Gibbons Law Alert

Gibbons Law Alert

Tagged: Privacy Class Actions

Delaware District Court Allows for Single Claim to Proceed Against Amazon in Illinois Biometric Information Privacy Act Class Action Suit

by

Posted in Class Action Defense / Privacy Class Actions

On May 3, 2023

The Illinois Biometric Information Privacy Act (BIPA) is designed to protect and regulate the use of both “biometric identifiers” and “biometric information” of Illinois residents. “Biometric identifiers,” for instance, include “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” In contrast, “biometric information” means “any information … based on an individual’s biometric identifier used to identify an individual.” On March 29, 2023, in McGoveran v. Amazon Web Servs., Inc., the United States District Court for the District of Delaware granted in part Amazon Web Services (“Amazon”) and Pindrop Security’s (“Pindrop”) motion to dismiss a proposed class action brought pursuant to BIPA for lack of standing, based on a strict interpretation of the definitions of “biometric identifiers” and “biometric information” and the plaintiffs’ failure to adequately allege that they suffered any concrete, actual, or imminent injury as a result of the defendants’ conduct. In McGoveran, a group of Illinois residents alleged that Amazon and Pindrop violated BIPA by extracting their biometric information for authentication purposes when the plaintiffs called John Hancock to discuss their retirement accounts. At the outset, the court held that the plaintiffs lacked Article III standing to bring a claim under BIPA Section 15(a) and Section 15(c) or to otherwise obtain injunctive relief. Under Section 15(a), a company is...

GoodRx Fined $1.5 Million for Disclosure of Users’ Personal Information to Third Parties Without Notice or Consent

by and

Posted in E-Commerce / Privacy and Data Security / Privacy Class Actions / Regulatory Counseling and Departmental Action

On February 23, 2023

On February 1, 2023, the Federal Trade Commission (FTC) filed a “first of its kind” enforcement action under the FTC’s Health Breach Notification Rule, 16 CFR Part 318, which offers several useful takeaways for all companies that collect and process a consumer’s personal information – not just companies that handle health-related data. The FTC’s proposed order seeks to impose a $1.5 million civil penalty against GoodRx, a digital health platform, for sharing the sensitive personal health and other information of millions of GoodRx users with various advertising platforms, including Facebook and Google, and failing to report these disclosures to consumers. According to the FTC complaint, GoodRx collects sensitive personal information from users and represents that it will treat users’ information in accordance with its privacy policies. Since at least 2017, the GoodRx privacy policy specifically stated that GoodRx “would never disclose personal health information to advertisers or any third parties.”  Yet for several years, GoodRx allegedly violated these promises “by sharing information with Advertising Platforms, including Facebook, Google and Criteo, about users’ prescription medications or personal health conditions” and “did so without notice to users, and without obtaining consent.” In addition, GoodRx monetized the personal health information it collected through the creation of advertising campaigns on Facebook and Instagram that targeted GoodRx users. In August...

District of New Jersey Analyzes Article III Standing Requirement in the Class Action Context Under the Supreme Court’s Decision in TransUnion

by

Posted in Class Action Defense / Privacy Class Actions

On November 10, 2022

In a post-TransUnion LLC v. Ramirez, 141 S. Ct. 2190 (2021) victory for the class action defense bar, the District of New Jersey has further clarified the standing requirement for showing concrete harm. In Schultz v. Midland Credit Management., Inc., the Honorable Madeline Cox Arleo, U.S.D.J. granted defendant Midland Credit Management, Inc.’s (“Midland”) motion for summary judgment because the plaintiffs failed to establish concrete harm and thus lacked standing. In Schultz, the plaintiffs filed a putative class action against Midland alleging that the collection agency issued collection letters with false Internal Revenue Service (IRS) reporting language in violation of the Fair Debt Collection Practices Act (FDCPA). Midland sent letters to the plaintiffs stating: “We will report forgiveness of debt as required by IRS regulations. Reporting is not required every time a debt is canceled or settled, and might not be required in your case.” Pursuant to the Department of Treasury and IRS regulations, Midland only needed to report discharges of indebtedness greater than $600. As the plaintiffs’ debts were below the $600 threshold, the plaintiffs argued that the IRS reporting language was false, deceptive, and misleading in violation of the FDCPA because the language implied that “there could be ‘negative consequences with the [IRS]’ and ‘deliberately fail[ed] to disclose that such reporting is required under...

Colorado Is the Latest State to Enact a Data Privacy Law: Here’s What You Need to Know

by and

Posted in General Litigation / Privacy Class Actions

On August 9, 2021

Colorado has become the third state to enact a comprehensive data privacy statute imposing compliance obligations on legal entities that collect or process the personal data of its residents. The Colorado Privacy Act (CPA) is based on and enforces many of the same key concepts as do other data privacy statutes and regulations. As such, companies that are implementing or updating compliance programs for the European Union’s General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), and Virginia Consumer Data Protection Act (CDPA) will be familiar with the main provisions of the CPA and likely will have an easier time achieving compliance. There are, however, some important distinctions that companies must consider as part of any ongoing compliance efforts in anticipation of the CPA’s effective date of July 1, 2023. As a threshold matter, the CPA applies to legal entities that (i) conduct business in Colorado or produce or deliver commercial products or services that are “intentionally targeted to residents of Colorado,” and (ii) either (a) control or process personal data of more than 100,000 consumers per year or (b) earn revenue (or receive a discount on goods or services) from the sale of personal data and control or process personal data of more than 25,000 consumers. Notably, the CPA...

Following Duguid, South Carolina District Court Limits Reach of TCPA’s Autodialer Definition

by

Posted in Class Action Defense / Privacy Class Actions

On July 8, 2021

In April 2021, the U.S. Supreme Court resolved a circuit split interpreting the Telephone Consumer Protection Act’s (TCPA) definition of “automatic telephone dialing system” or (ATDS). In Facebook, Inc. v. Duguid, the Court held that the clause “using a random or sequential number generator” in the statutory definition of ATDS, 47 U.S.C. § 227(a)(1), modifies both “store” and “produce,” thereby “specifying how the equipment must either ‘store’ or ‘produce’ telephone numbers.” Accordingly, “a necessary feature of an autodialer under § 227(a)(1)(A) is the capacity to use a random or sequential number generator to either store or produce phone numbers to be called.” Duguid thus reversed the Ninth Circuit’s interpretation that the clause “using a random or sequential number generator” modifies only “produce,” such that a device could be an autodialer if it has the capacity to store and automatically dial numbers, even if the numbers are not generated by a random or sequential number generator. Under Duguid, equipment that makes calls to “targeted…numbers linked to specific accounts” are excluded from liability under the TCPA. In June, the U.S. District Court for the District of South Carolina had the opportunity to apply the Supreme Court’s decision. In Timms v. USAA Federal Savings Bank, the plaintiff sought to recover damages from the defendant for alleged violations of the Fair...

Connect:

About Gibbons

With 200 attorneys, Gibbons is a leading law firm in New Jersey, New York, Pennsylvania, Delaware, Washington, DC, and Florida, ranked among the nation’s top 200 by The American Lawyer. More…

Subscribe

Archived Blog Posts

Categories