On January 24, 2025, the Illinois Supreme Court ruled in Petta v. Christie Business Holding Co., P.C., 2025 IL 130337, that a patient who alleged an increased risk of harm arising from a data breach at a medical clinic did not suffer an injury in fact sufficient to confer standing.

Continue Reading Illinois Supreme Court: Increased Risk of Harm Arising from a Data Breach Is Insufficient to Confer Standing

As we reach the peak of this year’s Spooky Season, we thought it would be helpful to revisit some of the scariest recent developments in the realm of TCPA litigation and compliance.  The conventional wisdom is that some of the new rules and regulations coming into play around the TCPA are going to lead to even more litigation under the statute.  But at the same time, the Supreme Court’s ruling earlier this year in Loper Bright Enterprises v. Raimondo, 144 S. Ct. 2244 (2024), has called into question much of what we thought we knew about administrative law, leading to ambiguity and uncertainty surrounding the TCPA and many other statutes. 

One-to-One Consent Rule

We’re now just under three months away from the January 27, 2025 effective date of the FCC’s one-to-one consent rule.  Formally adopted in December 2023, the rule requires that prior express written consent be obtained separately for each company seeking to use such consent.  This raises significant concerns about a company’s ability to communicate with not only third-party leads but also many first-party leads, if consent is not adequate under the new rule. 

The TCPA has long required prior express written consent for calls and texts that contain an artificial or prerecorded voice or are sent using an “automatic telephone dialing system.”  But the new rule states, in relevant part, that:

Continue Reading TCPA Turnstile: Four Scariest Developments (and a Potential Ray of Light Amid the Fright) (TCPA Update Vol. 19)

Does your company have website terms of use, or e-commerce terms?

If so, it’s important to know whether those terms are enforceable.

In Domer v. Menard, Inc., Domer wanted to recover a $1.40 pickup service fee for a can of paint she bought on the Menards’ website. In her suit, Domer alleged that Menards had not disclosed the pickup service fee and used the fee to manipulate its prices, and had it been disclosed, she would not have purchased the product. Menards argued that the case should be dismissed because Domer entered into an enforceable arbitration agreement when she accepted the Menards Terms of Order at checkout. For Menards, the question was a critical one—if its Terms of Order applied, then the class action would leave the court and head to arbitration. 

Continue Reading E-Tailer Beware: The Seventh Circuit Clarifies the Framework for Enforceability of Digital E-Commerce Agreements

A federal court last week sustained a First Amendment challenge to a Utah law aimed at addressing the use of social media platforms by minors, holding that the law’s proponents failed to demonstrate that the law served a compelling interest or was narrowly tailored.

Continue Reading NetChoice Succeeds in Striking Down Utah Social Media Law Under First Amendment

On August 13, 2024, the Texas Attorney General’s Office (Texas AGO) filed a claim under Texas’s Deceptive Trade Practices-Consumer Protection Act challenging General Motors’ collection and use of data collected from consumers regarding their driving history. The Texas AGO’s complaint implicates thorny issues regarding how companies prepare and roll out privacy disclosures to consumers. The complaint also reiterates the importance of implementing clear, informed written consent processes when collecting and using consumer data.

Continue Reading Texas Attorney General Challenges General Motors’s Collection and Sale of Driving Data

In May, we told you about proposed revisions to the Illinois Biometric Information Privacy Act (“BIPA”) that should provide some welcome relief for defendants.  Governor J.B. Pritzker has now signed that reform legislation into law.

Continue Reading BIPA Bellwether: Governor signs BIPA reform bill

On July 30, 2024, the Texas Attorney General’s Office announced a $1.4 billion settlement of biometric privacy claims brought against Meta arising from Meta’s historical use of facial recognition technology on photographs posted to Facebook’s social media platform.

Continue Reading Texas and Meta Settle Biometric Data Litigation for $1.4 Billion

On April 26, 2024, the Federal Trade Commission (FTC) announced that it had finalized changes to the Health Breach Notification Rule (HBNR). These changes, which go into effect on June 25, 2024, are intended to modernize aspects of the HBNR such that the HBNR applies to entities not covered under the Health Insurance Portability and Accountability Act (HIPAA). The updated HBNR follows the FTC’s previously stated intention in a 2021 policy statement to broaden the interpretation of the HBNR to address the growing number of digital health applications, websites, and consumer-facing technology that were not subject to HIPAA. The scope of the finalized rule therefore aims to apply the HBNR to health care technology and digital health companies that obtain personal health records (PHR) and PHR identifiable health information.

Continue Reading FTC Finalizes Broader Changes to the Health Breach Notification Rule

In a welcome change for defendants, a recent amendment to the Biometric Information Privacy Act (“BIPA”) is expected to significantly curtail potential damages under the statute. SB 2979, which passed the General Assembly on May 16, 2024, clarifies that damages are per individual, rather than per violation, for violations of the collection provision under Section 15(b) and the disclosure provision under Section 15(d).

Continue Reading BIPA Bellwether: General Assembly provides relief from “per scan” damages

Last week, the U.S. Securities and Exchange Commission (“SEC”) became the latest federal regulator to implement a data breach notification law. The commissioners unanimously voted to approve amendments to Regulation S-P (the “Final Rule”)—the regulation governing the use of consumers’ personal information and records—to require certain financial institutions to adopt and maintain data incident response procedures and to require notification to consumers of the potential compromise of their data within 30 days of discovery.

Continue Reading SEC Joins Chorus of Regulators Requiring Data Breach Notifications