On April 24, 2019, the U.S. Supreme Court issued an important decision touching a number of hot button issues and litigation threats facing American businesses — including class actions, arbitration agreements and data privacy.
The case, Lamps Plus, Inc. v. Varela, 17-988, 2019 WL 1780275 (U.S. Apr. 24, 2019), stemmed from a data breach in which a hacker posing as a company official “tricked” a Lamps Plus employee into disclosing the tax information of approximately 1,300 workers. Among those 1,300 workers was Frank Varela, the named plaintiff. Id. at *2. Following the data breach, Mr. Varela became the victim of identity theft when a fraudulent federal income tax return was filed in his name.
Continue Reading
One of the most common things we discuss with clients is the need to ensure that privacy policies accurately reflect the actual procedures in place for handling confidential information. The SEC reiterated that point last week in a 
No Actual Harm Necessary to Assert Biometric Privacy Claims in Illinois
As we speed past Thanksgiving and enter the holiday season, kids shouldn’t be the only ones putting together their wish lists. Here are some things that might not fit under a tree, but would certainly fill us with the joy of the season.
Just when you thought it was safe to open your e-mail again without being inundated with updated privacy policies, here comes the California Consumer Privacy Act of 2018 (“CCPA”). The new law, which goes into effect on January 1, 2020, will expand the privacy rights of California residents and bring some of the EU’s widely discussed General Data Protection Regulation (“GDPR”) to the United States. There will be lots to talk about over the next year and a half as companies gear up for compliance, but here are some key features to be aware of:
For more than 30 years, the 
What Is GDPR?
As 2017 comes to a close and companies look to planning initiatives for 2018, there is one date that should be front and center for privacy professionals: May 25, 2018. That is the date that the EU’s General Data Protection Regulation (GDPR) goes into effect, meaning that any company dealing with EU consumer data needs to have a plan in place. The GDPR has been looming for almost two years now (since its adoption on April 27, 2016), so hopefully most companies impacted by the regulation have already begun to implement compliance mechanisms. But if not, it’s not too late.
In the past few weeks, five putative class action lawsuits have been filed under the Illinois Biometric Information Privacy Act (“BIPA”), 740 ILCS 14/1 et seq., targeting defendants in the health care, senior living, commercial baking, meat processing and security industries. These recent suits join previously filed BIPA class actions against day care operators, tanning salons, video game manufacturers, hotel groups and supermarkets as well as much larger entities, including Facebook, Google, Shutterfly, Six Flags and Snapchat. All of these suits have similar allegations at their core; that defendants utilized employees’, customers’, or other persons’ biometric identifiers, such as fingerprints, voiceprints, retina scans or facial recognition technology, in violation of BIPA’s disclosure and consent requirements. All seek recovery of BIPA’s statutory liquidated damages of $1,000 for each negligent violation, or $5,000 for each intentional or reckless violation, injunctive relief, and recovery of attorneys’ fees and costs.
The EU’s General Data Protection Regulation (679/2016/EU), the GDPR, comes into force across the EU on 25 May 2018. As it is being made by regulation the GDPR, unlike the existing Data Protection Directive (implemented into the UK by the Data Protection Act 1998), will have direct effect throughout the EU. National governments will have some limited scope to tailor certain of its provisions to their jurisdiction. However, the GDPR will significantly harmonise the current national data protection laws across the EU.