gig-style delivery drivers for the company.  The drivers communicated about unionizing efforts, benefits, warehouse conditions, and more under the assumption that their communications were private.  The class action suit raised state claims of invasion of privacy under California’s Invasion of Privacy Act and the California Constitution, as well as federal claims for violation of the Federal Wiretap Act and the Stored Communications Act.  The e-commerce company sought to compel arbitration under its 2019 TOS with its gig drivers, but the Southern District of California denied the motion.  The company brought its interlocutory appeal thereafter.

The Ninth Circuit Court of Appeals Had Proper Jurisdiction Over the Appeal

To start, the Ninth Circuit held that it had proper jurisdiction to hear the appeal.  The plaintiff challenged the Court of Appeals’ jurisdiction over the interlocutory appeal because the original complaint was not brought under the Federal Arbitration Act (FAA), which makes rulings on motions to compel arbitration immediately appealable.  Though the plaintiff cited the practice, in other Federal Circuits, of not allowing interlocutory appeals on motions to compel arbitration, the Court noted that it is settled law in the Ninth Circuit that “an order denying a motion to compel arbitration is immediately appealable as tantamount to a denial of injunctive relief under 28 U.S.C. § 1292(a)(1).”

The Earlier Agreement Between the Parties Applies to This Dispute, Because of Improper Notice of Material Changes to the Arbitration Clause in the Later Agreement

Next, the Court of Appeals considered whether the district court applied the correct contract in considering whether the claims were arbitrable.  The e-commerce company argued that an updated TOS agreement it sent to its delivery drivers in 2019, which contained a broader arbitration clause, should apply.  The key difference between the 2016 and 2019 agreements was the 2019 agreement’s broader arbitration provision “that made the issue of arbitrability itself subject to arbitration” (emphasis added).  The Court of Appeals upheld the district court’s ruling that the 2016 TOS agreement applied because the e-commerce company gave its drivers inadequate notice of the new terms in the 2019 agreement.

Without adequate notice, the drivers could not affirmatively assent to new contractual terms, the Court of Appeals reasoned, citing the U.S. Supreme Court’s emphasis on the necessity of consent in contracts: “[P]arties cannot be coerced into arbitrating a claim, issue, or dispute absent an affirmative contractual basis for concluding that the party agreed to do so.” (citing Viking River Cruises, Inc. v. Moriana, ––– U.S. ––––, 142 S. Ct. 1906, 1923, 213 L.Ed.2d 179 (2022)).

The Court of Appeals wrote that the burden was on the e-commerce company to show the drivers’ assent to the new terms in the 2019 agreement, not on the plaintiffs to show the lack of consent.  In this case, however, there was no evidence that the email allegedly sent to drivers adequately notified drivers of the update to the arbitration clause.  The court consequently held: “a reasonable person would not believe that the . . . drivers’ conduct constituted an intent to be bound by a new arbitration provision in the 2019 TOS.”

Federal and State Invasion of Privacy Claims and Wiretapping Claims Are Not Arbitrable Under the Agreement Between the Parties

Having determined which agreement bound the parties, the Court of Appeals finally turned to the question of arbitrability.  The e-commerce company argued that, even under the 2016 TOS, the case should be sent to arbitration because the claims fell within the scope of that arbitration provision.  The Court of Appeals, like the district court, disagreed.  The Court found the various allegations that the e-commerce company spied on its drivers not arbitrable because they “involve employer misconduct wholly unrelated to the parties’ agreement.”  Even if the alleged spying occurred while the drivers were performing services under the agreement, that does not mean the alleged misconduct arose from the agreement.

The e-commerce company argued that, even if the claims in the dispute were not arbitrable, the dispute should still be sent to arbitration because the company may have potential defenses to the claims within the privacy-related provisions of the agreement.  But the Court still disagreed because of settled law that “[a]rbitrability issues . . . are to be decided on the basis of the complaint.”

Takeaways Regarding the Arbitrability of Privacy Claims

Though the Court of Appeals declined to wade into the debate on whether gig workers are employees or independent contractors, its ruling provides insight into the Ninth Circuit’s treatment of data privacy disputes going forward.

In holding that the alleged misconduct that led to violations of California state privacy laws and federal wiretapping and stored communications laws did not arise under the terms of service, the Ninth Circuit declined to shield companies from public litigation when the conduct at issue is arguably unrelated to the provision of services outlined in the agreement between the parties.  The Ninth Circuit extended its emphasis on protecting the privacy rights of consumers in such litigation to protect employees and contractors from practices at issue in this case as well.

For more, stay tuned.  Privacy World will be there to keep you in the loop.

The EU adequacy decision in favour of the UK allows the free flow of personal data between the UK and the European Economic Area (the EU member states plus Iceland, Liechtenstein and Norway). Both before and since expiry of the Brexit implementation period businesses have emphasised the crucial importance of maintaining that adequacy decision, pointing out that it is subject to review in 2025, or sooner if UK data protection law is considered to have diverged from EU GDPR in a way that poses a risk to the rights and freedoms of data subjects. Up to, and including, the second reading debate for the UK’s Data Protection and Digital Rights (No 2) Bill (the Bill) on 17 April the UK government seemed to agree that maintaining the adequacy decision must be a priority. However, will the appointment of John Whittingdale MP as the Minister responsible for steering the Bill through its House of Commons committee stage impact the government’s commitment to that goal?

Introducing the second reading debate, Minister for Data and Digital Infrastructure Julia Lopez MP acknowledged the importance of EU adequacy, indicating that the UK government has been in constant touch with the EU and expects to maintain adequacy once the Bill is enacted. There was no Ministerial disagreement when Carol Monaghan MP relayed the Open Rights Group’s concerns that loss of adequacy would be extremely costly for UK business, exacerbating the already increasing need to adapt compliance procedures to fit multiple legal regimes. Equally, though, there was no indication that Ministers agreed with Carol Monaghan’s conclusion that: “the only way that we can properly maintain standards is by having a standard across the different trading partners, but the Bill risks creating a scenario where the data of EU citizens could be passed through the UK to countries with which the EU does not have an agreement. The changes are raising red flags in Europe. Many businesses have spoken out about the negative impacts of the Bill’s proposals. Many of them will continue to set their controls to EU standards and operate on EU terms to ensure that they can continue to trade there.”

Julia Lopez MP is currently on maternity leave. On 21 April John Whittingdale MP was announced as her temporary replacement. Given that he had previously held Ministerial posts at the Department for Digital, Culture, Media and Sport (DCMS), the appointment had some logic. However, John Whittingdale’s contribution to the Bill’s second reading debate may fuel EU concerns about the strength of UK commitment to maintaining adequacy, since he will now be responsible for steering the Bill through its committee and third reading stages. Whittingdale said:

A lengthy negotiation with the EU took place before a data adequacy agreement was reached. As part of that process, officials rightly looked at what alternative there would be, should we not be granted data adequacy. It became clear that there are ways around it. Standard contractual clauses and alternative transfer mechanisms would allow companies to continue to exchange data. It would be a little more complicated. They would need to write the clauses into contracts. For that reason, there was clearly a value in having a general data adequacy agreement, but one should not think that the loss of data adequacy would be a complete disaster because, as I say, there are ways around it.

The Bill committee has issued a call for written evidence. It provides an opportunity for businesses and other organisations to ensure that the committee, in its line-by-line scrutiny of the Bill, fully grasps the practical importance of the EU adequacy decision. Although it is possible to adopt “appropriate safeguards”, such as Standard Contractual Clauses (SCCs), for transfers of personal data to countries not considered by the EU to provide adequate protection to data subjects, using those SCCs is not a low-cost matter of merely signing a pre-printed document. Valid completion of the SCCs requires the parties to set out specific details of the data transfers to which they relate. They also require completion of a Transfer Risk Assessment (TRA) to determine whether the SCCs can, on their own, serve as an “appropriate safeguard” or whether data subject rights can viably be protected only with additional technical or organisational measures, such as encryption. Conducting a TRA and implementing any measures that flow from it can be time consuming, incurring both direct expense and opportunity costs in terms of management time. Our sense, having worked with many clients seeking to navigate the complexities of data transfers to countries without the benefit of an adequacy agreement, is that John Whittingdale’s comments at the second reading of the Bill may not reflect the actual risks. It might be the case, as he suggests, that there would be “ways around” loss of data adequacy, but those workarounds would multiply the complexities and costs of compliance with no material benefits in return. Unless a business operates only within the UK, and has no customers other than UK residents, compliance with EU GDPR remains a practical necessity. Loss of the EU adequacy decision would affect any UK business operating in or trading with the EU and any EU business operating in or trading with the UK.

The current EU adequacy decision permits a single, streamlined compliance regime and the free flow of personal data. Any divergence of UK GDPR from EU GDPR introduces friction and impairs streamlining of data compliance. Loss of adequacy would materially increase those challenges for both UK and EU businesses.

The Bill committee is due to begin its consideration of the Bill on 10 May, and to conclude by 13 June 2023. Written evidence can be submitted up to the end of the committee’s proceedings. However, if your organisation wishes to respond to the call for evidence then we recommend sending your submission as early as possible in the process – and ideally by 10 May. If you would like help compiling and presenting your written evidence, or if you would like to discuss the issues, please contact our Data Protection, Cybersecurity and Digital Assets team:

david.naylor@squirepb.com

charles.helleputte@squirepb.com


Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only, and is not intended to constitute or be relied upon as legal advice.

The Monetary Authority of Singapore (MAS) has launched a public consultation to gather feedback on two sets of proposed rules which it will soon impose on Singapore financial institutions (FIs), with a view to improving existing consumer safeguards, including for such FIs’ digital prospecting and marketing activities.

What do the proposed rules seek to achieve?

The enhancements are aimed at raising industry standards across the financial sector in Singapore by requiring FIs to put in place additional controls when engaging in prospecting and marketing activities through both physical and digital means. As the world sees a resumption of roadshows post-pandemic, coupled with the increased use of digital applications and social media by FIs to market financial products, it is timely to introduce these new measures to strengthen market conduct in Singapore.

What are the rules pertaining to digital marketing?

FIs will need to ensure that online advertisements do not disseminate misleading content. They must also put in place measures to monitor the activities and conduct of any third-party service providers they appoint to generate leads online, or as introducers, through the dissemination of online advertisements and collection of prospective customers’ contact information, to ensure that these providers adhere to the FIs’ own data management policies and applicable laws such as Singapore’s Personal Data Protection Act (PDPA).

Currently, any advertisements of financial products and services are subject to the Financial Advisers Regulations and the Securities and Futures (Licensing and Conduct of Business) Regulations in Singapore. These regulations apply to advertisements disseminated via traditional media (print) as well as digital media (for instance, websites or social media platforms).

With digital media, however, there are heightened risks, for example:

  • Key information disclosed to consumers being truncated or omitted because of the social media application’s or product’s design. This may concern: (i) product features and risks; or (ii) terms and conditions, which could result in such advertisements presenting a misleading or unbalanced view of financial products.
  • Misleading advertisements that highlight unsubstantiated high returns without mentioning any specific products. The high returns are usually presented without explaining how they can be achieved and do not include a description of the key risks or other important caveats.
  • Advertisements posted anonymously by representatives on websites and social media platforms using pseudonyms. Consumers would not know the identity of the person who posted the advertisement or whether that person is regulated by MAS.
  • Representatives’ inappropriate use of digital platforms for prospecting (e.g., soliciting leads through online dating applications), and representatives’ use of third-party tools or service providers for generating leads online without their FIs’ authorisation.

What are the rules pertaining to physical prospecting at public places and telemarketing?

It will soon be mandatory to disclose representatives’ identities and the FIs they represent. FIs will only be permitted to conduct prospecting activities at commercial premises. They will also need to provide customers with additional time to consider whether to make a purchase and limit the use of gift offers which may influence decision-making.

What other implementation details need to be taken note of?

In addition to the measures proposed in its consultation papers[1], MAS reserves the right to impose additional or stricter measures to address any persistent conduct risks and issues, including limiting representatives to only re-posting their FI’s advertisements or, even more restrictively, prohibiting representatives from posting advertisements altogether, i.e., only allowing FIs themselves to post advertisements.

MAS is proposing a transition period of six to nine months for FIs to comply with the new digital prospecting and marketing guidelines[2].

The above consultations will close on 30 June 2023.

[1] https://www.mas.gov.sg/publications/consultations/2023/consultation-paper-on-enhancing-safeguards-for-digital-prospecting-and-marketing-activities;

https://www.mas.gov.sg/publications/consultations/2023/consultation-paper-on-enhancing-safeguards-for-prospecting-activities-at-public-places

[2] https://www.mas.gov.sg/-/media/mas/regulations-and-financial-stability/regulations-guidance-and-licensing/financial-advisers/consultation-paper/annex-a-guidelines-on-standards-of-conduct-for-digital-prospecting-and-marketing-activities.pdf


As U.S. privacy pros know, the past few years have seen many state privacy bills proposed but, as of January 1st, only five states had comprehensive privacy laws in effect. So far in 2023, Iowa approved its “Act relating to consumer data protection” (which we reported on here) and late last week, the Indiana Legislature passed the Indiana Consumer Data Privacy Act, which is pending the governor’s signature (discussed here).

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

New York Releases Data Security Guide to Help Businesses Protect Personal Information

Selfie ID Biometric Verification Vendor’s Bid for Dismissal of BIPA Class Action Rejected by Federal Court

CONFERENCE: SPB’s Kristin Bryan to speak at the Cybersecurity & Privacy Protection Conference

Vietnam Issues Much-awaited Landmark Data Protection Law

Registration Open: Society for the Policing of Cyberspace Event Featuring SPB’s Scott Warren and Kristin Bryan

Follow the Leader: Indiana Becomes Latest State to Enact Consumer Privacy Statute

Recordings Available: The Expanding Landscape of Biometric Data Law: Where We Are and What’s to Come

UK Data Protection Law Reform: Battle lines drawn?

Singapore Appointed as Deputy Chair of the Global Cross-Border Privacy Rules Body

Italian OpenAI: May (A)I?

Federal Privacy Legislation Moves One Step Closer to Enactment

Congratulations to Alan Friel on Being Named a “Trailblazer” for Media and Advertising Law

Data Retention and Minimization, The Elephant in the Room

Orders to Progress Complaints – No Backdoor Appeal Process For ICO Decisions

Sites, PII, and Videotape: Litigation Trends Under the Federal Video Privacy Protection Act

Webinar Materials Available: China’s New Personal Data Export Restrictions

UK Data Protection Reform: who would want to be a “Senior Responsible Individual”?

SPB’s “Elite” Data Privacy, Cybersecurity and Digital Assets Practice Continues to Expand

On April 19th, New York’s Attorney General, Letitia James, released a document titled, “Protecting consumer’s personal information: Tips for businesses to keep data safe and secure” (the “guide”), a resource to help businesses adopt effective data security measures. It draws on the Office of the Attorney General’s (“OAG”) experience investigating and prosecuting cybersecurity breaches, and highlights findings from such investigations. The guide can be found here.

Just last year, OAG investigated multiple large companies for inadequate cybersecurity practices. OAG obtained a US$1.25 million settlement with Carnival Cruise Line following the unauthorized access of employee email accounts which exposed customers’ sensitive personal information, settled with T-Mobile after its failure to provide sufficient vendor oversight led to the unauthorized access of customer information stored on a vendor’s network, and reached a US$400,000 settlement with Wegmans after the supermarket chain’s cloud storage containers were inadvertently configured to allow public access. Overall, the OAG received 4,000 data breach incident notifications in 2022, providing ample opportunity for OAG to exercise its enforcement discretion.

The guide recommends data practices that companies should adopt to protect their systems. The recommendations from the guide include:

  1. Maintain controls for secure authentication, with a preference for multi-factor authentication and strong password requirements.
  2. Encrypt sensitive customer information.
  3. Ensure service providers use reasonable security measures, including carefully selecting service providers, building security expectations into contracts, and monitoring service providers.
  4. Know where you keep consumer information to prevent unauthorized and public access.
  5. Guard against data leakage in web applications, including by masking sensitive information.
  6. Protect customer accounts impacted in data security incidents, including resetting passwords of accessed accounts and notifying impacted users when necessary.
  7. Delete or disable unnecessary accounts, which may be vulnerable to unauthorized access.
  8. Guard against automated attacks. Tips specific to this recommendation can be found in an earlier guide on credential stuffing attacks, here.
  9. Provide clear and accurate notice to consumers. Misleading statements following a data breach can violate New York law.

Although this guide does not constitute a legal requirement or official New York State policy, the OAG hopes companies implement its recommendations to lower their risk of data breaches. It is likely that these measures will become part of the suite of best practices adopted by the privacy sector to mitigate risk, including on the litigation front, where the adequacy of a company’s cyber controls in the wake of a data breach continues to be an area of focus by the plaintiff’s bar. Privacy World will continue to cover cybersecurity and data privacy developments in New York and beyond. For more information, please contact the authors or your relationship partner at Squire Patton Boggs.

One of the most notable trends in Illinois Biometric Information Privacy Act (“BIPA”) class action litigation is the marked increase in the number of class actions targeting third-party biometric technology vendors, such as identity authentication systems and employee timekeeping devices. Importantly, because these vendors do not maintain any direct relationship with the end users of their technology, compliance with Illinois’s biometric privacy statute—especially its notice and consent requirements—can be a challenging undertaking. Despite this, to date, the majority of courts have held that BIPA nonetheless applies equally to vendors vis-à-vis employers and other entities that maintain direct relationships with biometric data subjects.

Earlier this month, an Illinois federal court rejected a selfie ID facial recognition identity verification vendor’s bid for dismissal of a BIPA class action in Davis v. Jumio Corp., No. 22 CV 776, 2023 WL 2019048 (N.D. Ill. Feb. 14, 2023). The Davis decision illustrates the scope of exposure faced by vendors for alleged non-compliance with BIPA, as well as the challenges and complexities in obtaining dismissals of biometric privacy class actions prior to the commencement of costly discovery.

Background

Plaintiff maintained a membership with the online cryptocurrency marketplace operated by Binance. Jumio Corporation provides facial recognition identity verification services for its clients, including Binance. Plaintiff sued Jumio, alleging that the company violated BIPA’s Section 15(b) notice and consent requirements when it collected his biometric data during the process of verifying his identity for Binance.

Jumio moved to dismiss the class action pursuant to Federal Civil Rule 12(b)(6). Jumio raised two arguments in support of dismissal. First, Plaintiff’s suit was barred by BIPA’s financial institution exemption. Second, dismissal of the complaint was warranted under Illinois’s extraterritoriality doctrine.

The Decision

The court first considered whether BIPA’s exemption for financial institutions precluded Plaintiff’s claims against Jumio. BIPA Section 25(c) provides that “[n]othing in this Act shall be deemed to apply in any manner to a financial institution or an affiliate of a financial institution subject to Title V of the federal Gramm-Leach-Bliley Act of 1999 [(“GLBA”)] and the rules promulgated thereunder.”

In raising this argument, Jumio did not contend that it was a financial institution itself; rather, Jumio argued that Binance was a financial institution and, as a result, applying BIPA to Jumio in connection with use of the Binance App would effectively result in applying BIPA to Binance, an action that is proscribed by BIPA.

The court disagreed, finding several flaws in Jumio’s argument. First, the court declined to consider materials submitted by Jumio in support of its motion to dismiss, which Jumio had argued allowed the court to take judicial notice of Binance’s qualification as a financial institution for purposes of BIPA’s Section 25(c) exemption. The court instead held that “Binance’s self-serving statements (such as characterizing itself as a financial institution in other litigation to avoid liability under BIPA) need not be accepted as true and do not support taking judicial notice of the contested fact that Binance is, in fact, a financial institution.” Additionally, the court held that the allegations in the complaint were similarly inadequate to demonstrate Binance’s status as a financial institution: other than using the term “cryptocurrency marketplace,” the complaint contains no further factual allegations about the financial activities of Binance.

Second, the court found that even if Binance were found to be a financial institution within the meaning of the GLBA—thus triggering the Section 25(c) exemption—it did not necessarily follow that the claim against Jumio was barred. In so doing, the court rejected Jumio’s argument that because its software was embedded and integrated into the Binance App, BIPA would be applied to Binance “in any manner” in contravention of Section 25(c) in the event the court granted the Plaintiff’s requested relief under the Illinois biometrics law. The court explained that if Jumio were ordered to comply with BIPA’s notice and consent requirements, Jumio might have to modify the software it provided to Binance; Binance, however, would still have no affirmative obligation under BIPA to change the Binance App. Without further information regarding how the Binance App functioned and how Jumio’s software was integrated into it, the court was unable to determine the extent to which requiring Jumio’s compliance with BIPA would necessitate changes to how Binance did business, such that BIPA could be construed as applying “in any manner” to Binance.

Accordingly, the court declined to dismiss the class action pursuant to BIPA’s financial institution exemption.

The court then turned to Jumio’s argument that Illinois’s extraterritoriality doctrine barred Plaintiff’s lawsuit. In Illinois, a statute is without extraterritorial effect unless a clear intent appears from the express provisions of the statute. Both parties agreed that BIPA did not apply extraterritorially. Therefore, for BIPA to apply to Jumio’s conduct, the circumstances giving rise to the suit must have occurred “primarily and substantially in Illinois.”

Jumio argued that the complaint did not allege that any relevant conduct giving rise to the class action occurred in Illinois, aside from Plaintiff’s allegation that he was an Illinois resident. Notably, after Jumio filed its motion to dismiss, Plaintiff added allegations in his response brief to bolster his opposition to Jumio’s extraterritoriality argument. In its reply, Jumio posited that dismissal was still warranted, as Plaintiff’s new allegations failed to allege that any of Jumio’s conduct took place within the borders of Illinois.

Considering the allegations in the complaint, as supplemented by additional facts in his response brief, the court found that Plaintiff sufficiently alleged a plausible claim that Jumio’s BIPA violations occurred primarily and substantially in Illinois. Specifically, the court found that the following allegations, without more, were enough at the pleading stage to avoid dismissal based on Jumio’s extraterritoriality argument: (1) Plaintiff was an Illinois resident; (2) Jumio conducted business transactions in Illinois; and (3) Plaintiff submitted photographs of his driver’s license and face through the Binance App while in Illinois.

Analysis & Takeaways

Continued Trend of Broad Exposure for Third-Party Biometrics Vendors and Service Providers

Since the start of the year, the Illinois Supreme Court has issued two notable plaintiff-friendly opinions, which resolved the uncertainty surrounding the applicable statute of limitations for BIPA claims and the issue of claim accrual in BIPA litigation, respectively, and significantly expanded the scope of potential liability exposure for BIPA non-compliance even further in the process. However, the applicability of BIPA to third-party vendors continues to persist as a significant area of ambiguity. To date, the majority of courts to analyze the issue have held that BIPA is applicable to vendors and service providers, even if they do not directly interface with end users. This line of reasoning was most recently affirmed in early February 2023 by an Illinois federal court in Johnson v. NCR Corp., No. 22 CV 3061, 2023 WL 1779774 (N.D. Ill. Feb. 6, 2023) (for more information on the Johnson opinion, you can read Privacy World team member David Oberly’s article analyzing the decision for Biometric Update here).

Davis further illustrates the potential perils that vendors face if they fail to satisfy the full range of BIPA compliance requirements when offering biometrics-related products and services to their commercial clients.

Scope of BIPA’s Financial Institution Exemption Not Unlimited

To date, the Section 25(c) financial institution exemption has been one of the most robust defenses to BIPA class actions, resulting in the dismissal of a number of defendants not traditionally known as “financial institutions,” such as colleges and universities. The Davis decision, however, demonstrates that the contours of the financial institution exemption are not unlimited.

In rejecting the vendor’s assertion of the financial institution exemption as a bar to the BIPA claims asserted against it, the Davis court relied primarily on the lack of sufficient evidence demonstrating that the defendant’s customer was, in fact, a financial institution entitled to seek refuge under BIPA Section 25(c). The reasoning of the Davis court comports with other courts that have denied motions to dismiss asserting BIPA’s financial institution exemption as a complete defense to liability—which have also found inadequate evidence demonstrating that the defendant or a related entity satisfied the GLBA’s definition of a financial institution so as to make Section 25(c) applicable to bar BIPA claims.

Importantly, Davis illustrates that defendants seeking dismissal pursuant to the financial institution exemption need to ensure that their motions are properly supported with sufficient evidence to permit a finding that Section 25(c) applies to the specific activities engaged in by the entity at issue. Doing so maximizes the likelihood of a favorable outcome on a motion seeking to definitively end class action litigation. This task is especially critical when pursuing motions to dismiss, where the scope of evidence that the court may consider is curtailed.

Challenges Faced by Defendants in Procuring Dismissals from BIPA Litigation at the Pleading Stage

BIPA class actions have been challenging to defeat at the pleading stage, due to a combination of factors that include the deference given to the plaintiff’s allegations for purposes of a motion to dismiss, the lack of guidance offered to courts by BIPA’s statutory text, and courts’ willingness to interpret BIPA’s compliance requirements in a manner that heavily favors the plaintiff’s bar.

Davis is a textbook example of the challenges defendants often face in attempting to obtain dismissals of BIPA disputes before proceeding to the discovery phase of litigation. Of note, although courts are generally only permitted to consider the allegations in the complaint on a motion to dismiss, the Davis court permitted the Plaintiff’s elaborations on the complaint’s factual allegations in his response brief to be considered in ruling on the defendant’s motion to dismiss. Further, the court found that the Plaintiff’s allegations were sufficient at the pleading stage to plausibly allege that the BIPA violation occurred in Illinois, so as to avoid dismissal on extraterritoriality grounds, even though the Plaintiff alleged only a single fact relating directly to the defendant’s conduct—that it engaged in business transactions in Illinois. More than that, in rejecting Jumio’s extraterritoriality argument, the court acknowledged that discovery might reveal that the connection to Illinois is “sufficiently tenuous” as to warrant revisiting the matter at summary judgment, but that was not enough to prevent the case from moving past the pleading stage.

To mitigate BIPA litigation risk, all types of entities that use biometric data in their operations should consider taking a conservative approach to compliance—one that ensures all applicable BIPA requirements are satisfied—even where it is not definitively clear that Illinois’s biometrics statute applies to organizational operations.

Specifically, companies should ensure they maintain flexible, comprehensive biometric privacy compliance programs, which should include (among other things) the following:

  • A publicly-available, biometrics-specific privacy policy;
  • Set data retention and destruction guidelines and schedules containing a clear and unambiguous description of the event trigger(s) that will prompt the immediate and permanent destruction of an individual’s biometric data;
  • A mechanism for ensuring written notice is supplied to all data subjects before the time biometric data is collected; and
  • A separate mechanism for ensuring written consent is obtained, allowing the vendor to collect, possess, retain, store, and disseminate biometric data before the time any such data is obtained.

For more, stay tuned. Privacy World will be there to keep you in the loop.

We are pleased to announce that SPB’s Kristin Bryan will be speaking at the upcoming Cybersecurity & Privacy Protection Conference on Thursday, April 20 at 8:15 a.m. EDT. Kristin will be joined by the Regional Director from the Federal Trade Commission and a staff attorney from the Securities and Exchange Commission. This live event will be held at Cleveland State University’s College of Law.

Kristin’s panel will discuss recent federal regulatory updates and investigations, including the Federal Trade Commission’s proposed rules on commercial surveillance and groundbreaking action against GoodRx as well as the Securities and Exchange Commission’s proposed incident reporting requirements.

Read more information and register using this link. Enter code CYBER50 during checkout for a 50% discount.

On April 17, 2023, Vietnam issued its long-awaited, first-ever comprehensive data privacy law, Decree No. 13/2023/ND on the Protection of Personal Data (Decree). The Decree will take effect on July 1, 2023, without any transition period. All Vietnamese and foreign businesses located in Vietnam or carrying out data processing activities in Vietnam must comply with the Decree.

The issuance of the Decree follows an extensive and protracted series of public consultations and numerous rounds of review of its proposed text since the release of a first draft in February 2021. The final text of the issued Decree is currently only available in the Vietnamese language.[1]

AI, Chatbots and similar technology are playing a greater role in protecting, as well as attacking, our social infrastructure. Data privacy laws around the globe are increasingly affecting the use of such tools. Join a free webinar, moderated by SPB’s Scott Warren and panelist Kristin Bryan, along with a panel of experts from the military, law enforcement, companies and consultants from around the globe discussing this timely topic. Areas for discussion include how the US military, Canadian smart cities and emergency call centers, and North American and APAC law enforcement are using technology like AI and Chatbots to enhance their capabilities, while dealing with data privacy concerns and hackers using such tools against them. Experts will discuss the latest types of attacks affecting consumers and companies and effective ways to deal with these rapidly evolving challenges. The webinar will include updates on the latest legal developments affecting the use and cross-border transfer of data received from such technologies.

Date and Time: April 20, 7-9 p.m. EDT / April 21, 7-9 a.m. Singapore time.

If you are interested in attending, please contact Scott Warren (scott.warren@squirepb.com), with your name and details. Seats are limited, so please reach out quickly.