This post was originally published on Seyfarth’s Gadgets, Gigabytes & Goodwill blog.

A recent motion for preliminary approval of a class action settlement filed in federal court in Georgia will bring to a close claims asserted on behalf of a class of Porsche owners for a purportedly botched over-the-air (“OTA”) software update sent to their vehicles. But a recent decision by a California federal court suggests that manufacturers may be able to avoid claims for violation of the Computer Fraud and Abuse Act (“CFAA”) so long as they do not “blatantly misdescribe” the OTA updates they transmit to vehicle owners. Taken together, these cases signal the challenges automakers will face in defending software malfunction cases and the benefits of robust disclosure when transmitting OTA software updates.

Proposed Settlement in Bowen

In Bowen v. Porsche Cars, N.A., Inc., filed in the U.S. District Court for the Northern District of Georgia in January 2021, the owner of a 2011 Porsche vehicle filed suit based on a claim that a signal transmitted by Sirius XM Radio and “facilitated” by Porsche during a 2020 Memorial Day weekend promotional campaign caused a serious malfunction in the “infotainment” system of his vehicle. According to the complaint, an OTA software update to the Porsche Communications Management (“PCM”) unit in the vehicle caused the PCM to “continuously reboot,” causing a range of problems including malfunction of the system and draining the vehicle’s battery.

In a September 2021 order, the court granted Porsche’s motion to dismiss claims for negligence and unjust enrichment, but found that Porsche must answer the vehicle owner’s claims for violation of the CFAA and trespass to personality. The court found that “[t]he intent element under the CFAA requires merely that access to a computer system not be a careless or inadvertent mistake,” so that “either directly sending or facilitating the transmittal” of OTA updates could trigger liability.

The unopposed motion for preliminary approval, filed by plaintiff vehicle owners in the Bowen case in January 2023, calls for the certification of a class of “entities and individuals in the United States who, as of May 20, 2020, owned or leased . . . any Porsche vehicle equipped with an XM radio antenna and PCM 3.1 which is the sole PCM model to have been impacted by the rebooting at issue).” The proposed settlement requires Porsche to fund up to $7,500 in repairs per affected vehicle; provide compensation for class members who have already paid out-of-pocket for repairs; and give owners who have not yet been able to obtain satisfactory repairs the ability to do so for up to a year after approval of the settlement. Porsche also agreed to pay up to $1,975,000 in attorneys’ fees and another $75,000 in costs. In their motion for preliminary approval, the plaintiff vehicle owners argued that “this relief approaches—and in some ways may exceed—the level of compensation that realistically may have been obtainable after a successful trial.”

Other OEM Has More Success on Motion to Dismiss

Another major auto manufacturer recently faced a CFAA lawsuit based on faulty OTA software updates, but succeeded in disposing of the case on a motion to dismiss. In that case, a putative class action filed in the U.S. District Court for the Central District of California in January 2021, the plaintiff vehicle owners claimed that the manufacturer had manipulated their vehicle batteries through unauthorized software updates that resulted in diminished battery capacity in violation of the CFAA, as well as breach of warranty in violation of the federal Magnuson-Moss Warranty Act and California’s Song-Beverly Act.

In a May 12, 2022 order granting the manufacturer’s motion to dismiss, the court rejected the CFAA claim on several grounds. See Fish, 2022 WL 1552137 (C.D. Cal. May 12, 2022). First, the court held the vehicle owners failed to plead the requisite $5,000 in damages within the “narrow conception of loss” under the CFAA, which confines losses to the reasonable costs to restore a system to its condition prior to the offense. But the vehicle owners had alleged only that the manufacturers OTA update had purportedly diminished the value of the battery system, not that they actually incurred any costs in attempting to repair the alleged damage.

Second, the court addressed the meaning of “unauthorized access” in the context of the CFAA, and explained that the concept of exceeding authorized access “does not apply to individuals with improper motives who simply utilize access that is ‘otherwise available to them.’” Because the manufacturer had unfettered access to the vehicle owners’ media control units and batteries, “the fact that [the manufacturer] allegedly damaged these systems without [the owners’] consent is irrelevant.” The court left room for claims under the CFAA where a manufacturer is alleged to have “blatantly misdescribed the nature of the . . . updates,” but noted that the plaintiff vehicle owners in that case had failed to do so.

Key Takeaways

Both Bowen and Fish effectively were resolved at the pleading stage on motions to dismiss. In Bowen, the manufacturer settled after an unsuccessful loss on a motion to dismiss, presumably due to the cost of defense and risk of loss given the potential size of the putative class. But the Fish case suggests that manufacturers may be able to score early victories and avoid liability through robust disclosure to vehicle owners concerning OTA software updates prior to installation of those updates.

Seyfarth continues to be on the forefront of issues involving the Illinois Biometric Information Privacy Act (“BIPA”). On February 10, 2023, Seyfarth attorneys Paul Yovanic and Kristine Argentine published an in-depth analysis of the current trends in BIPA litigation and what to expect for 2023 on Bloomberg Law.

The article, examines the recent Illinois Supreme Court Tims decision applying a 5 year statute of limitations to all BIPA claims and the anticipated Illinois Supreme Court decision in White Castle which is expected to address the issue of when a violation accrues under the statute. The article also discusses what businesses and the legal community should expect in 2023 with respect to BIPA claims and viable defenses.

After years of litigation in federal courts across the country over purported Telephone Consumer Protect Act (TCPA) violations, there has been a recent shift in focus to what is known as mini-TCPAs being enacted by state legislatures which seek to regulate intrastate telemarketing communications. In particular, dozens of putative class actions have been filed over the last several weeks in Florida alleging violation of the Florida Telephone Solicitation Act, Florida’s mini-TCPA. Amendments to the Florida Telephone Solicitation Act went into effect July 1, 2021 and included an expansive definition of “automated dialers;” new restrictions for prior express written consent for all telephonic sales calls using an automated system; and a private cause of action that allows recovery of at least $500 per violation.

Because the TCPA does not preempt state laws that are intended to be more protective than the TCPA, businesses utilizing calling campaigns which send marketing calls or text directly to consumers in states such as Florida need to be mindful of these additional regulations. Moreover, Florida courts have been hesitant to dismiss claims under the Florida Telephone Solicitation Act leaving little guidance as to how exactly the definitions and provisions of this statute will be interpreted.

Businesses should note, however, that a clear and conspicuous arbitration provision will likely be enforced, which can limit the exposure to putative class actions. In Kravets v. Anthropologie, Inc., the Southern District of Florida court granted a motion to compel arbitration where the agreement to arbitration was present in the Text Terms and Conditions which were linked in advertisement where the consumer signed up for the company’s text messaging program. Specifically, the court found that because the Text Terms were listed above the “GET FREE SHIPPING NOW when you sign up for email and texts” button and we bold and underlined links, they were sufficient to put the consumer on notice of the arbitration provision and by clicking the button the consumer was assenting to the Text Terms. No. 22-cv-60443, 2022 WL 1978712 (S.D. Fla. June 6, 2022). Likewise, in a recent decision, the Southern District of Florida again granted a motion to compel arbitration in a case involving claims under the Florida Telephone Solicitation Act finding even where the defendant had already filed an answer, the court entered a scheduling order, and the parties filed a joint notice of a mediator selection. Roger Amargos v. Verified Nutrition LLC, No. 22-cv-22111, 2023 WL 1331261 (S.D. Fla. Jan. 31, 2023).

While the Florida Telephone Solicitation Act has been the focus as of late, other state legislatures have either passed or proposed similar statutes with private rights of action which will likely lead to further litigation. On June 9, 2022, Washington passed its own mini-TCPA and November 1, 2022, Oklahoma’s Telephone Solicitation Act took effect. Both resemble the Florida Telephone Solicitation Act but have their own unique provisions and restrictions that businesses need to be aware of when engaging in marketing campaigns through call or text. Additionally, Georgia has a pending bill that remains viable to be enacted during the 2023 legislative session and would potentially allow civil litigants to recovery $1000 per violation and Maryland has proposed a Mini-TCPA bill with a proposed effective date of October 1, 2023.

In light of the rapid changes to the legal landscape governing marketing campaigns using call and text technology, businesses need to re-analyze their procedures to ensure compliance with not only the TCPA but also these state laws. Seyfarth will continue to monitor these changes in law and the case law that develops.

Last year was significant in Illinois Biometric Information Privacy Act (BIPA) litigation, primarily because of the many ‘firsts’ that resulted, including the first-ever BIPA trial that resulted in a staggering judgment of $228 million for 45,600 reckless/intentional violations of the statute. But aside from the jaw-dropping verdict and the Illinois Supreme Court’s decision in early 2022 holding that BIPA is not preempted by the Illinois Workers’ Compensation Act, not all decisions last year were discouraging for those defending BIPA lawsuits. Below we discuss a few of the important defense-friendly decisions from last year’s consumer-side BIPA lawsuits that will shape how businesses defend and plaintiffs prosecute BIPA actions in 2023 and beyond.

Virtual try-on tools can be exempt from BIPA under the “health care exemption.”

As the plaintiffs’ bar finds creative ways for BIPA’s applicability, we have seen a recent trend of lawsuits against businesses offering virtual try-on features for consumers to try various products at home, including glasses and makeup, through the use of a consumer’s computer or phone camera. But in September, the court held in Svoboda v. Frames for America, Inc., 21-C-5509, 2022 WL 4109719 (N.D. Ill. Sept. 8, 2022), that BIPA did not regulate the virtual try-on tool in this instance because it fell under the statute’s “health care exemption.”

Frames for America, Inc. sells prescription and non-prescription eyewear through its website FramesDirect.com, and consumers can use a virtual feature to try on glasses or sunglasses through its website. According to the complaint, the plaintiff alleged that Frames for America used software to scan a consumer’s facial geometry from a photograph uploaded by the consumer and then digitally placed the eyewear over the consumer’s face. Id. at *1. While there are only a few exemptions, BIPA contains an exemption for “information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment or operations under the federal Health Insurance Portability and Accountability Act of 1996.” See 740 ILCS 14/10.

The court dismissed the plaintiff’s complaint, holding that she “was a patient receiving a health care service in a health care setting” when she used the virtual try-on tool. Id. at *3. Even though she did not request any medical treatment, consult an eye doctor, or ultimately purchase any eyewear (id. at *1), the court concluded that “prescription lenses, non-prescription sunglasses, and frames meant to hold prescription lenses are all Class 1 medical devices.” Id. at *2. Therefore, “[e]ven if she did not personally consult with any trained or licensed professional, [plaintiff] would have received a health care service had she purchased the glasses ….” Id. In as much, the court analogized the virtual try-on feature in this case to services similarly offered in optometrists’ offices. Id.

Universities are exempt from BIPA under the “financial institution exemption.”

In Powell v. DuPaul Univ., No. 21-cv-3001, 2022 WL 16715887 (N.D. Ill. Dec. 6, 2022), the plaintiff alleged that the university violated BIPA by using an online remote proctoring tool that captured, collected, and stored his biometric information and identifiers. Id. at *1. The plaintiff further alleged that the university collected his biometric data without providing notice, obtaining consent, or disclosing how long the data would be retained before it was permanently destroyed. Id.

In its Rule 12(b)(6) motion to dismiss, DePaul maintained that it is a financial institution under BIPA and thereby exempt from the statute under Section 25(c). Here, DePaul relied upon the express terms of BIPA, which states explicitly that the Act does not apply to financial institutions subject to Title V of the Gramm-Leach-Bliley Act (“GLBA”). Id. at *1. Pointing out that it participates in the U.S. Department of Education’s Federal Student Aid Program, DePaul reasoned that it is therefore considered a financial institution subject to Title V of the GLBA. Id. To further its position, DePaul noted that both the Federal Trade Commission (“FTC”) and the Department of Education (“DOE”) recognize that universities are considered financial institutions under the GLBA and that Title V rulemaking authority lies with the Consumer Financial Protection Bureau (“CFPB”), which adopted and republished the privacy rules initially promulgated by the FTC. Id. at *2. There, the FTC rules state that any institution “significantly engaged in financial activities” is considered a financial institution. Id.

The court agreed with DePaul and determined that section 25(c) of BIPA applies to higher education institutions. The court was notably persuaded by DePaul’s reliance on the FTC’s position because it evidenced a longstanding, consistent, and well-reasoned interpretation of the GLBA it was tasked to administer. Id. at *2. Moreover, documents supporting DePaul’s motion further established that it “engage[d] in student aid and lending funds,” making it a financial institution subject to Title V of the GLBA and exempt from BIPA. Id. at *3. The court also pointed to many other 2022 decisions (and one late 2021 decision) that take a consistent position — that the financial institution exemption of BIPA applies to higher education institutions. Id., citations omitted.

A business may not be held liable under BIPA where there is no showing of acquisition of biometric data in Illinois.

In Vance v. Microsoft Corp., 20-1082, 2022 WL 9983879 (W.D. Wash. Oct. 17, 2022), plaintiffs were longtime Illinois residents who, beginning in 2008, uploaded digital photographs, including photos of themselves, to Flickr, a photo-sharing website. Id. at *1. In 2014, Yahoo!, Flickr’s then-parent company, publicly released a dataset of about 100 million photographs uploaded to Flickr’s website in the past decade. Id. To study fairness and accuracy in facial recognition technology, researchers working with IBM used one million photos from the released dataset to develop the Diversity in Faces Dataset (the “DiF Dataset”). Id. at *2. In 2019, two individuals affiliated with Microsoft downloaded the DiF Dataset. Id. The first individual, a consultant hired by Microsoft to assist with evaluating facial recognition technology, downloaded the DiF Dataset while in Washington State. Id. at *2-3. The other individual was a student intern for Microsoft who downloaded the DiF Dataset in New York to assist with her research on facial recognition facial systems. Id. at *3-5. Even though Microsoft’s two agents downloaded the DiF Dataset outside of Illinois, the plaintiffs brought the class action in a federal court in Washington state alleging that Microsoft’s data management process involved saved data being “chunked (i.e., divided into non-overlapping packets of data bits),” encrypted, and stored in a data center in Chicago, Illinois. Id. at *3.

All of the claims went to summary judgment, and Microsoft argued that plaintiffs’ BIPA claims failed because the statute cannot apply to conduct outside Illinois. Id. at *5. Thus, applying BIPA to Microsoft’s conduct outside of Illinois would violate the Commerce Clause of the United States Constitution. Id. Under Illinois law, a “statute is without extraterritorial effect unless a clear intent in this respect appears from the express provisions of the statute.” Id. at *6, citation omitted. Microsoft asserted that Illinois’ extraterritoriality doctrine bars plaintiffs’ BIPA claims because none of its conduct relating to those claims took place in Illinois. Id. at *6. Instead, the relevant conduct — downloading, reviewing, and evaluating the DiF Dataset — took place in Washington and New York. Id. Therefore, Microsoft argued that the plaintiffs cannot prove that its conduct occurred “primarily and substantively in Illinois.” Id., citation omitted.

The court granted summary judgment in favor of Microsoft in its entirety and, concerning the BIPA claims, held that even if Microsoft stored “chunked” and encrypted copies of the DiF Dataset on a cloud server in Illinois, “the relevant section of BIPA regulates only the acquisition of data, rather than the encrypted storage of data after it is acquired. Id. at *7, citing BIPA § 14/15(b). Pointedly, the court held that plaintiffs “have not identified any other relevant conduct by Microsoft that took place either primarily or substantively in Illinois. Id. The plaintiffs’ key argument in its opposition was reliance upon various high-profile BIPA cases, including the In re Clearview multi-district litigation, Rivera v. Google, and Monroy v. Shutterfly, to argue that claims relating to photos taken and uploaded to the internet in Illinois survived the extraterritoriality doctrine. Id. The court readily distinguished those cases by highlighting that, in each instance, “the plaintiffs alleged that the defendant itself reached into Illinois to collect their photographs, scan the photographs, and/or generate facial measurements or templates for use in facial recognition systems without the plaintiffs’ consent” Id. Therefore, and not having to address the Commerce Clause argument, the court concluded that “any connection between Microsoft’s conduct and Illinois is too attenuated and de miminis for a reasonable juror to find that the circumstances underlying Microsoft’s alleged BIPA violation ‘occurred primarily and substantively in Illinois.'” Id. at *8.

Plaintiffs are not entitled to nationwide discovery for BIPA claims.

The In re Clearview AI, Inc. multi-district class action, No. 21-cv-135 (N.D. Ill.), is a consolidated lawsuit alleging that Clearview violated BIPA and California and New York laws through its development and use of facial recognition technology. Specifically, the plaintiffs’ complaint alleges that Clearview “covertly scraped billions of photographs of facial images from the internet and then used artificial intelligence algorithms to scan the face geometry of each individual depicted in the photographs to harvest the individuals’ unique biometric identifiers and corresponding biometric information.” Id. at Dkt. 272, p. 1. Retail giant Macy’s is the lone retail defendant in the lawsuit and is alleged to have used Clearview’s database over 6,000 times, each time uploading an image to the database to search for a match. Id. at p. 2.

In June, a discovery dispute arose between plaintiffs and Macy’s after Macy’s limited its discovery responses to activities taking place in Illinois, New York, and California. Dkt. 361, p. 7. Plaintiffs argued that Macy’s limitation was improper because “regardless of whether Macy’s, Inc. performed the search from a store in Texas, Alabama, Delaware or any other location … each such search necessarily involved Plaintiffs’ and class members’ biometrics and possibly resulted in their images being returned as search results.” Id. In response, Macy’s argued that it is only defending state law claims arising under Illinois, New York, and California laws, and its alleged activities and conduct outside those states is irrelevant. Dkt. 378, p. 2. Macy’s further argued that “[p]laintiffs’ request is an attempt to investigate over five-hundred Macy’s store locations, in forty-three jurisdictions that are not at issue in this litigation.” Id.

The court agreed with Macy’s — that its limitation to discovery in only Illinois, New York, and California is appropriate, “given that [p]laintiffs’ current claims are predicated solely on the state laws of those three states.” Dkt. 388, citing Miner v. Gov’t Payment Serv., Inc., No. 14-cv-7474, 2017 WL 3909508, at *5 (N.D. Ill. Sept. 5, 2017) (“[T]he factual allegations of the [putative class action] complaint, confined as they are to Cook County transactions, do not support discovery as to any other counties.”). The court further agreed that requiring Macy’s “to gather discovery for its stores located in forty-three other jurisdictions where [p]laintiffs do not allege claims would be unreasonably burdensome.” Id.


As evidenced above, the BIPA landscape continues to take shape, and 2022 provided substantive decisions to help businesses defend against BIPA class actions moving forward. From a pleading perspective, companies need to understand the type of biometric information at issue in the lawsuit, how it is obtained, and how the technology is described and plead in the complaint. In addition to essential compliance, including providing a publicly available retention schedule, written notice, and obtaining written consent, businesses using biometric technology should also consider auditing their technologies to determine whether any exemptions to BIPA are applicable. While an audit will not eliminate the possibility of a lawsuit, it will allow businesses to analyze potential defenses and take cost-effective measures.

In the third annual installment of Seyfarth Shaw’s Commercial Litigation Outlook, our nationally-recognized team provides insights about litigation issues and trends to expect in 2023.

Join us for the first session of our three-part webinar series, where members of our Commercial Litigation practice group will discuss key trends in the commercial litigation space.

Part 1: Commercial Litigation Outlook: Insights and Predictions for Litigation Trends in 2023

Tuesday, February 7, 2023
1:00 p.m. to 2:00 p.m. Eastern
12:00 p.m. to 1:00 p.m. Central
11:00 a.m. to 12:00 p.m. Mountain
10:00 a.m. to 11:00 a.m. Pacific

In the first session of the series, we will provide insight on the tidal wave of ESG demands, reports, and conflicts (legal and otherwise), as well as significant trends, predictions and recommendations in the following areas:

  • Trial Outlook
  • Consumer Class Actions
  • Trade Secrets, Computer Fraud & Non-Competes
  • eDiscovery & Innovation

Speakers

Kristine Argentine, Partner, Seyfarth Shaw
Jay Carle, Partner, Seyfarth Shaw
Rebecca Davis, Partner, Seyfarth Shaw
Dawn Mertineit, Partner, Seyfarth Shaw
Christopher Robertson, Partner, Seyfarth Shaw

Click here to register for the webinar series.

Today, the Illinois Supreme Court issued its much-anticipated decision in Tims v. Black Horse Carriers, which determined whether the one-year or five-year statute of limitation applies to claims filed under the Illinois Biometric Privacy Act. In the landmark decision (found here), the Court veered from the Illinois Appellate Court’s splicing of limitations and claims and decided that the “catch-all” five-year statute of limitation applies to all BIPA claims.

Background

The Tims lawsuit has been pending since March 2019. It is premised on the defendant’s failure to institute a retention schedule available to the public, in violation of Section 15(a) of BIPA, and for obtaining their employees’ biometric data and disclosing it to third parties without first obtaining their written, informed consent, in violation of Sections 15(d) and (b), respectively.

Following the denial of the defendant’s motion to dismiss as untimely, the trial court allowed the defendant to take an interlocutory appeal to settle the issue of which statute of limitation applies to BIPA since the law is silent on the subject. Before the Illinois Appellate Court, the defendant argued that the one-year limitations period for privacy actions outlined in 735 ILCS 5/13-201 should apply. On the other hand, plaintiffs argued that the five-year “catch-all” limitations period contained in 735 ILCS 5/13-205 is more appropriate for actions under BIPA because the legislature did not intend to create a specific or shorter limitation for claims under the statute.

In September 2021, the Illinois Appellate Court complicated matters, agreeing with both parties in part, and decided that the one-year and five-year limitations periods applied to different sections of the Act. See, generally, 2021 IL App (1st) 200563. Specifically, the Appellate Court held that the one-year period under § 13-201 applies to Section 15(c) and 15(d) BIPA claims because those sections involve the “publication” of biometric data, which is a term explicitly used in § 13-201. Conversely, since the Appellate Court found that Sections 15(a), (b), and (e) of BIPA does not involve the publication of an individual’s biometric data, it applied the five-year limitations period from § 13-205 to those sections.

Illinois Supreme Court’s Decision

Having stated at oral argument by Justice Michael Burke that the Illinois Appellate Court’s holding seemed “unworkable,” the Court’s decision to have all BIPA claims fall under a single statute of limitation is no surprise.

For its analysis, the Court started by highlighting that the purpose of a limitations period is “to reduce uncertainty and create finality in the administration of justice” and that “[t]he appellate court’s decision to invoke two different statutes of limitations to different [sections of BIPA] does not align with this purpose.” See, 2023 IL 127801, ¶ 20. In as much, the Court recognized that “[t]wo limitations periods could confuse future litigants about when claims are time-barred, particularly when the same facts could support causes of action under more than one subsection of [BIPA].” Id. Therefore, “applying two different limitations periods or time-bar standards to different subsections of [BIPA] would create an unclear, inconvenient, inconsistent, and potentially unworkable regime as it pertains to the administration of justice for claims under the Act.” Id., ¶ 21.

In arriving at its decision to apply the five-year statute of limitation to all claims under BIPA, the Court first pointed to the statutory construction of the law. There, the Court recognized that the plain language of BIPA is designed to regulate the collection, retention, disclosure, and destruction of biometric identifiers and biometric information. Id., ¶ 29. Therefore, since Sections 15(a), (b), and (e) contain no words that are construed as meaning publication, there was no support that such claims could fall under the limited one-year statute of limitations under § 13-201, thereby agreeing with the Appellate Court’s decision for those claims. Id., ¶ 30. And while the Court recognized that the one-year statute of limitation could be applied to Sections 15(c) and (d), given its publication-esque buzzwords, it referred back to legislative intent and purpose and its unwillingness to split claims like the Appellate Court, holding that “it would be best to apply the five-year catchall limitations period” for BIPA. Id., ¶ 32.

To close out its decision, the Court further pointed to the plain language of § 13-205, which states that “all civil actions not otherwise provided for, shall be commenced within 5 years after the cause of action accrued.” Id., ¶ 34, citing 735 ILCS 5/13-205 (West 2018). The Court further noted, “Illinois courts have routinely applied this five-year catchall limitations period to other statutes lacking a specific limitations period.” Id., ¶ 34. Therefore, the Court reasoned that “because the Act does not have its own limitations period; because subsections are causes of action ‘not otherwise provided for’ [citing the language of § 13-205]; and because we must ensure certainty, predictability, and uniformity as to when the limitations period expires in each subsection,” the five-year statute of limitation under § 13-205 is the appropriate limitation. Id., ¶ 37 (citations omitted).


Today’s decision paints a bleak picture for businesses defending against BIPA lawsuits. In the days and weeks to come, it is expected that many plaintiffs will seek to lift stays and push businesses to litigate or settle their cases. And while today’s decision brings finality to the statute of limitation issue, BIPA largely remains undeveloped. For example, the issue of claim accrual is still pending before the Illinois Supreme Court in Cothron v. White Castle, and a decision is expected later this quarter. Moreover, given the undeveloped nature of the statute, there is no doubt that another issue will arise that needs resolving by the Illinois Supreme Court, which could lead to another round of stays as cases progress.

Seyfarth Synopsis: In 2022, the Third Circuit Court of Appeals revived a class action lawsuit asserting violations of the Pennsylvania Wiretapping and Electronic Surveillance Control Act (“WESCA”). The lawsuit alleged that an online retailer and its marketing agency violated WESCA by tracking visitors’ activity on the website through the use of session replay code. Following the Third Circuit’s ruling that WESCA does not contain an exception for direct parties to a communication, plaintiffs across the country have begun filing similar lawsuits against companies whose websites use this type of tracking software. As businesses examine the privacy landscape in 2023, it is important to recognize and monitor this novel legal theory.

What is Session Replay Code?

At the center of this recent privacy trend is a software commonly known as “session replay.” From a high level, session replay is a type of technology that allows companies to track every action that a user undertakes on a website or mobile application. More importantly, though, what sets session replay code apart in the internet marketing space is its ability to recreate a user’s path through the website. As its name suggests, session reply code creates for businesses a visual record of any activity by a user, including their clicks, mouse movements, scrolls, and time spent on the website or application. While session replay does not literally record user’s screen, it reconstructs every user move in a visual manner that many companies find useful for internet marketing and user behavior research.

3rd Circuit Decision Leads to Flood of Wiretapping Lawsuits

One of the early lawsuits related to session replay code is entitled Popa v. Harriet Carter Gifts & Navistone, Inc., No. 2:19-cv-00450 (W.D. Pa.). In this case, the plaintiff alleged that, while she shopped for pet stairs on Harriet Carter Gifts’ website, the company’s marketing agency Navistone secretly “intercepted” her online activity without her consent. The lawsuit, filed on behalf of all Pennsylvania residents who used Harriet Carter’s website and had their data intercepted by Navistone, alleged violations of Pennsylvania’s WESCA (as well as a common law cause of action for invasion of privacy that was later dismissed).

The Pennsylvania District Court initially granted the defendants’ motion for summary judgment, holding the defendants not liable under WESCA because the plaintiff and defendants were direct parties to the communications, and thus could not have “intercepted” the communication. On appeal, a Third Circuit panel reversed that decision, reasoning that WESCA contains no exception from liability for direct parties.

In its motion for summary judgment, the defendants relied on two cases where Pennsylvania courts held that law enforcement officers did not “intercept” communications because they were direct recipients of the communications at issue. According to the Third Circuit, however, these decisions lost their precedential value in 2012 when the Pennsylvania legislature amended WESCA to clarify that the “direct recipient” exception only applies to law enforcement officers with prior approval from a supervisor. The defendants also sought summary judgment on two separate grounds–on jurisdictional grounds because Navistone did not intercept the data in Pennsylvania (but outside of the state), and on the basis that plaintiff consented to any interception by accepting the website’s privacy policy–but the Third Circuit found these issues more appropriate for the District Court on remand.

After the Third Circuit’s decision in Popa, a flood of wiretapping class actions were filed in Pennsylvania. Moreover, because the Third Circuit opted not to opine on the jurisdictional component of Popa, these subsequent complaints have also alleged wiretapping violations against businesses throughout the country (i.e., against businesses in every state).

This decision also fueled the expansion of wiretapping lawsuits under similar state and federal statutes that have spread to numerous states across the country. Plaintiffs also have raised these claims under broader state tort laws and statutes, including the California Invasion of Privacy Act, which allows consumers to recover damages of up to $5,000 per violation.

Implications for Businesses

Session replay lawsuits are flooding courts across the country, and these claims are evolving. Despite the marketing and customer research benefits associated with session replay, businesses using this software should keep a close eye on the privacy space as this trend continues to develop. Businesses everywhere also should pay close attention to their user tracking methods utilized on websites and mobile applications as well as their policies and procedures for consent.

For more information about these wiretapping lawsuits and how this recent privacy trend may affect your business, contact the authors Danielle Kays and James Nasiri, your Seyfarth attorney, or Seyfarth’s Workplace Privacy & Biometrics Practice Group.

Despite its enactment in 2008, the Illinois Biometric Information Privacy Act’s (BIPA) legal standards were largely undeveloped until its emergence to the main stage circa 2017. But with the decisions in Rosenbach v. Six Flags in 2019 (standing) and McDonald v. Symphony in 2022 (workers’ compensation), and the recent $228 million jury verdict against BNSF Railway in the first-ever BIPA trial, we continue to see the BIPA landscape take shape. With more than 250 lawsuits filed in 2022 alone, BIPA litigation shows no signs of slowing down. As we look forward to another busy year of BIPA litigation in 2023, attorneys on both sides of the ‘v.’ eagerly await two critical decisions from the Illinois Supreme Court that could significantly impact pending and future litigation.

Statute of Limitations – decision to be issued on February 2, 2023

Tims v. Black Horse Carriers, Inc. (No. 127801) seeks to resolve the longstanding debate about the appropriate statute of limitations for BIPA actions. Because the law is silent on the issue, the defense bar (including in Tims) argues that the one-year limitations period for privacy actions outlined in 735 ILCS 5/13-201 should apply. On the other hand, plaintiffs argue (like in Tims) that the five-year “catch-all” limitations period contained in 735 ILCS 5/13-205 is more appropriate for actions under BIPA. However, in 2021, the Illinois Appellate Court complicated matters when it decided that the one-year and five-year limitations periods applied to different sections of the Act. See, generally, 2021 IL App (1st) 200563. Specifically, the Appellate Court held that the one-year period under § 201 applies to Section 15(c) and 15(d) BIPA claims because those sections involve the “publication” of biometric data, which is a term explicitly used in § 201. Conversely, since the Appellate Court found that Sections 15(a), (b), and (e) of the BIPA do not involve the publication of an individual’s biometric data, it applied the five-year limitations period from § 205 to those sections.

Given the split among limitations and claims by the Appellate Court, a reversal by the Illinois Supreme Court on any claim could be significant for both plaintiffs and defendants. For example, suppose the Supreme Court decides that a blanketed one-year limitation applies to BIPA claims. In that case, it could significantly reduce the class size of current class actions and certainly result in some time-barred lawsuits. However, the opposite would hold if the Supreme Court decides that a blanketed five-year limitation applies. Indeed, hundreds of BIPA lawsuits have been stayed for more than a year as this issue gets resolved, many with a pending motion to dismiss, raising the statute of limitations issue. Tims was argued before the court in September 2022, and today, the Illinois Supreme Court announced that a decision will come down on February 2, 2023.

Claim Accrual

Cothron v. White Castle (No. 128004) will determine whether claims asserted under 15(b) and 15(d) of BIPA accrue only once upon the initial collection or disclosure of biometric information, or each time a private entity collects or discloses biometric information. While currently before the Illinois Supreme Court, the case is pending in the U.S. District Court for the Northern District of Illinois. Following the district court’s rejection of White Castle’s “one time only” accrual theory at summary judgment, the court found the question close enough to warrant an interlocutory appeal under 28 U.S.C. § 1292(b). During the appeal, the plaintiff asked the Seventh Circuit to certify the question to the Illinois Supreme Court. See 20 F.4th 1156, 1159 (7th Cir. 2021). The Seventh Circuit obliged and directed the Illinois Supreme Court to answer the following question: “Do Section 15(b) and 15(d) claims accrue each time a private entity scans a person’s biometric identifier and each time a private entity transmits such a scan to a third party, respectively, or only upon the first scan and first transmission?” Id. at 1167.

Oral argument before the Illinois Supreme Court in Cothron occurred in May 2022. White Castle argued that a first-scan theory is appropriate because that is when the privacy right is first invaded, and the loss of control occurs. White Castle also stressed that the issue of damages is necessarily intertwined with the issue of accrual and encouraged the court to weigh the consequences of holding that accrual occurs at each collection. Citing proximity to the issue before the court, White Castle suggested that the damages component be analyzed because the only safeguard against future plaintiffs seeking damages on a “per-scan” model are Due Process concerns and the possibility that lower courts may not find such significant awards appropriate. While conceding that Due Process concerns would likely safeguard against a per-scan damages model, the plaintiff argued that White Castle’s view would obviate the need for defendants to course correct and would avoid consequences for existing issues.

Resolution of the claim accrual issue is crucial for BIPA litigation. If the court decides that a claim accrues upon each scan without addressing the damages component, penalties for even the smallest of companies could be astronomical with only a Due Process argument to rely upon. Indeed, if the court does not address the damages component of accrual at this juncture, it will likely result in another round of stays until the issue is decided on a later appeal. A decision on this matter is expected in the first quarter of 2023.

For up to date information on these cases, the Seyfarth Shaw Commercial Consumer Class Action Defense practice group will provide detailed summaries of the decisions as they are released by the Illinois Supreme Court.

Compliance Recommendations

Despite these BIPA issues still up in the air, there are a few basic practices that can already be followed to avoid, or mitigate exposure under the statute:

  1. Maintain a public privacy policy;
  2. Permanently destroy biometric information in a timely manner;
  3. Provide pre-collection notice;
  4. Obtain pre-collection consent;
  5. Maintain security measures to safeguard biometric information;
  6. Strictly prohibit sales and any other form of profiting from biometric information, including for any vendors; and
  7. Obtain vendor compliance with BIPA.

Seyfarth Shaw LLP is an Amlaw 100 firm with a nationally recognized class action defense practice group. For information regarding Seyfarth’s Commercial Consumer Class Action Defense practice group, contact the National Chair, Kristine Argentine, at kargentine@seyfarth.com. Seyfarth is also a leader in BIPA class action litigation and routinely counsels clients on compliance and defense strategies to mitigate exposure from the statute. For more information regarding BIPA compliance or litigation, contact Paul Yovanic, at pyovanic@seyfarth.com.

Seyfarth’s Commercial Litigation practice group is pleased to provide the third annual installment the Commercial Litigation Outlook, where our nationally-recognized team provides insights about litigation issues and trends to expect in 2023.

The continuing global tumult and increasing chances for a recession will weigh heavily on the litigation outlook for 2023. We expect an uneven year where some litigation booms, some busts. As was true last year, the trick to navigating the upcoming challenges will require clients and their counsel to be adaptive, creative, and proactive.

Trends covered in this edition include: Antitrust, Bankruptcy, Consumer Class Actions, Consumer Financial Services Litigation, eDiscovery & Innovation, ESG, Franchise & Distribution, Health Care Litigation, Insurance, International Dispute Resolution, Privacy, Real Estate Litigation, Securities Litigation, Trade Secrets, Computer Fraud & Non-Competes and the Trial Outlook.

Click here to download the 2023 Commercial Litigation Outlook.

Over the term of this Administration, the DOJ and FTC have taken aggressive and novel antitrust positions as it relates to the labor market, launching broad investigations and criminal and civil prosecutions against companies and their employees for alleged labor market allocations, misuse of non-compete and non-solicitation provisions, and wage fixing. The State Attorney General Antitrust Divisions have followed suit investigating and pursuing these claims at the state level. As so often happens, these government investigations and public inquiries then serve as the basis for expansive class actions.

On Episode 33 of Seyfarth’s Health Care Beat Podcast, host Chris DeMeo is joined by Kristine Argentine, partner in Seyfarth’s Chicago office and chair of the firm’s Commercial Consumer Class Action Defense group. Their discussion focusses on a string of recent cases involving the pursuit of employers across the health care industry (and others) for labor-related antitrust violations. Kristine also provides insight on how businesses can protect their investments in personnel, while successfully mitigating the threat of criminal prosecution.

Click here to listen to the podcast.