Tagged: Privacy

District Court Affirms United States Copyright Office’s Denial of Copyright Registration for AI-Generated Visual Art

Pursuant to the Copyright Act of 1976, “original works of authorship fixed in any tangible medium of expression, now known or later developed, from which they can be perceived, reproduced, or otherwise communicated, either directly or with the aid of a machine or device” are eligible for immediate copyright protection, provided certain requirements are met. Against this backdrop, Stephen Thaler applied for copyright registration with the United States Copyright Office (USCO) of a piece of visual art produced by a generative artificial intelligence system he created – the “Creativity Machine.” The USCO subsequently denied the application, reasoning that Thaler’s work “‘lack[ed] the human authorship necessary to support a copyright claim,’” as “copyright law only extends to works created by human beings.” After Thaler filed suit against the USCO, both parties moved for summary judgment on the sole issue of whether a work generated entirely by an artificial system should be eligible for copyright protection. On August 18, 2023, in Thaler v. Perlmutter the United States District Court for the District of Columbia granted the USCO’s motion for summary judgment, concluding that “human authorship is an essential part of a valid copyright claim.” The court rejected as contrary to the Copyright Act’s plain language Thaler’s contention that because he created the AI system that “autonomously” produced...

“Say Cheese!” CVS Passport Photo Practices Subject to BIPA Suit

In May 2022, a group of plaintiffs brought a putative class action against CVS Pharmacy, Inc. (CVS) alleging the company violated several provisions of the Illinois Biometric Information Privacy Act (BIPA) through its practices for taking passport photos. On May 4, 2023, in Daichendt and Odell v. CVS Pharmacy, Inc., the United States District Court for the Northern District of Illinois denied CVS’s motion to dismiss, holding the plaintiffs sufficiently stated a claim under Section 15(b) of BIPA. Section 15(b) of BIPA prohibits private entities from collecting “or otherwise obtain[ing] a person’s or a customer’s biometric identifier or biometric information, unless it first”: (1) provides notice of collection; (2) provides notice of the specific purpose of collection; and (3) obtains affirmative written consent. Here, the plaintiffs alleged that CVS required them to “enter[] their names, email addresses, and phone numbers into a computer terminal inside defendant’s stores prior to scanning their biometric identifiers.” Thereafter, CVS’s system would “check” and “verify” an individual’s facial features (i.e., whether the individual is smiling) to comply with government requirements. Against this backdrop, the plaintiffs argued this system violated Section 15(b) because it “collected and stored their personal contact data (‘real-world identifying information’), such as their names and email addresses,” thus allowing CVS the ability to identify the plaintiffs “when...

I’m Sorry, Motion Denied: Washington District Court Rejects Second Try at Class Action Suit Over Amazon Alexa’s Collection of Voice Data

In June 2022, a group of plaintiffs brought a putative class action against Amazon.com (“Amazon”) alleging the company violated several statutory and common law rights through its use of voice data collected through Alexa, its digital assistant software. After the court granted Amazon’s motion to dismiss, the named plaintiffs moved for leave to file an amended complaint. On March 29, 2023, in James Gray and Scott Horton v. Amazon.com, et. al., the United States District Court for the Western District of Washington denied the motion, concluding the plaintiff’s proposed amended complaint (PAC) failed to allege new material facts. The PAC alleged that Amazon failed to disclose to its consumers that it would use the data collected from the voice recordings made by Alexa devices for the purposes of targeted advertising. Accordingly, the plaintiffs asserted, as they had done previously, that Amazon: (1) breached the implied covenant of good faith and fair dealing; (2) violated Washington’s Consumer Protection Act (CPA) and Personality Rights Act (PRA); and (3) violated common law privacy rights. The court dismissed the plaintiffs’ implied covenant claim because the PAC “merely repeat[ed] the same arguments the Court ha[d] already rejected.” For example, the court previously rejected the plaintiffs’ argument that Amazon’s terms and conditions failed to inform them of Amazon’s use of their...

Delaware District Court Allows for Single Claim to Proceed Against Amazon in Illinois Biometric Information Privacy Act Class Action Suit

The Illinois Biometric Information Privacy Act (BIPA) is designed to protect and regulate the use of both “biometric identifiers” and “biometric information” of Illinois residents. “Biometric identifiers,” for instance, include “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” In contrast, “biometric information” means “any information … based on an individual’s biometric identifier used to identify an individual.” On March 29, 2023, in McGoveran v. Amazon Web Servs., Inc., the United States District Court for the District of Delaware granted in part Amazon Web Services (“Amazon”) and Pindrop Security’s (“Pindrop”) motion to dismiss a proposed class action brought pursuant to BIPA for lack of standing, based on a strict interpretation of the definitions of “biometric identifiers” and “biometric information” and the plaintiffs’ failure to adequately allege that they suffered any concrete, actual, or imminent injury as a result of the defendants’ conduct. In McGoveran, a group of Illinois residents alleged that Amazon and Pindrop violated BIPA by extracting their biometric information for authentication purposes when the plaintiffs called John Hancock to discuss their retirement accounts. At the outset, the court held that the plaintiffs lacked Article III standing to bring a claim under BIPA Section 15(a) and Section 15(c) or to otherwise obtain injunctive relief. Under Section 15(a), a company is...

CCPA Amendments Expand Private Right of Action and AG’s Enforcement Power

On February 22, 2019, another proposed amendment to the California Consumer Privacy Act (CCPA) was published. If enacted, this amendment will increase businesses’ potential exposure under the CCPA by, among other things, expanding the scope of private rights of action under the Act and eliminating a cure period prior to a civil enforcement action by the California Attorney General. The CCPA, originally enacted in June 2018 and first amended in September 2018, sets forth an entirely new privacy and security regime for many entities doing business in California. It imposes extensive requirements on the collection, use, and storage of consumer personal information, and applies to many businesses located both in and outside of the state. The deadline for all businesses to comply with the CCPA’s requirements is January 1, 2020, and the California Attorney General may bring an enforcement action six months after the passage of implementing regulations, or July 1, 2020, whichever comes first. The clock is ticking … The CCPA applies to any for-profit entity that (i) does business in California, (ii) collects “personal information” and/or determines the purposes and means of processing “personal information,” and (iii) satisfies at least one of the following threshold criteria: Has annual gross revenues of $25,000,000; Annually buys, receives, sells or shares “personal information” of 50,000 or...

New “Privacy Shield” for EU-U.S. Data Transfers Gains Acceptance by Europe and U.S. Regulators

As previously noted, in response to the European Court of Justice ruling in Schrems v. Data Protection Commissioner (Case C-362/14) striking down as inadequate the so-called “safe harbor” agreement that existed for more than a decade, the EU Commission and U.S. Department of Justice announced the framework of a deal to allow transatlantic data transfers between the EU and U.S. without running afoul of Europe’s strict data protection directives. Described as the EU-U.S. “Privacy Shield” agreement, that framework has now been vetted by EU Member States, modified in certain respects, and formally adopted on July 12, 2016 by the European Commission.

New York Federal Court Weighs in on Apple Encryption Debate

Anyone reading recent headlines knows that Apple, Inc. is engaged in a legal, and ultimately political, struggle with the U.S. Government over access to the cell phone of Syed Rizwan Farook, one of the shooters in the December 2, 2015 terror attack at the Inland Regional Center in San Bernardino, California. The core issue in that California proceeding is whether Apple should be forced to “create and load Apple-signed software onto the subject iPhone device to circumvent the security and anti-tampering features of the device in order to enable the government to hack the passcode to obtain access to the protected data contained therein.”

New “Privacy Shield” Agreement Seeks to Resurrect a Safe Harbor for EU-U.S. Data Transfers – Can it Succeed?

On February 2, 2016, the EU Commission and U.S. Department of Justice announced the framework of a deal to allow transatlantic data transfers between the EU and U.S. without running afoul of Europe’s strict data protection directives. It was appropriate that the announcement came on Groundhog Day, because we have been here before.

Class Action Plaintiffs Have Standing Based on Actual Injuries and Costs of Mitigation Following Corporate Hacking, Says Seventh Circuit

The Court of Appeals for the Seventh Circuit recently held that class action plaintiffs alleging injuries due to corporate hacking scandals have standing to pursue those claims in federal court, based on both actual injuries suffered repairing damage done by fraudulent charges, as well as costs of mitigating potential future harm, such as credit monitoring. Remijas v. Neiman Marcus Group, LLC, No. 14-3122 (7th Circ. July 20, 2015). As with other cases that come to the same conclusion, the court placed great emphasis on the fact that the data thieves were specifically targeting personal data, as well as the company’s admission of the breach and offer of a year of credit monitoring to those whose information had been exposed.

Class Action Certified in In re Yahoo Mail Litigation for Violations of Stored Communication Act and California’s Invasion of Privacy Act

On May 28, 2015, U.S. District Judge Lucy Koh in the Northern District of California certified a class of email users in a privacy action that claims Yahoo Inc. (“Yahoo”) violated the federal Stored Communications Act (“SCA”) and California’s Invasion of Privacy Act (“CIPA”) through its practice of scanning and analyzing emails of non-Yahoo Mail subscribers in order to display targeted ads to Yahoo Mail subscribers. In re Yahoo Mail Litigation, No. 13-CV-04980-LHK, (N.D. Cal. 2015). Plaintiffs are non-Yahoo Mail subscribers who sent emails to Yahoo Mail subscribers from non-Yahoo email accounts and allege that Yahoo routinely copies and extracts key words from emails and stores this information for later use. Plaintiffs allege that Yahoo’s practices violate § 2702(a)(1) of the SCA, which prohibits, among other items, divulging the contents of a communication without consent and § 631 of CIPA, which prohibits the recording or reading of any type of communication without the prior consent of all parties.