This post has been cross-posted from Seyfarth’s Employment Law Lookout blog.

Welcome to Decoding Appeals, where Seyfarth’s Appellate Team brings to in-house counsel our insights and expertise from the front lines of the appellate courts. Throughout this short video series, we break down the nuances of appellate advocacy, sharing tips and lessons we’ve learned to help companies’ in-house legal teams understand the complexities of the appeals process.

In this first episode, host Owen Wolfe is joined by Amanda Williams and Cat Johns, two former judicial law clerks who offer their unique perspectives on the appeals process, drawing from their firsthand experiences and behind-the-scenes knowledge of how it all works.

In a significant legislative development, the Illinois House of Representatives has overwhelmingly approved Senate Bill 2979, with a vote of 81 to 30, which amends the Illinois Biometric Information Privacy Act (BIPA) to limit damages to one violation per individual, rather than each instance their biometric information is captured, collected, disclosed, redisclosed, or otherwise disseminated. The bill also amended the definition of “written release” to include an electronic signature.

Last month, we reported on the Illinois Senate’s passage of the bill by a vote of 46 to 13. This legislative move is a direct response to the Illinois Supreme Court’s 2023 decision in Cothron v. White Castle. The Court ruled that under BIPA, a claim accrues each time an individual’s biometric information is captured or collected. This decision highlighted the urgent need for legislative clarity, as White Castle argued that it could face damages exceeding $17 billion if each of its employee’s time clock scans were found to recklessly or intentionally violate BIPA. Recognizing the potential for such devastating liability, the Court called on the Illinois legislature to act.

In its original form, BIPA stated that an individual may be entitled to $1,000 or actual damages for each negligent violation, or $5,000 or actual damages for each reckless or intentional violation. The newly passed bill amends Sections 15(b) and 15(d) of BIPA to state that an “aggrieved person is entitled to, at most, one recovery under this Section.”

Having cleared both legislative chambers, the bill is now headed to Governor Pritzker for his signature.

If you have any questions about how this BIPA amendment may impact your business practices, please do not hesitate to contact your trusted Seyfarth Shaw advisor.

This blog has been cross-posted on the Global Privacy Watch site.

Anyone following trends in consumer class action litigation will know that consumer privacy was a primary focus of the plaintiff’s bar in 2023. And there are no signs this uptick in consumer privacy claims is slowing any time soon. Although the claims center around use of tracking technology or analytics functions on consumer facing websites, several different statutes and claims have been asserted, including violations of state wiretap statutes and the Video Privacy Protection Act (“VPPA”).  

Although these cases are largely at the motion to dismiss stage, and therefore there is little insight into how certain key defenses will play out, some recent decisions surrounding VPPA claims have shifted the landscape in certain defendant’s favor.

The VPPA provides that “a video tape service provider who knowingly discloses, to any person, personally identifiable information concerning any consumer of such provider shall be liable to the aggrieved person.” 18 U.S.C. 2701(b)(1). That is, a video tape service provider cannot knowingly disclose, without the consent of the consumer, his or her personal video viewing information, to a third party. In these class actions, plaintiffs are alleging that if a website they visit to watch a video has a tracking pixel embedded in its code, the visitor’s video viewing information will be disclosed to the third party associated with that pixel without the visitor’s consent. If this activity is deemed a violation of the VPPA, the plaintiff stands to recover $2,500 per violation. In a class action where the class members are visitors to a website, the exposure can be in the tens of millions, if not higher.

There are, however, some limitations in the statute as to who can sue and be sued, and recent case decisions have been helpful to clarify those limits, particularly in the context of who is a video tape service provider and who is a consumer.

Definition of Video Tape Service Provider narrowed

In Carrol v. General Mills, Inc., the plaintiff filed a putative class action against General Mills for violation of the VPPA. The plaintiff alleged he had purchased and eaten General Mills products in the past and had downloaded the General Mills mobile app. 2023 WL 6373868, *1 (C.D. Cal. Sept. 1, 2023). He then used the mobile app to watch a video titled “Today’s Experiment, Carbonation Baking.”  Id. According to the plaintiff, because the General Mills app has pixel tracking technology installed and he watched the video while he was simultaneously logged into the site, the pixel caused information about the video he watched to be disclosed to the site without his consent. Id. On the motion to dismiss, the court made a few key findings that resulted in the dismissal of the plaintiff’s VPPA claim. First, the court analyzed the definition of Video Tape Service Provider (“VTSP”), which is “any person engaged in the business, in or affecting interstate or foreign commerce, of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials.”  Id. at *3.  The court found that based on the allegations, General Mills could not be found to be “engaged in the business” of delivering selling or renting audio visual material. Id. Specifically, the court stated where the allegations “do no more than show that videos are part of General Mills’ marketing and brand awareness” and do not indicate that the videos themselves are profitable, there is not enough to say that General Mills is a VTSP. Id.

Second, the court considered whether the plaintiff qualified as a consumer for purposes of a VPPA claim. A consumer is defined as “any renter, purchaser, or subscriber of goods or services from a video tape service provider.”  18 U.S.C. 2701(a)(1). The court rejected the idea that the plaintiff could be a consumer by alleging that he had purchased and eaten General Mills products in the past. Id. at *4. Rather, the court found that the goods and services rented, purchased, or subscribed to must be the audiovisual materials. other words, “a customer’s non-video transaction plays no part.”  Id. Thus, because the plaintiff failed to allege that General Mills was a VTSP or that he was a consumer, the court granted the motion to dismiss.

Definition of Consumer narrowed

Another defense-friendly development in the VPPA case law relates to the definition of subscriber. In many cases, plaintiffs allege that subscribing to a newsletter, app, or having an account with a defendant is enough to establish plaintiff is a consumer under the VPPA. There have been a string of recent decisions across the country interpreting subscriber to be much narrower. In particular courts have found that where the allegations cannot link the subscription to any kind of special access to video content the plaintiff is not a consumer within the meaning of the statute. Lamb v. Forbes Media LLC, 2023 WL 6318033, *13 (S.D.N.Y. Sept. 28, 2023); Brown v. Learfield Communications LLC, No. 23-cv-00374 (W.D. Tex. Jan. 29. 2024); Pileggi v. Washington Newspaper Publishing Co., 2024 WL 324121, 10 (D.D.C. Jan. 29. 2024). In the Brown case, because the plaintiffs did not allege that their “status as a newsletter subscriber was a condition to accessing the site’s videos, or that it enhanced or in any way affected their viewing experience, they had not alleged he was a subscriber of video content. Likewise, the Pileggi court found that “merely alleging that she visited the Washington Examiner website and watched videos on that site, wholly separate from her newsletter subscription breaks the link between the service to which she was a subscriber and her assessing of audio-visual content” which was fatal to her claim.

These decisions narrow the scenarios under which a valid VPPA claim can be brought and lessen the potential risk that any website operator with any video content is a potential target.

This blog is cross-posted on The Global Privacy Watch blog site as well.

Throughout much of 2023, businesses found themselves in a challenging position as they continued to grapple with defending against Illinois Biometric Information Privacy (BIPA) class action lawsuits. The year began on a somber note with the Illinois Supreme Court delivering unfavorable decisions on two pivotal threshold matters. However, rays of hope emerged when the same court issued two favorable decisions, one affirming union preemption, and another concerning medical exemptions under BIPA. These welcomed developments provided a reprieve for businesses contending with the longstanding challenges posed by the statute. As we navigate the complexities of BIPA, it becomes crucial for businesses to recognize and consider the various exemptions embedded within the legislation—many of which have proven effective in legal defenses over the past few years.

Procedural History of BIPA

Enacted in 2008, BIPA regulates the collection, use, and handling of biometric identifiers and information by private entities. After a relatively quiet period spanning nearly a decade, the statute experienced a significant surge in activity following the landmark decision in Rosenbach v. Six Flags (2019 IL 123186). This ruling established that a plaintiff need not plead actual harm or injury resulting from an alleged BIPA violation to seek relief under the Act. Subsequently, more than 1,500 BIPA lawsuits have been filed in Illinois.

The statute, having been largely untested before Rosenbach, gave rise to a series of critical threshold matters in the years that followed, many of which proved unfavorable for Illinois businesses. For instance, in early 2022, the Illinois Supreme Court, in McDonald v. Symphony (2022 IL 126511), decided that the Illinois Workers’ Compensation Act did not preempt BIPA. Approximately a year ago, the Illinois Supreme Court issued two highly anticipated decisions. First, in Tims v. Black Horse Carriers (2023 IL 127801), the Court held that the “catch-all” five-year statute of limitation under 735 ILCS 5/13-205 applies to all BIPA claims, as opposed to the one-year limitation period provided under 735 ILCS 5/13-201. Two weeks later, in Cothron v. White Castle (2023 IL 128004), the Court held that a claim under BIPA accrues each time a person scans or otherwise transmits biometric information.

While the White Castle decision initially reverberated through Illinois businesses facing potential exposure under BIPA, a careful examination of the ruling offers guidance and optimism for businesses navigating their defenses. At a point where many in the plaintiffs’ bar were ready to seize on separate $1,000 (negligent) or $5,000 (reckless/intentional) statutory damages for each scan, the high court reminded and acknowledged that a trial court has the power to fashion a damage award that fairly compensates the class and deters future violations without destroying a defendant’s business. 2023 IL 128004, ¶ 42. The majority seems to advocate for a sensible approach to damages under the statute, recognizing necessity for robust incentives for compliance while emphasizing that “the General Assembly chose to make damages discretionary rather than mandatory under the Act” and underscoring that “there is no language in the Act suggesting legislative intent to authorize a damage award that would result in the financial destruction of a business.” Id.

Although the majority’s decision held that a statute should be adopted “even though the consequences may be harsh, unjust, absurd or unwise,” id. ¶ 40, the Illinois Supreme Court, like state and federal courts throughout the country, has applied a contrary rule known as “the absurdity doctrine,” which holds: “[w]e will not make any determination that will construe an act of the legislature so as to lead to absurd, inconvenient or unjust consequences.” Loyola Academy v. S&S Roof Maintenance, Inc., 146 Ill. 2d 263, 273 (1992), citing McCastle v. Sheinkop, 121 Ill. 2d 188, 193 (1987); see also Evans v. Cook County State’s Attorney, 2021 IL 125513, ¶ 27 (“Statutes must be construed to avoid absurd or unjust results.”) (emphasis added), citing People v. Hamma, 207 Ill. 2d 486, 498 (2003). Citing this fundamental rule of statutory construction, the dissenting opinion in Cothron argued that the legislature could not have intended to impose punitive, crippling liabilities on businesses “wildly exceeding any remotely reasonable estimate of harm.” Cothron, ¶ 63. In response, the majority held that the risk of such “absurd” consequences is overblown. Accordingly, the most reasonable interpretation of Cothron’s holding is not that it embraces or invites absurd results, but that it requires trial courts applying BIPA’s non-mandatory damages provision to fashion appropriate remedies that are fair, equitable and suited to the circumstances of each case. The majority also makes clear that such damages should be tailored to deter future violations “without destroying defendant’s business.” Id., ¶ 42.

The White Castle decision firmly underscores the discretionary nature of damages under BIPA, emphasizing the importance of proportionality. However, Illinois businesses shouldn’t hold out hope that a jury will be so mindful. In recent years, businesses have achieved success by strategically leveraging applicable exemptions, and the Illinois Supreme Court’s recent recognition for certain exemptions, further underscores the need for businesses in Illinois to thoroughly explore every available avenue for exemptions. Therefore, it’s imperative for Illinois businesses to meticulously examine and leverage any relevant exemptions to navigate the challenging landscape of BIPA.

Health Care Worker Medical Exemption

At the end of 2023, the Illinois Supreme Court issued a rarity – a favorable decision for Illinois medical providers defending against BIPA lawsuits. On November 30, 2023, the high court delivered a long-awaited ruling in Mosby v. The Ingalls Memorial Hospital (2023 IL 129081), providing clarity on the protection status of biometric information collected from health care workers under BIPA. The case addressed certified questions relating to whether (1) BIPA applies to health care workers (as opposed to patients) and whether, more narrowly, (2) biometric information collected from a health care worker, when utilized for purposes related to health care treatment, payment, or operations as defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), falls within BIPA’s purview. Id., ¶ 1. Answering both certified questions in the affirmative, the Court’s decision established that when health care worker data is gathered for HIPAA-defined health care activities, it is exempt from BIPA protection. Id., ¶ 59.

In Mosby, nurses brought forth a putative class action, alleging that their biometric information was collected for identification purposes before administering medication to patients through use of an automated medication dispensary system. Id., ¶ 5. Both the trial court and the Illinois Appellate Court had previously determined that these collections were subject to BIPA, contending that BIPA’s exclusions for activities “under HIPAA” were primarily designed to safeguard patient data, not data pertaining to health care workers. Id., ¶¶ 7-8.

BIPA’s relevant exception states: “Biometric identifiers do not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996.” Id., ¶ 35. The Court, reversing the trial and appellate courts, applied principles of statutory construction, and emphasized that the use of the term “information” at the beginning of both phrases, separated by the disjunctive “or,” implied legislative intent to exclude two distinct categories of information. Id., ¶¶ 41-42, 52. Furthermore, the Court clarified that the term “under HIPAA” defined the scope of “health care treatment, payment, or operations” and that these terms pertained to activities performed by health care providers, not patients. Id., ¶ 53.

Nevertheless, the Court emphasized that it did not establish a sweeping, categorical exclusion of biometric identifiers from health care workers. Id., ¶ 57. Instead, the exclusion applied only when such information was collected for health care treatment, payment, or operations under HIPAA. Id. The extent to which lower courts will interpret and apply the Mosby decision, particularly in contexts beyond medication dispensing (i.e. time clock medical cases), remains a topic for future debate, and potentially another appellate review.

Union Exemption

Last year, the Illinois Supreme Court also gave employers a favorable decision when it decided that Section 301 of the Labor Management Relations Act (LMRA) preempts BIPA claims brought by bargaining unit employees covered by a collective bargaining agreement (CBA) where there is a broad management rights clause.

In Walton v. Roosevelt University (2023 IL 128338), the plaintiff alleged that he was required to scan biometric identifiers for timekeeping without being given notice and providing written consent, as required under BIPA. The trial court rejected Roosevelt University’s argument that the plaintiff’s claims were preempted by Section 301 of the LMRA. The Illinois Appellate Court reversed the trial court, relying on a 2021 Seventh Circuit BIPA decision in Fernandez v. Kerry, Inc., 14 F.4th 644, 646 (7th Cir. 2021), and explained that “when the employer invokes a broad management rights clause from a [CBA] in response to a [BIPA] claim, the claim is preempted because it requires an arbitrator to determine whether the employer and the union bargained about the issue or the union consented on the employees’ behalf.” See 2022 IL App (1st) 210011, ¶ 19.

Affirming the appellate court’s decision, the Illinois Supreme Court held that, “[g]iven the language in the CBA and the LMRA, it is both logical and reasonable to conclude any dispute [under BIPA] must be resolved according to federal law and the agreement between the parties. Therefore . . . we defer to the uniform federal case law on this matter and find that when an employer invokes a broad management rights clause from a CBA in response to a [BIPA] claim brought by bargaining unit employees, there is an arguable claim for preemption. Accordingly, because we do not believe the federal decisions were wrongly decided, and here the CBA contained a broad management rights clause, we find Walton’s [BIPA] claims are preempted by the LMRA.”

Although the ruling doesn’t entirely prohibit a BIPA claim by a bargaining unit employee under a CBA, Walton confirms the legitimacy of a preemption defense for employers who have established CBAs with expansive management rights clauses that may encompass mandated actions pertaining to BIPA claims. In such cases, employee claims under BIPA must adhere to the procedures specified in the relevant CBA, potentially involving individual private arbitration rather than class-wide proceedings.

Virtual Try-On Medical Exemption

As the plaintiffs’ bar continued to find creative ways to move beyond time clock BIPA cases, one trend included targeting businesses offering virtual try-on features for consumers to try various products at home, including glasses and makeup, through the use of a consumer’s computer or phone camera. But in September 2022, the court held in Svoboda v. Frames for America, Inc. (2022 WL 4109719 (N.D. Ill. Sept. 8, 2022)), that BIPA did not regulate the virtual try-on tool in this instance because it fell under the statute’s health care exemption.

Frames for America, Inc., which operates (an online platform selling prescription and non-prescription eyewear), offered a virtual feature on its website that allowed consumers to digitally try on glasses or sunglasses. The plaintiff alleged that Frames for America utilized software to scan a consumer’s facial geometry from a uploaded photograph and then digitally superimposed the eyewear on the consumer’s face. Id. at *1. Applying the same crucial exemption as in Mosby, the court dismissed the plaintiff’s complaint, reasoning that she qualified as a “patient receiving a health care service in a health care setting” when using the virtual try-on tool. Id. at *3. Even though the plaintiff did not seek medical treatment, consult an eye doctor, or make a purchase during the virtual try-on experience (id. at *1), the court concluded that “prescription lenses, non-prescription sunglasses, and frames meant to hold prescription lenses are all Class 1 medical devices.” Id. at *2. Consequently, the court held that the plaintiff “would have received a health care service had she purchased the glasses….” Id. Drawing an analogy, the court equated the virtual try-on feature in this case to services offered in optometrists’ offices. Id.

Illinois businesses providing a virtual try-on tool must meticulously assess the applicability of the medical exemption, particularly in situations where a potential connection can be argued between the product offered and a medical service. This careful analysis is crucial to navigate the complex regulatory landscape and ensure compliance, or exemption, with relevant statutes.

State Contractor Exemption

BIPA explicitly states that private entities that are “a contractor, subcontractor, or agent of a State or local unit of government when working for that State agency or local unit of government” are not subject to its mandates. (BIPA, Section 25(e)). While the exemption for state contractors under Section 25(e) has not been extensively explored by reviewing courts, the sole appellate decision addressing this provision, in Enriquez v. Navy Pier, Inc., clarifies that an entity qualifies for exemption if it meets three criteria: (1) it is a contractor, (2) of a unit of government, and (3) was working for that unit of government when collecting or disseminating biometric information. 2022 IL App (1st) 211414-U, ¶ 19, appeal denied, 201 N.E.3d 582 (Ill. 2023).

This interpretation aligns with previous rulings by trial courts, as exemplified in Thornley v. CDW-Government, LLC, 2022-CH-04246 (Cir. Ct. Cook Cty., Ill. June 25, 2001). The court in Thornley dismissed a class action lawsuit, reasoning that Section 25(e) of BIPA is straightforward and unambiguous. According to the court, the term “working” is commonly understood to mean “relating to or designating one that works,” leading to the conclusion that Section 25(e) applies to “one whom a state agency or local unit of government engages to … provide services….” The appellate court’s ruling in Enriquez not only affirms this interpretation but also provides a comprehensive analysis and a clear roadmap for businesses contracted to provide services for a state agency or local unit of government seeking to assert a defense under BIPA.

Financial Institution Exemption

According to Section 25(c) of BIPA, the provisions of the Act do not apply “in any manner to a financial institution or an affiliate of a financial institution that is subject to Title V of the federal Gramm-Leach-Bliley Act of 1999 [GLBA] and the rules promulgated thereunder.” In a notable 2022 case, DePaul University successfully had a BIPA class action lawsuit dismissed by invoking this financial institution exemption. The plaintiff had alleged that the university violated BIPA by using an online remote proctoring tool that purportedly captured, collected, and stored plaintiff’s biometric information. Powell v. DePaul Univ., 2022 WL 16715887, at *1 (N.D. Ill. Dec. 6, 2022).

DePaul University argued that its participation in U.S. Department of Education’s Federal Student Aid Program qualified it as a financial institution under the GLBA. Id. Supporting its stance, DePaul highlighted the acknowledgment by both the Federal Trade Commission (FTC) and the Department of Education that universities fall under the definition of financial institutions as per the GLBA. Id. Moreover, DePaul emphasized that rulemaking authority for Title V lies with the Consumer Financial Protection Bureau, which adopted and republished the privacy rules initially promulgated by the FTC. Id. at *2. According to the FTC rules, any institution “significantly engaged in financial activities” is considered a financial institution. Id. The court sided with DePaul, concluding that BIPA’s Section 25(c) applies to higher education institutions. The court was swayed by DePaul’s reliance on the FTC’s consistent and reasoned interpretation of the GLBA it administers. Id.

Despite being in the context of higher education, this decision should prompt any Illinois business facing BIPA claims to carefully analyze its reporting obligations and affiliations to determine whether they are in fact subject to Title V of the GLBA, and/or the rules promulgated thereunder.

Aside from analyzing compliance with and exposure under BIPA, Illinois businesses should be mindful of the everchanging landscape of the statute as lawsuits continue to progress. Businesses falling short of compliance standards should thoroughly examine whether any applicable BIPA exemptions may provide relief.

For further information, or to initiate a comprehensive review and audit of your BIPA compliance, feel free to reach out to Kristine Argentine, National Chair of Seyfarth Shaw’s Consumer Class Action Defense Practice Group, or Paul Yovanic, a seasoned BIPA litigator and counselor within the practice group.

With so many companies being hauled into court in California based on claims that the functionalities on their website and use of service providers for marketing or analytics purposes violate consumer privacy rights, it is important to exhaust all possible defenses available to defendants. Late last year, the Ninth Circuit issued a ruling upholding a dismissal based on a lack of personal jurisdiction over a web-based payment company. Companies operating interactive websites may be able to take advantage of this ruling as part of their defense strategy in 2024.

In Briskin v. Shopify, Inc., the plaintiff sued Shopify in California in a putative class action alleging that its collection, retention, and use of consumer data obtained from persons who made online purchases violated various California privacy and unfair competition laws. 87 F.4th 404 (9th Cir. Nov. 28, 2023). The district court dismissed plaintiff’s complaint based on a lack of specific jurisdiction over the defendant, and the Ninth Circuit affirmed. Id.

The plaintiff conceded that there was no general jurisdiction over Shopify because it was neither incorporated nor maintained a principal place of business in California, but argued that Shopify was subject to specific jurisdiction based on its contractual relationships with California merchants, its operation of one physical location in California, and its knowledge that California residents were being potential injured based on the allegations. Id. at 409-10. The Ninth Circuit conducted an in-dept analysis of specific jurisdiction as it relates to claims that involve interactive websites. The court noted that in order for specific jurisdiction to exist, the defendant must either purposefully direct its activities toward the forum or the claim must be one that arises out of or relates to the defendant’s forum related activities. Id. at 411. The court found that while Shopify committed an intentional act and caused harm it knew was likely to be suffered in the forum state, there was no conduct which Shopify “expressly aimed at the forum state” to create specific jurisdiction. Id. at 412.

In conducting this analysis, the court isolated the activities relevant to the specific jurisdiction analysis: Shopify’s alleged collection, retention and use of consumer data obtained from online purchases processed through its platform. Id. at 415. Thus, the key issue was whether Shopify’s web-based processing service is expressly aimed at California in any way. Id. The court relied on precedent involving out-of-state interactive websites finding those cases to be the most analogous to this “novel” issue. Id. at 415-20. The court noted that operation of an interactive website does not, by itself, establish express aiming but there must be something more. Id. at 418. That is, “when the website is the only jurisdictional contact, [the] analysis turns on whether the site had a forum specific focus or the defendant exhibited an intent to cultivate an audience in the forum” such as through the platform itself having a forum-specific aim, evidence showing that the website appeals to an audience of a particular state, or that the website actively targeted the forum in some way.  Id. at 418-20. In reaching its conclusion, the Ninth Circuit agreed that Shopify’s web payment platform did not have a forum specific focus and is indifferent to the location of the merchant or the end-consumer. Id. at 422-23. While Shopify benefits from consumers who are present in California, that alone does not answer the purposeful direction question because it does not demonstrate “express aiming.”  Id. at 423.

The claims alleged in Briskin are similar to those being asserted against hundreds of retailers alleging violations of various privacy laws including the California Invasion of Privacy Act. Thus, similar to Briskin, personal jurisdiction over companies based outside of California but operating an interactive website that is accessible to California residents should be analyzed under a similar specific jurisdiction framework. This is a defense that may be applicable in these cases and could provide defendants with early relief. With no clear direction being taken yet on as to the merits of these privacy claims and no slowdown in the filings of these claims under evolving theories of privacy violations, a successful personal jurisdiction argument could be an important arrow in the defense bar’s quiver.

This week, Seyfarth attorneys from multiple offices will be attending and presenting at the 2023 Association of National Advertisers Masters of Advertising Law Conference in Orlando, Florida.

On Wednesday, Seyfarth Partners Kristine Argentine (Chicago) and Joe Orzano (Boston) will be presenting alongside in-house counsel on a panel covering the “Effective Collaboration Between Legal and Marketing.” The panel will focus on the effective involvement of both in-house and outside counsel in managing the legal risk of advertising and marketing. The discussion will include hot topics in advertising and marketing, and strategies for managing legal risk in collaboration with the marketing team.

Then on Friday, Kristine Argentine and Senior Associate Paul Yovanic (Chicago) will be hosting a roundtable on “Striking the Right Balance: Biometric Privacy In Virtual Try-On Tools.” Paul and Kristine will lead a discussion about the exciting world of virtual try-on tools and the relevant biometric privacy laws that should be considered when implementing the tools. The discussion will include the potential risks associated with the collection and storage of biometric data, as well as the recent legal authority on virtual try-on tools, and how it should guide retailers in their marketing and advertising efforts.

Seyfarth Shaw’s Consumer Class Action and Product Liability groups have achieved a prestigious ranking in the highly regarded Legal 500 United States 2023 edition, solidifying their reputation as one of the nation’s top legal teams. This recognition reaffirms Seyfarth’s unwavering commitment to excellence in Product Liability, Mass Tort, and Class Action law.

The Legal 500 United States guide lauds Seyfarth’s Consumer Class Action and Product Liability practices for their exceptional professionalism and meticulous attention to detail. The guide highlights their ability to consider cost sensitivity while providing insightful advice, ensuring informed clients are ultimately empowered to make decisions with confidence. The guide specifically recognizes the exemplary client service demonstrated by Kristine Argentine, Tom Locke, Joe Orzano, William Prickett, Esther Slater McDonald, Giovanna Ferrari, Aaron Belzer, and Renee Appel.

Renowned for its comprehensive coverage of legal services, The Legal 500 United States is an esteemed and independent guide that offers authoritative assessments of law firms. Its rigorous research conducted over the past 12 months recognizes and rewards outstanding in-house and private practice teams and individuals. The inclusion of Seyfarth Shaw’s Consumer Class Action and Product Liability groups in these rankings reflects their status as trusted authorities in Product Liability, Mass Tort, and Class Action law. Through their unwavering dedication to providing exceptional legal counsel, clear communication, and efficient service, Seyfarth continues to serve as a valuable partner for companies seeking comprehensive Product Liability, Mass Tort, and Class Action service offering and strategic guidance in today’s fiercely competitive business landscape.

Seyfarth Synopsis: The U.S. District Court for the Northern District of Illinois recently denied Plaintiff’s motion to reconsider a prior dismissal of his privacy action due to untimeliness.  In a case titled Bonilla, et al. v. Operations Inc., et al., No. 20-cv-7390 (N.D. Ill.), Plaintiff alleged that consumer DNA network Ancestry DNA violated the Illinois Right of Publicity Act (“IRPA”) when it uploaded his high school yearbook photo to its website. The Court initially granted Ancestry’s motion for summary judgment, finding Plaintiff’s claims to be time-barred under the applicable one-year limitations period.  Upon reconsideration, Plaintiff  – unsuccessfully – made a first-of-its-kind argument that the Court should apply the Illinois Biometric Privacy Act’s five-year statute of limitations to the IRPA.

Background on the Bonilla Lawsuit

Ancestry DNA, most commonly known for its at-home DNA testing kits, also maintains a robust database of various historical information and images.  One subset of this online database is the company’s “Yearbook Database.”  This portion of the website collects yearbook records from throughout the country and uploads the yearbook contents – including students’ photos – to  On June 27, 2019, Ancestry DNA uploaded the 1995 yearbook from Central High School in Omaha, Nebraska to its Yearbook Database.

More than a year later, on December 14, 2020, Plaintiff Sergio Bonilla filed a lawsuit against Ancestry DNA over its publication of the Central High School yearbook. Specifically, Plaintiff Bonilla – a current Illinois resident and former student of Central High School whose picture appeared in Ancestry’s database – alleged that Ancestry DNA improperly publicized his private information without obtaining his consent. Plaintiff’s lawsuit asserted violations of the IRPA, as well as a cause of action for unjust enrichment.  Ancestry DNA filed a motion for summary judgment on the basis that Plaintiff’s action was not brought within the requisite one-year limitations period.  The Court agreed, thereby dismissing Plaintiff’s claims.

Court Denies Plaintiff’s Motion for Reconsideration

After the Illinois Supreme Court’s decision in Tims v. Black Horse Carriers (which held that BIPA is subject to a five-year statute of limitations – read our full summary HERE), Plaintiff filed a motion for reconsideration, contending that the Court should actually apply a five-year limitations period to IRPA actions, like it applies to BIPA.  To that end, Plaintiff emphasized that the IRPA (similar to BIPA) does not itself contain a statute of limitations.  Plaintiff also noted that both the IRPA and BIPA derived from legislative concerns centered on Illinois residents’ right to privacy.  Therefore, according to Plaintiff, the IRPA’s legislative purpose would be best served by applying the catch-all five-year limitations period of 735 ILCS 5/13-205. 

On reconsideration, the Court again rejected Plaintiff’s argument.  In its May 23, 2023 decision, the Court first outlined relevant case law precedent, under which the only courts to address this issue previously held that the IRPA’s applicable statute of limitations is one year.  See Toth-Gray v. Lamp Liter, Inc., No. 19-cv-1327, 2019 WL 3555179, at *4 (N.D. Ill. July 31, 2019); see also Blair v. Nevada Landing P’ship, 859 N.E.2d 1188, 1192 (Ill. App. Ct. 2006). 

The Court then analyzed the Tims decision, which held that, “when the law does not specify a statute of limitations, ‘the five-year limitations period applies’ unless the suit is one for ‘slander, libel or for publication of a matter violating the right of privacy.’”  Here, the Court reasoned that an IRPA action squarely falls within the last category identified by the Court in Tims, as IRPA cases necessarily involve alleged violations of a party’s right to privacy.  Finally, the Court rejected Plaintiff’s contention that Tims controls this situation, instead holding that “[u]nlike the BIPA, the IRPA protects the publication of matters related to the right of privacy and, thus, falls under the one-year statute of limitations.”

Implications for Businesses

This decision establishes a welcome pro-business standard in the Illinois privacy law context.  Notably, the Illinois Supreme Court in Tims rejected the defense bar’s argument that BIPA violations were akin to privacy rights violations and subject to the one-year statute of limitations applicable to IRPA claims.  This decision holds that the converse also is not true.  It is also the first court to reject expansion of the plaintiff-friendly five-year BIPA statute of limitations to claims beyond BIPA.

Though this decision was issued by an Illinois federal court – rather than the Illinois Supreme Court, which decided the recent Tims and Cothron v. White Castle System BIPA cases – it nonetheless offers some privacy protection for Illinois businesses that post or otherwise aggregate third parties’ content or information.  We will monitor whether defendants are able to expand the Bonilla decision into other related privacy law actions, or if Illinois courts will restrict its holding to actions brought under the IRPA.

For more information about the Illinois Right of Publicity Act, the Illinois Biometric Information Privacy Act, or how this decision may affect your business, contact the authors Danielle Kays and James Nasiri, your Seyfarth attorney, or Seyfarth’s Workplace Privacy & Biometrics Practice Group.

On Tuesday, June 13 at 1:00 p.m. Eastern, Seyfarth attorneys Kristine Argentine, John Tomaszewski, and Paul Yovanic will present at the Association of National Advertisers webinar, “Emerging Issues Surrounding Privacy Class Actions and Compliance in 2023.”

This presentation will cover the recent surge in consumer class actions, compliance considerations, and recent developments in the law related to privacy claims, including TCPA and State Mini-TCPAs, the Video Privacy Protection Act, data breach claims, biometric privacy, and claims related to collection of data through google analytics tools, such as chat functions, pixels, and cookies.

For more information and to register, click here.

On April 3, 2023, the CFPB published a new official statement of policy on the authority that Congress passed in the Consumer Financial Protection Act of 2010 (“CFPA”), codified at 12 U.S.C. § 5536(a)(1)(B), banning “abusive conduct” in connection with the offering or provision of consumer financial products or services.  A copy of the new Policy can be found here. It is broad and tilted heavily in favor of consumers.

This is the CFPB’s second effort at promulgating an official statement of policy on abusive acts and practices. On March 11, 2020, the Consumer Financial Protection Bureau (“CFPB”) announced that it was rescinding its January 24, 2020 policy statement, “Statement of Policy Regarding Prohibition on Abusive Acts and Practices,” which was published four days after the Trump administration ended and the Biden administration began.[1]  The CFPB withdrew its prior policy based upon its finding that, “The 2020 Policy Statement was inconsistent with the Bureau’s duty to enforce Congress’s standard and rescinding it will better serve the CFPB’s objective to protect consumers from abusive practices.”[2]  In doing so, the CFPB announced that, “Going forward, the CFPB intends to exercise its supervisory and enforcement authority consistent with the full scope of its statutory authority under the Dodd-Frank Act as established by Congress.” 

Among the highlights:

Under the CFPA, there are two abusive prohibitions. An abusive act or practice: (1) Materially interferes with the ability of a consumer to understand a term or condition of a consumer financial product or service; or (2) Takes unreasonable advantage of:

  • A lack of understanding on the part of the consumer of the material risks, costs or conditions of a product or service;
  • The inability of the consumer to protect the interests of the consumer in selecting or using a consumer product or service; or
  • The reasonable reliance by the consumer on a covered person to act in the interests of the consumer.

The Policy states that unlike with unfairness but similar to deception, abusiveness requires no showing of substantial injury to establish liability, but rather is focused on conduct that Congress presumed to be harmful or distortionary to the proper functioning of the market. The Policy cites as examples omissions that obscure, withhold, de-emphasize, render confusing or hide information relevant to the ability of a consumer to understand terms and conditions (including buried disclosures, physical or digital interference, overshading, and other means of manipulating consumers’ understanding). 

Intent is not a required element to show material interference. Terms regarding pricing or costs, limitations on the person’s ability to use or benefit from the product or service, and contractually specified consequences of default are listed as examples of terms of a transaction that are so consequential that when they are not conveyed to people prominently or clearly, it may be reasonable to presume that the entity engaged in acts or omissions that materially interfere with the consumers’ ability to understand. 

A product or service’s complexity may interference with consumers’ ability to understand if the material information about it cannot be sufficiently explained or if the entity’s business model functions in a manner that is inconsistent with its product’s or service’s apparent terms. And even a small advantage may be abusive if it is unreasonable.

When there are gaps in understanding regarding the material risks, costs, or conditions of the entity’s product or service, entities may not take unreasonable advantage of that gap. “Risks” include but are not limited to the consequences or likelihood of default and the loss of future benefits. Gaps in understanding related to “costs” include any monetary charge to a person as well as non-monetary costs such as lost time, loss of use, or reputational harm. And gaps in understanding with respect to “conditions” include any circumstance, context, or attribute of a product or service, whether express or implicit. For example, “conditions” could include the length of time it would take a person to realize the benefits of a financial product or service, the relationship between the entity and the consumer’s creditors, the fact a debt is not legally enforceable, or the processes that determine when fees will be assessed. 

The lack of understanding can be caused by third parties and can exist even when there is no contractual relationship between the person and the entity that takes unreasonable advantage of the person’s lack of understanding. Further, the Policy does not require that the consumer’s lack of understanding was reasonable to demonstrate abusive conduct. Since there can be differences among consumers in the risks, costs, and conditions they face and in their understanding of them, there may be a violation with respect to some consumers even if other consumers do not lack understanding. Congress has outlawed taking unreasonable advantage of circumstances where people lack sufficient bargaining power to protect their interests. Such circumstances may occur at the time of, or prior to, the person selecting the product or service, during their use of the product or service, or both.

The Policy states that the consumer “interests” include monetary and non-monetary interests, including but not limited to property, privacy, or reputational interests. People also have interests in limiting the amount of time or effort necessary to obtain consumer financial products or services or remedy problems related to those products or services. This includes, but is not limited to, the time spent trying to obtain customer support assistance, according to the Policy. The CFPB’s relatively newfound asserted dominion over customer service, now ensconced in a formal statement of policy, is expected to be particularly contentious with the financial services industry.


[2] Id.