Seyfarth Shaw is a sponsor for the 2024 ANA Masters of Advertising Law Conference, the biggest advertising, marketing, and promotion law conference in the nation. The conference will take place November 11-13 at the Fairmont Scottsdale Princess in Scottsdale, Arizona. During the conference Seyfarth attorneys Joe Orzano and Kristine Argentine will present on a breakout panel and Ken Wilton, Ameena Majid, and Gina Ferrari will lead a roundtable discussion. Additional details are provided below. 

BREAKOUT 5D: CONSUMER CLASS ACTION LITIGATION UPDATE

Monday, November 11, 2024

This session will focus on consumer class actions, including false advertising and privacy class actions. The panel will feature insights on litigation trends including common claims and types of products and services targeted, as well as theories of liability, over the past year.  The panel will also discuss defenses to commonly asserted false advertising and privacy claims and how those defenses are being received by courts. The panel will also include the latest proactive tips and strategies to maintain active advertising and marketing of products and services, while minimizing the risk of being targeted by the plaintiffs’ bar.

Panelists:

Joe Orzano
Partner and National Co-Chair, Advertising & Marketing Group
Seyfarth Shaw LLP

Kristine Argentine
Partner and National Chair, Consumer Class Action Defense Group
Seyfarth Shaw LLP

Jessica Bahr
Vice President, Deputy General Counsel
Constellation Brands

Jennifer Greenberg
General Counsel
Frida


ROUNDTABLES WITH THE EXPERTS: THE PERILS OF OVERHYPE: UNMASKING GREENWASHING AND AI WASHING

Tuesday, November 12, 2024

In today’s world, companies are expected – and even required – to share their environmental and other ESG advancements to gain consumer trust. It’s table stakes to maintain and increase market share. Not all claims are as genuine as they seem; even if well-intentioned. This roundtable will explore the potentially deceptive practices of greenwashing, AI washing, rainbow washing, and other exaggerations of an organization’s progress. We’ll touch on the risks and consequences of these misleading tactics, from both a regulatory and a civil liability perspective. Join Ameena Majid, Gina Ferrari and Ken Wilton of Seyfarth Shaw as they prompt discussions surrounding these timely and increasingly important topics.

Presenters:

Ken Wilton
National Co-Chair, Advertising & Marketing Group and National Trademark Practice Lead

Ameena Majid
Impact & Sustainability Partner 

Gina Ferrari
Partner and Co-Chair of the firm’s Impact & Sustainability Practice Group

What is the range of a federal district court’s power to compel a nonparty’s attendance at a hearing? Every practicing litigator knows the answer—“within 100 miles of where the person resides, is employed, or regularly transacts business in person.” FRCP 45(c)(1). But that is only half the answer. As the Federal Circuit recently held, when a lawyer issues a subpoena, the geographical limits of Rule 45 apply. But when the court acts on its own? That’s a different matter.

The case, Backertop Licensing LLC v. Canary Connect, was originally patent litigation filed in 2022—one of a series of twelve cases filed by Backertop, and also part of a much larger set of cases (at least ninety-seven) filed by affiliated entities that, as the Federal Circuit panel put it, all “seem to be associated with IP Edge, a patent monetization firm, and Mavexar, an affiliated consulting shop.” But this particular case landed on the desk of Chief Judge Colm Connolly of the District of Delaware, whose standing order contains very particular real-party-in-interest disclosure requirements: an LLC, joint venture, or partnership appearing in his court as a party “must include in its disclosure statement filed pursuant to Federal Rule of Civil Procedure 7.1 the name of every owner, member, and partner of the party, proceeding up the chain of ownership until the name of every individual and corporation with a direct or indirect interest in the party has been identified.”

Judge Connolly takes this requirement seriously, and when parties submit what appear to be insufficient disclosures, he investigates. Thus, as the Federal Circuit noted, “[o]ver the past year and a half, the Chief Judge . . . has identified potential attorney and party misconduct in dozens of related patent cases” filed by LLCs apparently associated with IP Edge and Mavexar. Indeed, Judge Connolly’s investigations suggest that “those real parties in interest perpetrated a fraud on the court by fraudulently conveying to a shell LLC [the patents] and filing a fictitious patent assignment with the PTO designed to shield those parties from potential liability they would otherwise face in asserting [the patents] in litigation”—as well as failing to abide by the court’s own disclosure requirements.

Judge Connolly ordered the principal of Backertop to appear in his court to “sort out the morass” after Backertop initially refused to produce documents in response to the court’s fraud concerns and its attorney attempted to withdraw from the case.  The principal objected, asserting that travel would pose a hardship for her due to childcare obligations. When she still refused after the court reset the hearing to accommodate her, the court initiated contempt proceedings. The principal filed a motion asserting that the court lacked the authority to compel her to travel, as she was outside the range specified in Rule 45—an argument Judge Connolly rejected, holding her in contempt and imposing a $200/day fine until she appeared.

The Federal Circuit panel agreed with Judge Connolly, holding that “the District Court’s order requiring [the principal] to appear at an in-person hearing falls squarely within its inherent powers,” not Rule 45’s subpoena power, and thus “that Rule does not limit the geographical range of a court’s ability to sua sponte issue an order to appear.”

Key to the court’s holding was Rule 45’s purpose in enabling “a party or attorney’s efforts to subpoena a person”—not the district court’s.  The opinion walked through the plain language of the Rule—“[a] party or attorney” is “responsible for issuing and serving” a subpoena—as well as its structure, noting that “many of FRCP 45’s requirements would be illogical if applied to a court’s own orders,” such as mandatory sanctions on a subpoenaing party for certain abuses. (Obviously, the court will not sanction itself.)

The court also examined the history of Rule 45, noting that “[s]ince its inception” the Rule “has expressly applied to subpoenas that parties requested and served without initial court oversight.” And in 1991 the Rule was amended to allow attorneys to issue subpoenas without even having the request them from the clerk. In the absence of any supervision or check, the court concluded, “it makes sense that the Rules would impose bright-line rules on the scope of party- and attorney-initiated subpoenas—as well as specific mechanisms to hold parties and attorneys accountable.” But a court’s own order to appear does not raise those issues—the court is involved directly and can weigh for itself the burden of an order requiring long-distance travel against the needs of the case.

The panel did not endow the district court with unlimited power, of course: it indirectly left open the possibility that an order to appear could be reviewable if “unreasonable or an abuse of discretion.” But because the witness being compelled was the sole human representative of the plaintiff, which was suspected of fraudulent behavior, the order was a “reasonable response to the problems and needs confronting the court’s fair administration of justice.” 

Lawyers refer to the limitations in Rule 45 so often that it is easy to get into the habit of thinking it is a limitation on the power of the court. But according to the Federal Circuit it is actually a limitation on us; and we and our clients can still be subject to a federal court’s power no matter where we are.

And for class action litigators, there’s an additional lesson here: following this ruling and Judge Connolly’s example, district courts may be more emboldened to demand clarity about the real parties in interest controlling litigation before them. While serial patent litigation is one business model where real parties may prefer to stay hidden, the same issues of real parties controlling litigation but shielding themselves from scrutiny can arise in class cases, potentially distorting the usual settlement incentives and affecting the rights of large numbers of absent plaintiffs. State borders and the 100-mile rule notwithstanding, federal district courts are broadly empowered to investigate and punish fraud, procedural abuse, and other misconduct related to their cases—including class cases.

Earlier this year, we reported that the Illinois Senate passed Senate Bill 2979 with a vote of 46 to 13, and the Illinois House of Representatives passed Senate Bill 2979 with a vote 81 to 30. This bill addressed concerns arising from recent legal interpretations of the Illinois Biometric Information Privacy Act (“BIPA,” 740 ILCS 14/ et seq.), particularly following the Illinois Supreme Court’s 2023 decision in Cothron v. White Castle System Inc., in which the Court held that a claim under BIPA accrues each time that an individual’s biometric information or identifier is captured or collected.

Last Friday, after nearly a three-month wait, Governor J.B. Pritzker signed Senate Bill 2979 into law. This marks the first ever amendment to BIPA in its 16-year history.

Before the amendment, BIPA allowed aggrieved individuals to claim $1,000 or actual damages for “each” negligent violation, and $5,000 or actual damages for “each” reckless or intentional violation. In Cothron, the Court held that “each” violation under the statute is a separate claim, which led some plaintiffs’ attorneys to pursue a “per scan” damages theory whereby plaintiffs would purport to seek $1,000 or $5,000 for each scan of their biometric information or identifiers. Recognizing the potential for excessive statutory damages under this theory, the Court urged the Illinois legislature to take action, and the legislature responded with this significant amendment.

The amendment, which took effect on August 2, 2024, provides that an aggrieved person may recover for only one statutory violation under Sections 15(b) and 15(d). Specifically, the changes to BIPA’s damages provisions are as follows:

(b) For purposes of subsection (b) of Section 15, a private entity that, in more than one instance, collects, captures, purchases, receives through trade, or otherwise obtains the same biometric identifier or biometric information from the same person using the same method of collection in violation of subsection (b) of Section 15 has committed a single violation of subsection (b) of Section 15 for which the aggrieved person is entitled to, at most, one recovery under this Section.

(c) For purposes of subsection (d) of Section 15, a private entity that, in more than one instance, discloses, rediscloses, or otherwise disseminates the same biometric identifier or biometric information from the same person to the same recipient using the same method of collection in violation of subsection (d) of Section 15 has committed a single violation of subsection (d) of Section 15 for which the aggrieved person is entitled to, at most, one recovery under this Section regardless of the number of times the private entity disclosed, redisclosed, or otherwise disseminated the same biometric identifier or biometric information of the same person to the same recipient.

740 ILCS 14/25(b) and (c).

Notably, as amended, BIPA further suggests now that an aggrieved person cannot recover separate statutory amounts for violations of Section 15(b) and Section 15(d). Instead, each amendment explicitly states that an aggrieved individual is entitled to “a single violation … of Section 15 for which the aggrieved individual is entitled to, at most, one recovery under this Section …” Id. (emphasis added). In other words, although the amendment acknowledges that Section 15 includes subsections 15(b) and 15(d) as distinct subsections, its language nonetheless could be read to state that an individual may only recover for a single violation of Section 15 as a whole, regardless of which subsection is violated.

The amendment also expressly includes an “electronic signature” as a permissible means of a “written release,” as defined under the statute. Prior to this amendment, it was unclear whether an electronic signature was a proper means for affixing signature under the statute. Although electronic signatures to BIPA releases were not subject to frequent challenges by the plaintiffs’ bar, this aspect of the amendment provides additional clarity that should be welcome to Illinois employers and other businesses.

While the amendment is unlikely to halt BIPA filings entirely, they will mitigate the weaponization by some plaintiffs’ attorneys who viewed Cothron as their green light to pursue a per-scan damages theory, which could have exposed Illinois businesses to tens or even hundreds of millions of dollars in damages for even the smallest of putative classes. Until now, businesses were left to rely on the discretion of trial and appellate courts to keep this theory in check; with the amendment, the statute accomplishes that unequivocally. The amendment also prevents plaintiffs from seeking separate damages for each subsection under Section 15, thereby rebuffing another tactic for increasing damages that other plaintiffs’ counsel attempted to utilize in the alternative.   

If you have any questions about how this BIPA amendment may impact your business practices, please do not hesitate to contact the authors or your trusted Seyfarth Shaw advisor.

This post has been cross-posted from Seyfarth’s Employment Law Lookout blog.

Welcome to Decoding Appeals, where Seyfarth’s Appellate Team brings to in-house counsel our insights and expertise from the front lines of the appellate courts. Throughout this short video series, we break down the nuances of appellate advocacy, sharing tips and lessons we’ve learned to help companies’ in-house legal teams understand the complexities of the appeals process.

In this first episode, host Owen Wolfe is joined by Amanda Williams and Cat Johns, two former judicial law clerks who offer their unique perspectives on the appeals process, drawing from their firsthand experiences and behind-the-scenes knowledge of how it all works.

In a significant legislative development, the Illinois House of Representatives has overwhelmingly approved Senate Bill 2979, with a vote of 81 to 30, which amends the Illinois Biometric Information Privacy Act (BIPA) to limit damages to one violation per individual, rather than each instance their biometric information is captured, collected, disclosed, redisclosed, or otherwise disseminated. The bill also amended the definition of “written release” to include an electronic signature.

Last month, we reported on the Illinois Senate’s passage of the bill by a vote of 46 to 13. This legislative move is a direct response to the Illinois Supreme Court’s 2023 decision in Cothron v. White Castle. The Court ruled that under BIPA, a claim accrues each time an individual’s biometric information is captured or collected. This decision highlighted the urgent need for legislative clarity, as White Castle argued that it could face damages exceeding $17 billion if each of its employee’s time clock scans were found to recklessly or intentionally violate BIPA. Recognizing the potential for such devastating liability, the Court called on the Illinois legislature to act.

In its original form, BIPA stated that an individual may be entitled to $1,000 or actual damages for each negligent violation, or $5,000 or actual damages for each reckless or intentional violation. The newly passed bill amends Sections 15(b) and 15(d) of BIPA to state that an “aggrieved person is entitled to, at most, one recovery under this Section.”

Having cleared both legislative chambers, the bill is now headed to Governor Pritzker for his signature.

If you have any questions about how this BIPA amendment may impact your business practices, please do not hesitate to contact your trusted Seyfarth Shaw advisor.

This blog has been cross-posted on the Global Privacy Watch site.

Anyone following trends in consumer class action litigation will know that consumer privacy was a primary focus of the plaintiff’s bar in 2023. And there are no signs this uptick in consumer privacy claims is slowing any time soon. Although the claims center around use of tracking technology or analytics functions on consumer facing websites, several different statutes and claims have been asserted, including violations of state wiretap statutes and the Video Privacy Protection Act (“VPPA”).  

Although these cases are largely at the motion to dismiss stage, and therefore there is little insight into how certain key defenses will play out, some recent decisions surrounding VPPA claims have shifted the landscape in certain defendant’s favor.

The VPPA provides that “a video tape service provider who knowingly discloses, to any person, personally identifiable information concerning any consumer of such provider shall be liable to the aggrieved person.” 18 U.S.C. 2701(b)(1). That is, a video tape service provider cannot knowingly disclose, without the consent of the consumer, his or her personal video viewing information, to a third party. In these class actions, plaintiffs are alleging that if a website they visit to watch a video has a tracking pixel embedded in its code, the visitor’s video viewing information will be disclosed to the third party associated with that pixel without the visitor’s consent. If this activity is deemed a violation of the VPPA, the plaintiff stands to recover $2,500 per violation. In a class action where the class members are visitors to a website, the exposure can be in the tens of millions, if not higher.

There are, however, some limitations in the statute as to who can sue and be sued, and recent case decisions have been helpful to clarify those limits, particularly in the context of who is a video tape service provider and who is a consumer.

Definition of Video Tape Service Provider narrowed

In Carrol v. General Mills, Inc., the plaintiff filed a putative class action against General Mills for violation of the VPPA. The plaintiff alleged he had purchased and eaten General Mills products in the past and had downloaded the General Mills mobile app. 2023 WL 6373868, *1 (C.D. Cal. Sept. 1, 2023). He then used the mobile app to watch a video titled “Today’s Experiment, Carbonation Baking.”  Id. According to the plaintiff, because the General Mills app has pixel tracking technology installed and he watched the video while he was simultaneously logged into the site, the pixel caused information about the video he watched to be disclosed to the site without his consent. Id. On the motion to dismiss, the court made a few key findings that resulted in the dismissal of the plaintiff’s VPPA claim. First, the court analyzed the definition of Video Tape Service Provider (“VTSP”), which is “any person engaged in the business, in or affecting interstate or foreign commerce, of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials.”  Id. at *3.  The court found that based on the allegations, General Mills could not be found to be “engaged in the business” of delivering selling or renting audio visual material. Id. Specifically, the court stated where the allegations “do no more than show that videos are part of General Mills’ marketing and brand awareness” and do not indicate that the videos themselves are profitable, there is not enough to say that General Mills is a VTSP. Id.

Second, the court considered whether the plaintiff qualified as a consumer for purposes of a VPPA claim. A consumer is defined as “any renter, purchaser, or subscriber of goods or services from a video tape service provider.”  18 U.S.C. 2701(a)(1). The court rejected the idea that the plaintiff could be a consumer by alleging that he had purchased and eaten General Mills products in the past. Id. at *4. Rather, the court found that the goods and services rented, purchased, or subscribed to must be the audiovisual materials. Id.in other words, “a customer’s non-video transaction plays no part.”  Id. Thus, because the plaintiff failed to allege that General Mills was a VTSP or that he was a consumer, the court granted the motion to dismiss.

Definition of Consumer narrowed

Another defense-friendly development in the VPPA case law relates to the definition of subscriber. In many cases, plaintiffs allege that subscribing to a newsletter, app, or having an account with a defendant is enough to establish plaintiff is a consumer under the VPPA. There have been a string of recent decisions across the country interpreting subscriber to be much narrower. In particular courts have found that where the allegations cannot link the subscription to any kind of special access to video content the plaintiff is not a consumer within the meaning of the statute. Lamb v. Forbes Media LLC, 2023 WL 6318033, *13 (S.D.N.Y. Sept. 28, 2023); Brown v. Learfield Communications LLC, No. 23-cv-00374 (W.D. Tex. Jan. 29. 2024); Pileggi v. Washington Newspaper Publishing Co., 2024 WL 324121, 10 (D.D.C. Jan. 29. 2024). In the Brown case, because the plaintiffs did not allege that their “status as a newsletter subscriber was a condition to accessing the site’s videos, or that it enhanced or in any way affected their viewing experience, they had not alleged he was a subscriber of video content. Likewise, the Pileggi court found that “merely alleging that she visited the Washington Examiner website and watched videos on that site, wholly separate from her newsletter subscription breaks the link between the service to which she was a subscriber and her assessing of audio-visual content” which was fatal to her claim.

These decisions narrow the scenarios under which a valid VPPA claim can be brought and lessen the potential risk that any website operator with any video content is a potential target.

This blog is cross-posted on The Global Privacy Watch blog site as well.

Throughout much of 2023, businesses found themselves in a challenging position as they continued to grapple with defending against Illinois Biometric Information Privacy (BIPA) class action lawsuits. The year began on a somber note with the Illinois Supreme Court delivering unfavorable decisions on two pivotal threshold matters. However, rays of hope emerged when the same court issued two favorable decisions, one affirming union preemption, and another concerning medical exemptions under BIPA. These welcomed developments provided a reprieve for businesses contending with the longstanding challenges posed by the statute. As we navigate the complexities of BIPA, it becomes crucial for businesses to recognize and consider the various exemptions embedded within the legislation—many of which have proven effective in legal defenses over the past few years.

Procedural History of BIPA

Enacted in 2008, BIPA regulates the collection, use, and handling of biometric identifiers and information by private entities. After a relatively quiet period spanning nearly a decade, the statute experienced a significant surge in activity following the landmark decision in Rosenbach v. Six Flags (2019 IL 123186). This ruling established that a plaintiff need not plead actual harm or injury resulting from an alleged BIPA violation to seek relief under the Act. Subsequently, more than 1,500 BIPA lawsuits have been filed in Illinois.

The statute, having been largely untested before Rosenbach, gave rise to a series of critical threshold matters in the years that followed, many of which proved unfavorable for Illinois businesses. For instance, in early 2022, the Illinois Supreme Court, in McDonald v. Symphony (2022 IL 126511), decided that the Illinois Workers’ Compensation Act did not preempt BIPA. Approximately a year ago, the Illinois Supreme Court issued two highly anticipated decisions. First, in Tims v. Black Horse Carriers (2023 IL 127801), the Court held that the “catch-all” five-year statute of limitation under 735 ILCS 5/13-205 applies to all BIPA claims, as opposed to the one-year limitation period provided under 735 ILCS 5/13-201. Two weeks later, in Cothron v. White Castle (2023 IL 128004), the Court held that a claim under BIPA accrues each time a person scans or otherwise transmits biometric information.

While the White Castle decision initially reverberated through Illinois businesses facing potential exposure under BIPA, a careful examination of the ruling offers guidance and optimism for businesses navigating their defenses. At a point where many in the plaintiffs’ bar were ready to seize on separate $1,000 (negligent) or $5,000 (reckless/intentional) statutory damages for each scan, the high court reminded and acknowledged that a trial court has the power to fashion a damage award that fairly compensates the class and deters future violations without destroying a defendant’s business. 2023 IL 128004, ¶ 42. The majority seems to advocate for a sensible approach to damages under the statute, recognizing necessity for robust incentives for compliance while emphasizing that “the General Assembly chose to make damages discretionary rather than mandatory under the Act” and underscoring that “there is no language in the Act suggesting legislative intent to authorize a damage award that would result in the financial destruction of a business.” Id.

Although the majority’s decision held that a statute should be adopted “even though the consequences may be harsh, unjust, absurd or unwise,” id. ¶ 40, the Illinois Supreme Court, like state and federal courts throughout the country, has applied a contrary rule known as “the absurdity doctrine,” which holds: “[w]e will not make any determination that will construe an act of the legislature so as to lead to absurd, inconvenient or unjust consequences.” Loyola Academy v. S&S Roof Maintenance, Inc., 146 Ill. 2d 263, 273 (1992), citing McCastle v. Sheinkop, 121 Ill. 2d 188, 193 (1987); see also Evans v. Cook County State’s Attorney, 2021 IL 125513, ¶ 27 (“Statutes must be construed to avoid absurd or unjust results.”) (emphasis added), citing People v. Hamma, 207 Ill. 2d 486, 498 (2003). Citing this fundamental rule of statutory construction, the dissenting opinion in Cothron argued that the legislature could not have intended to impose punitive, crippling liabilities on businesses “wildly exceeding any remotely reasonable estimate of harm.” Cothron, ¶ 63. In response, the majority held that the risk of such “absurd” consequences is overblown. Accordingly, the most reasonable interpretation of Cothron’s holding is not that it embraces or invites absurd results, but that it requires trial courts applying BIPA’s non-mandatory damages provision to fashion appropriate remedies that are fair, equitable and suited to the circumstances of each case. The majority also makes clear that such damages should be tailored to deter future violations “without destroying defendant’s business.” Id., ¶ 42.

The White Castle decision firmly underscores the discretionary nature of damages under BIPA, emphasizing the importance of proportionality. However, Illinois businesses shouldn’t hold out hope that a jury will be so mindful. In recent years, businesses have achieved success by strategically leveraging applicable exemptions, and the Illinois Supreme Court’s recent recognition for certain exemptions, further underscores the need for businesses in Illinois to thoroughly explore every available avenue for exemptions. Therefore, it’s imperative for Illinois businesses to meticulously examine and leverage any relevant exemptions to navigate the challenging landscape of BIPA.

Health Care Worker Medical Exemption

At the end of 2023, the Illinois Supreme Court issued a rarity – a favorable decision for Illinois medical providers defending against BIPA lawsuits. On November 30, 2023, the high court delivered a long-awaited ruling in Mosby v. The Ingalls Memorial Hospital (2023 IL 129081), providing clarity on the protection status of biometric information collected from health care workers under BIPA. The case addressed certified questions relating to whether (1) BIPA applies to health care workers (as opposed to patients) and whether, more narrowly, (2) biometric information collected from a health care worker, when utilized for purposes related to health care treatment, payment, or operations as defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), falls within BIPA’s purview. Id., ¶ 1. Answering both certified questions in the affirmative, the Court’s decision established that when health care worker data is gathered for HIPAA-defined health care activities, it is exempt from BIPA protection. Id., ¶ 59.

In Mosby, nurses brought forth a putative class action, alleging that their biometric information was collected for identification purposes before administering medication to patients through use of an automated medication dispensary system. Id., ¶ 5. Both the trial court and the Illinois Appellate Court had previously determined that these collections were subject to BIPA, contending that BIPA’s exclusions for activities “under HIPAA” were primarily designed to safeguard patient data, not data pertaining to health care workers. Id., ¶¶ 7-8.

BIPA’s relevant exception states: “Biometric identifiers do not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996.” Id., ¶ 35. The Court, reversing the trial and appellate courts, applied principles of statutory construction, and emphasized that the use of the term “information” at the beginning of both phrases, separated by the disjunctive “or,” implied legislative intent to exclude two distinct categories of information. Id., ¶¶ 41-42, 52. Furthermore, the Court clarified that the term “under HIPAA” defined the scope of “health care treatment, payment, or operations” and that these terms pertained to activities performed by health care providers, not patients. Id., ¶ 53.

Nevertheless, the Court emphasized that it did not establish a sweeping, categorical exclusion of biometric identifiers from health care workers. Id., ¶ 57. Instead, the exclusion applied only when such information was collected for health care treatment, payment, or operations under HIPAA. Id. The extent to which lower courts will interpret and apply the Mosby decision, particularly in contexts beyond medication dispensing (i.e. time clock medical cases), remains a topic for future debate, and potentially another appellate review.

Union Exemption

Last year, the Illinois Supreme Court also gave employers a favorable decision when it decided that Section 301 of the Labor Management Relations Act (LMRA) preempts BIPA claims brought by bargaining unit employees covered by a collective bargaining agreement (CBA) where there is a broad management rights clause.

In Walton v. Roosevelt University (2023 IL 128338), the plaintiff alleged that he was required to scan biometric identifiers for timekeeping without being given notice and providing written consent, as required under BIPA. The trial court rejected Roosevelt University’s argument that the plaintiff’s claims were preempted by Section 301 of the LMRA. The Illinois Appellate Court reversed the trial court, relying on a 2021 Seventh Circuit BIPA decision in Fernandez v. Kerry, Inc., 14 F.4th 644, 646 (7th Cir. 2021), and explained that “when the employer invokes a broad management rights clause from a [CBA] in response to a [BIPA] claim, the claim is preempted because it requires an arbitrator to determine whether the employer and the union bargained about the issue or the union consented on the employees’ behalf.” See 2022 IL App (1st) 210011, ¶ 19.

Affirming the appellate court’s decision, the Illinois Supreme Court held that, “[g]iven the language in the CBA and the LMRA, it is both logical and reasonable to conclude any dispute [under BIPA] must be resolved according to federal law and the agreement between the parties. Therefore . . . we defer to the uniform federal case law on this matter and find that when an employer invokes a broad management rights clause from a CBA in response to a [BIPA] claim brought by bargaining unit employees, there is an arguable claim for preemption. Accordingly, because we do not believe the federal decisions were wrongly decided, and here the CBA contained a broad management rights clause, we find Walton’s [BIPA] claims are preempted by the LMRA.”

Although the ruling doesn’t entirely prohibit a BIPA claim by a bargaining unit employee under a CBA, Walton confirms the legitimacy of a preemption defense for employers who have established CBAs with expansive management rights clauses that may encompass mandated actions pertaining to BIPA claims. In such cases, employee claims under BIPA must adhere to the procedures specified in the relevant CBA, potentially involving individual private arbitration rather than class-wide proceedings.

Virtual Try-On Medical Exemption

As the plaintiffs’ bar continued to find creative ways to move beyond time clock BIPA cases, one trend included targeting businesses offering virtual try-on features for consumers to try various products at home, including glasses and makeup, through the use of a consumer’s computer or phone camera. But in September 2022, the court held in Svoboda v. Frames for America, Inc. (2022 WL 4109719 (N.D. Ill. Sept. 8, 2022)), that BIPA did not regulate the virtual try-on tool in this instance because it fell under the statute’s health care exemption.

Frames for America, Inc., which operates FramesDirect.com (an online platform selling prescription and non-prescription eyewear), offered a virtual feature on its website that allowed consumers to digitally try on glasses or sunglasses. The plaintiff alleged that Frames for America utilized software to scan a consumer’s facial geometry from a uploaded photograph and then digitally superimposed the eyewear on the consumer’s face. Id. at *1. Applying the same crucial exemption as in Mosby, the court dismissed the plaintiff’s complaint, reasoning that she qualified as a “patient receiving a health care service in a health care setting” when using the virtual try-on tool. Id. at *3. Even though the plaintiff did not seek medical treatment, consult an eye doctor, or make a purchase during the virtual try-on experience (id. at *1), the court concluded that “prescription lenses, non-prescription sunglasses, and frames meant to hold prescription lenses are all Class 1 medical devices.” Id. at *2. Consequently, the court held that the plaintiff “would have received a health care service had she purchased the glasses….” Id. Drawing an analogy, the court equated the virtual try-on feature in this case to services offered in optometrists’ offices. Id.

Illinois businesses providing a virtual try-on tool must meticulously assess the applicability of the medical exemption, particularly in situations where a potential connection can be argued between the product offered and a medical service. This careful analysis is crucial to navigate the complex regulatory landscape and ensure compliance, or exemption, with relevant statutes.

State Contractor Exemption

BIPA explicitly states that private entities that are “a contractor, subcontractor, or agent of a State or local unit of government when working for that State agency or local unit of government” are not subject to its mandates. (BIPA, Section 25(e)). While the exemption for state contractors under Section 25(e) has not been extensively explored by reviewing courts, the sole appellate decision addressing this provision, in Enriquez v. Navy Pier, Inc., clarifies that an entity qualifies for exemption if it meets three criteria: (1) it is a contractor, (2) of a unit of government, and (3) was working for that unit of government when collecting or disseminating biometric information. 2022 IL App (1st) 211414-U, ¶ 19, appeal denied, 201 N.E.3d 582 (Ill. 2023).

This interpretation aligns with previous rulings by trial courts, as exemplified in Thornley v. CDW-Government, LLC, 2022-CH-04246 (Cir. Ct. Cook Cty., Ill. June 25, 2001). The court in Thornley dismissed a class action lawsuit, reasoning that Section 25(e) of BIPA is straightforward and unambiguous. According to the court, the term “working” is commonly understood to mean “relating to or designating one that works,” leading to the conclusion that Section 25(e) applies to “one whom a state agency or local unit of government engages to … provide services….” The appellate court’s ruling in Enriquez not only affirms this interpretation but also provides a comprehensive analysis and a clear roadmap for businesses contracted to provide services for a state agency or local unit of government seeking to assert a defense under BIPA.

Financial Institution Exemption

According to Section 25(c) of BIPA, the provisions of the Act do not apply “in any manner to a financial institution or an affiliate of a financial institution that is subject to Title V of the federal Gramm-Leach-Bliley Act of 1999 [GLBA] and the rules promulgated thereunder.” In a notable 2022 case, DePaul University successfully had a BIPA class action lawsuit dismissed by invoking this financial institution exemption. The plaintiff had alleged that the university violated BIPA by using an online remote proctoring tool that purportedly captured, collected, and stored plaintiff’s biometric information. Powell v. DePaul Univ., 2022 WL 16715887, at *1 (N.D. Ill. Dec. 6, 2022).

DePaul University argued that its participation in U.S. Department of Education’s Federal Student Aid Program qualified it as a financial institution under the GLBA. Id. Supporting its stance, DePaul highlighted the acknowledgment by both the Federal Trade Commission (FTC) and the Department of Education that universities fall under the definition of financial institutions as per the GLBA. Id. Moreover, DePaul emphasized that rulemaking authority for Title V lies with the Consumer Financial Protection Bureau, which adopted and republished the privacy rules initially promulgated by the FTC. Id. at *2. According to the FTC rules, any institution “significantly engaged in financial activities” is considered a financial institution. Id. The court sided with DePaul, concluding that BIPA’s Section 25(c) applies to higher education institutions. The court was swayed by DePaul’s reliance on the FTC’s consistent and reasoned interpretation of the GLBA it administers. Id.

Despite being in the context of higher education, this decision should prompt any Illinois business facing BIPA claims to carefully analyze its reporting obligations and affiliations to determine whether they are in fact subject to Title V of the GLBA, and/or the rules promulgated thereunder.


Aside from analyzing compliance with and exposure under BIPA, Illinois businesses should be mindful of the everchanging landscape of the statute as lawsuits continue to progress. Businesses falling short of compliance standards should thoroughly examine whether any applicable BIPA exemptions may provide relief.

For further information, or to initiate a comprehensive review and audit of your BIPA compliance, feel free to reach out to Kristine Argentine, National Chair of Seyfarth Shaw’s Consumer Class Action Defense Practice Group, or Paul Yovanic, a seasoned BIPA litigator and counselor within the practice group.

With so many companies being hauled into court in California based on claims that the functionalities on their website and use of service providers for marketing or analytics purposes violate consumer privacy rights, it is important to exhaust all possible defenses available to defendants. Late last year, the Ninth Circuit issued a ruling upholding a dismissal based on a lack of personal jurisdiction over a web-based payment company. Companies operating interactive websites may be able to take advantage of this ruling as part of their defense strategy in 2024.

In Briskin v. Shopify, Inc., the plaintiff sued Shopify in California in a putative class action alleging that its collection, retention, and use of consumer data obtained from persons who made online purchases violated various California privacy and unfair competition laws. 87 F.4th 404 (9th Cir. Nov. 28, 2023). The district court dismissed plaintiff’s complaint based on a lack of specific jurisdiction over the defendant, and the Ninth Circuit affirmed. Id.

The plaintiff conceded that there was no general jurisdiction over Shopify because it was neither incorporated nor maintained a principal place of business in California, but argued that Shopify was subject to specific jurisdiction based on its contractual relationships with California merchants, its operation of one physical location in California, and its knowledge that California residents were being potential injured based on the allegations. Id. at 409-10. The Ninth Circuit conducted an in-dept analysis of specific jurisdiction as it relates to claims that involve interactive websites. The court noted that in order for specific jurisdiction to exist, the defendant must either purposefully direct its activities toward the forum or the claim must be one that arises out of or relates to the defendant’s forum related activities. Id. at 411. The court found that while Shopify committed an intentional act and caused harm it knew was likely to be suffered in the forum state, there was no conduct which Shopify “expressly aimed at the forum state” to create specific jurisdiction. Id. at 412.

In conducting this analysis, the court isolated the activities relevant to the specific jurisdiction analysis: Shopify’s alleged collection, retention and use of consumer data obtained from online purchases processed through its platform. Id. at 415. Thus, the key issue was whether Shopify’s web-based processing service is expressly aimed at California in any way. Id. The court relied on precedent involving out-of-state interactive websites finding those cases to be the most analogous to this “novel” issue. Id. at 415-20. The court noted that operation of an interactive website does not, by itself, establish express aiming but there must be something more. Id. at 418. That is, “when the website is the only jurisdictional contact, [the] analysis turns on whether the site had a forum specific focus or the defendant exhibited an intent to cultivate an audience in the forum” such as through the platform itself having a forum-specific aim, evidence showing that the website appeals to an audience of a particular state, or that the website actively targeted the forum in some way.  Id. at 418-20. In reaching its conclusion, the Ninth Circuit agreed that Shopify’s web payment platform did not have a forum specific focus and is indifferent to the location of the merchant or the end-consumer. Id. at 422-23. While Shopify benefits from consumers who are present in California, that alone does not answer the purposeful direction question because it does not demonstrate “express aiming.”  Id. at 423.

The claims alleged in Briskin are similar to those being asserted against hundreds of retailers alleging violations of various privacy laws including the California Invasion of Privacy Act. Thus, similar to Briskin, personal jurisdiction over companies based outside of California but operating an interactive website that is accessible to California residents should be analyzed under a similar specific jurisdiction framework. This is a defense that may be applicable in these cases and could provide defendants with early relief. With no clear direction being taken yet on as to the merits of these privacy claims and no slowdown in the filings of these claims under evolving theories of privacy violations, a successful personal jurisdiction argument could be an important arrow in the defense bar’s quiver.

This week, Seyfarth attorneys from multiple offices will be attending and presenting at the 2023 Association of National Advertisers Masters of Advertising Law Conference in Orlando, Florida.

On Wednesday, Seyfarth Partners Kristine Argentine (Chicago) and Joe Orzano (Boston) will be presenting alongside in-house counsel on a panel covering the “Effective Collaboration Between Legal and Marketing.” The panel will focus on the effective involvement of both in-house and outside counsel in managing the legal risk of advertising and marketing. The discussion will include hot topics in advertising and marketing, and strategies for managing legal risk in collaboration with the marketing team.

Then on Friday, Kristine Argentine and Senior Associate Paul Yovanic (Chicago) will be hosting a roundtable on “Striking the Right Balance: Biometric Privacy In Virtual Try-On Tools.” Paul and Kristine will lead a discussion about the exciting world of virtual try-on tools and the relevant biometric privacy laws that should be considered when implementing the tools. The discussion will include the potential risks associated with the collection and storage of biometric data, as well as the recent legal authority on virtual try-on tools, and how it should guide retailers in their marketing and advertising efforts.

Seyfarth Shaw’s Consumer Class Action and Product Liability groups have achieved a prestigious ranking in the highly regarded Legal 500 United States 2023 edition, solidifying their reputation as one of the nation’s top legal teams. This recognition reaffirms Seyfarth’s unwavering commitment to excellence in Product Liability, Mass Tort, and Class Action law.

The Legal 500 United States guide lauds Seyfarth’s Consumer Class Action and Product Liability practices for their exceptional professionalism and meticulous attention to detail. The guide highlights their ability to consider cost sensitivity while providing insightful advice, ensuring informed clients are ultimately empowered to make decisions with confidence. The guide specifically recognizes the exemplary client service demonstrated by Kristine Argentine, Tom Locke, Joe Orzano, William Prickett, Esther Slater McDonald, Giovanna Ferrari, Aaron Belzer, and Renee Appel.

Renowned for its comprehensive coverage of legal services, The Legal 500 United States is an esteemed and independent guide that offers authoritative assessments of law firms. Its rigorous research conducted over the past 12 months recognizes and rewards outstanding in-house and private practice teams and individuals. The inclusion of Seyfarth Shaw’s Consumer Class Action and Product Liability groups in these rankings reflects their status as trusted authorities in Product Liability, Mass Tort, and Class Action law. Through their unwavering dedication to providing exceptional legal counsel, clear communication, and efficient service, Seyfarth continues to serve as a valuable partner for companies seeking comprehensive Product Liability, Mass Tort, and Class Action service offering and strategic guidance in today’s fiercely competitive business landscape.