Privacy

Subscribe to Privacy
Binary code behind a blue digital fingerprint

In a highly anticipated decision, the Illinois Supreme Court recently held that a separate claim accrues under the Illinois Biometric Information Privacy Act (“BIPA” or the “Act”) (740 ILCS 14/1 et seq.) each time biometric data or information is collected and/or disclosed.  The Supreme Court’s holding in Cothron v. White Castle System, Inc., 2023 IL 128004, is likely to have a profound impact on both the ability of plaintiffs to file BIPA claims and the calculation of liquidated damages for such claims.   

Continue Reading BIPA ALERT: Illinois Supreme Court Opens the Door to “Punitive, Crippling Liability” for Illinois Businesses

Binary code behind a blue digital fingerprint

In a ruling that is unlikely to significantly alter the landscape of litigation under the Illinois Biometric Information Privacy Act (“BIPA” or the “Act”) (740 ILCS 14/1 et seq.), the Illinois Supreme Court recently clarified that a five-year statute of limitations is applicable to all claims under the Act.  The Supreme Court’s holding in Tims, et al. v. Black Horse Carriers, Inc. clarifies the applicable statute of limitations period for BIPA claims, but does not address the critical question of when claims accrue under the Act.

Continue Reading BIPA ALERT: Five Year Statute of Limitations Applicable to All BIPA Claims

As 2022 comes to a close, we wanted to look back at the most significant Telephone Consumer Protection Act, 47 U.S.C. § 227 (“TCPA”) decisions of the year.  While we didn’t see the types of landscape-altering decisions that we saw in 2021, there’s still plenty to take note of.  We summarize here the biggest developments since our last update, listed by issue category in alphabetical order.

Continue Reading TCPA Turnstile: 2022 Year in Review (TCPA Case Update Vol. 17)

Much ink has been spilled over the Executive Order Enhancing Safeguards for United States Signals Intelligence Activities (the “Executive Order”) signed by President Biden in early October.  The Executive Order is supposed to establish the United States’ commitments reflected in the March 25, 2022 joint EU-U.S. announcement of the Trans-Atlantic Data Privacy Framework (the “Framework”).  While the Framework is described as an “agreement in principle” to facilitate cross-border transfer of personal data, the Executive Order is supposed to go further, toward actually implementing the promised protective measures.  But does it?

Continue Reading Does the Latest Move in Trans-Atlantic Privacy Really Change the Game?

The UK government’s reform of data protection laws and the mechanics of cross-border data transfers has accelerated in the first half of 2022.

Various European regulators, including the UK’s Information Commissioner’s Office (ICO) have expressed an intent to more closely monitor compliance with the data transfer rules and impose potentially significant fines where breaches are uncovered – capped in the UK at the higher of £17m or 4% of group worldwide turnover.  US recipients of personal data gathered in the UK (whether from a group subsidiary or otherwise) should act now to assess their current compliance and plug any gaps.

In order for personal data gathered in the UK to be transferred, in a compliant manner, to the US a number of steps must be taken:

Continue Reading UK-US Data Transfers Post Brexit

Lock on Computer

On February 9, 2022, the Securities and Exchange Commission (the SEC) issued proposed rules 206(4)-9 under the Investment Advisers Act of 1940, as amended (Advisers Act) and 38a-2 under the Investment Company Act of 1940 (Investment Company Act) (such rules collectively referred to as the ‘cybersecurity risk management rules’), to require investment advisers registered under the Advisers Act (advisers) and registered investment companies under the Investment Company Act (funds) to adopt and implement significant new written cybersecurity policies and procedures. At a high level, the proposed rules would require annual reviews, add new disclosure requirements, and add new SEC and investor reporting requirements, among other requirements.
Continue Reading SEC Proposes New Cybersecurity Rules for Investment Advisers and Investment Companies

Bell and gavel

One of the best ways for companies facing media and privacy risk to protect themselves from expensive class action litigation is by including an arbitration provision in the applicable terms and conditions. While it’s not always clear at the outset of litigation whether the plaintiff agreed to the terms, companies often have to invoke arbitration quickly out of fear that they will be found to have waived arbitration. But in its coming term, the U.S. Supreme Court is now poised to address the critical point of whether prejudice to the plaintiff is a necessary element for a finding of waiver.
Continue Reading Supreme Court to address role of “prejudice” in evaluating waiver of arbitrability

Phone and gavelThanks to the Supreme Court’s decision in Facebook v. Duguid, 141 S. Ct. 1163 (2021), 2021 will go down as one of the most significant years in the history of the Telephone Consumer Protection Act, 47 U.S.C. § 227 (“TCPA”).  And while the second half of 2021 did not produce the fireworks that we saw earlier in the year, there are still some cases worthy of note as we enter the new year.  We summarize here developments since our last update, listed by issue category in alphabetical order.
Continue Reading TCPA Turnstile: 2021 came in like a lion, and went out more like a lamb for TCPA law (TCPA Case Update Vol. 16)

FingerprintIn the aftermath of two recent appellate court decisions addressing when claims under the Illinois Biometric Information Privacy Act (“BIPA” or the “Act”) (740 ILCS 14/1 et seq.) accrue, it appears likely that the Illinois Supreme Court will need to provide clarity on this critical question. First, the Appellate Court of Illinois, First District, found in Watson v. Legacy Healthcare Financial Services, LLC, et al.  that claims under sections 15(a) and (b) of the Act accrue with each and every capture and use of a plaintiff’s biometric identifier or information. Second, in Cothron v. White Castle System, Inc. the Seventh Circuit Court of Appeals declined to directly address the issue of when a claim under BIPA accrues, and instead has certified the question for review by the Illinois Supreme Court. While the holding in Watson provides some clarity as to when certain BIPA claims accrue, it leaves open critical questions regarding how to calculate: (i) the number of BIPA violations; and (ii) monetary damages under the Act.
Continue Reading Two Recent Developments Promise to Shed Light on Accrual of BIPA Claims

Phone and gavelThe first half of 2021 saw one of the most significant TCPA rulings in many years as Facebook v. Duguid, 141 S. Ct. 1163 (2021), appeared to settle the long-debated question of what constitutes an automatic telephone dialing system (“ATDS”).  But while the Supreme Court’s April ruling was extremely positive for the TCPA defense bar, it by no means brought an end to TCPA claims.  Significant cases have continued to yield decisions, including cases that have sought to interpret Facebook.  And the state of Florida stepped into the abyss in passing a “mini-TCPA” statute that went into effect earlier this month that regulates telemarketing at the state level, with a much broader definition of the relevant technology.  Thus, the TCPA (and related statute) litigation landscape, while upended to some degree, remains unsettled, and we’ll continue to provide our insights.  We summarize here developments since our last update, listed by issue category in alphabetical order.
Continue Reading TCPA Turnstile: TCPA cases in a post-Facebook world (TCPA Case Update Vol. 15)