Seyfarth Synopsis: The U.S. District Court for the Northern District of Illinois recently denied Plaintiff’s motion to reconsider a prior dismissal of his privacy action due to untimeliness.  In a case titled Bonilla, et al. v. Ancestry.com Operations Inc., et al., No. 20-cv-7390 (N.D. Ill.), Plaintiff alleged that consumer DNA network Ancestry DNA violated the Illinois Right of Publicity Act (“IRPA”) when it uploaded his high school yearbook photo to its website. The Court initially granted Ancestry’s motion for summary judgment, finding Plaintiff’s claims to be time-barred under the applicable one-year limitations period.  Upon reconsideration, Plaintiff  – unsuccessfully – made a first-of-its-kind argument that the Court should apply the Illinois Biometric Privacy Act’s five-year statute of limitations to the IRPA.

Background on the Bonilla Lawsuit

Ancestry DNA, most commonly known for its at-home DNA testing kits, also maintains a robust database of various historical information and images.  One subset of this online database is the company’s “Yearbook Database.”  This portion of the website collects yearbook records from throughout the country and uploads the yearbook contents – including students’ photos – to Ancestry.com.  On June 27, 2019, Ancestry DNA uploaded the 1995 yearbook from Central High School in Omaha, Nebraska to its Yearbook Database.

More than a year later, on December 14, 2020, Plaintiff Sergio Bonilla filed a lawsuit against Ancestry DNA over its publication of the Central High School yearbook. Specifically, Plaintiff Bonilla – a current Illinois resident and former student of Central High School whose picture appeared in Ancestry’s database – alleged that Ancestry DNA improperly publicized his private information without obtaining his consent. Plaintiff’s lawsuit asserted violations of the IRPA, as well as a cause of action for unjust enrichment.  Ancestry DNA filed a motion for summary judgment on the basis that Plaintiff’s action was not brought within the requisite one-year limitations period.  The Court agreed, thereby dismissing Plaintiff’s claims.

Court Denies Plaintiff’s Motion for Reconsideration

After the Illinois Supreme Court’s decision in Tims v. Black Horse Carriers (which held that BIPA is subject to a five-year statute of limitations – read our full summary HERE), Plaintiff filed a motion for reconsideration, contending that the Court should actually apply a five-year limitations period to IRPA actions, like it applies to BIPA.  To that end, Plaintiff emphasized that the IRPA (similar to BIPA) does not itself contain a statute of limitations.  Plaintiff also noted that both the IRPA and BIPA derived from legislative concerns centered on Illinois residents’ right to privacy.  Therefore, according to Plaintiff, the IRPA’s legislative purpose would be best served by applying the catch-all five-year limitations period of 735 ILCS 5/13-205. 

On reconsideration, the Court again rejected Plaintiff’s argument.  In its May 23, 2023 decision, the Court first outlined relevant case law precedent, under which the only courts to address this issue previously held that the IRPA’s applicable statute of limitations is one year.  See Toth-Gray v. Lamp Liter, Inc., No. 19-cv-1327, 2019 WL 3555179, at *4 (N.D. Ill. July 31, 2019); see also Blair v. Nevada Landing P’ship, 859 N.E.2d 1188, 1192 (Ill. App. Ct. 2006). 

The Court then analyzed the Tims decision, which held that, “when the law does not specify a statute of limitations, ‘the five-year limitations period applies’ unless the suit is one for ‘slander, libel or for publication of a matter violating the right of privacy.’”  Here, the Court reasoned that an IRPA action squarely falls within the last category identified by the Court in Tims, as IRPA cases necessarily involve alleged violations of a party’s right to privacy.  Finally, the Court rejected Plaintiff’s contention that Tims controls this situation, instead holding that “[u]nlike the BIPA, the IRPA protects the publication of matters related to the right of privacy and, thus, falls under the one-year statute of limitations.”

Implications for Businesses

This decision establishes a welcome pro-business standard in the Illinois privacy law context.  Notably, the Illinois Supreme Court in Tims rejected the defense bar’s argument that BIPA violations were akin to privacy rights violations and subject to the one-year statute of limitations applicable to IRPA claims.  This Ancestry.com decision holds that the converse also is not true.  It is also the first court to reject expansion of the plaintiff-friendly five-year BIPA statute of limitations to claims beyond BIPA.

Though this decision was issued by an Illinois federal court – rather than the Illinois Supreme Court, which decided the recent Tims and Cothron v. White Castle System BIPA cases – it nonetheless offers some privacy protection for Illinois businesses that post or otherwise aggregate third parties’ content or information.  We will monitor whether defendants are able to expand the Bonilla decision into other related privacy law actions, or if Illinois courts will restrict its holding to actions brought under the IRPA.

For more information about the Illinois Right of Publicity Act, the Illinois Biometric Information Privacy Act, or how this decision may affect your business, contact the authors Danielle Kays and James Nasiri, your Seyfarth attorney, or Seyfarth’s Workplace Privacy & Biometrics Practice Group.

On Tuesday, June 13 at 1:00 p.m. Eastern, Seyfarth attorneys Kristine Argentine, John Tomaszewski, and Paul Yovanic will present at the Association of National Advertisers webinar, “Emerging Issues Surrounding Privacy Class Actions and Compliance in 2023.”

This presentation will cover the recent surge in consumer class actions, compliance considerations, and recent developments in the law related to privacy claims, including TCPA and State Mini-TCPAs, the Video Privacy Protection Act, data breach claims, biometric privacy, and claims related to collection of data through google analytics tools, such as chat functions, pixels, and cookies.

For more information and to register, click here.

On April 3, 2023, the CFPB published a new official statement of policy on the authority that Congress passed in the Consumer Financial Protection Act of 2010 (“CFPA”), codified at 12 U.S.C. § 5536(a)(1)(B), banning “abusive conduct” in connection with the offering or provision of consumer financial products or services.  A copy of the new Policy can be found here. It is broad and tilted heavily in favor of consumers.

This is the CFPB’s second effort at promulgating an official statement of policy on abusive acts and practices. On March 11, 2020, the Consumer Financial Protection Bureau (“CFPB”) announced that it was rescinding its January 24, 2020 policy statement, “Statement of Policy Regarding Prohibition on Abusive Acts and Practices,” which was published four days after the Trump administration ended and the Biden administration began.[1]  The CFPB withdrew its prior policy based upon its finding that, “The 2020 Policy Statement was inconsistent with the Bureau’s duty to enforce Congress’s standard and rescinding it will better serve the CFPB’s objective to protect consumers from abusive practices.”[2]  In doing so, the CFPB announced that, “Going forward, the CFPB intends to exercise its supervisory and enforcement authority consistent with the full scope of its statutory authority under the Dodd-Frank Act as established by Congress.” 

Among the highlights:

Under the CFPA, there are two abusive prohibitions. An abusive act or practice: (1) Materially interferes with the ability of a consumer to understand a term or condition of a consumer financial product or service; or (2) Takes unreasonable advantage of:

  • A lack of understanding on the part of the consumer of the material risks, costs or conditions of a product or service;
  • The inability of the consumer to protect the interests of the consumer in selecting or using a consumer product or service; or
  • The reasonable reliance by the consumer on a covered person to act in the interests of the consumer.

The Policy states that unlike with unfairness but similar to deception, abusiveness requires no showing of substantial injury to establish liability, but rather is focused on conduct that Congress presumed to be harmful or distortionary to the proper functioning of the market. The Policy cites as examples omissions that obscure, withhold, de-emphasize, render confusing or hide information relevant to the ability of a consumer to understand terms and conditions (including buried disclosures, physical or digital interference, overshading, and other means of manipulating consumers’ understanding). 

Intent is not a required element to show material interference. Terms regarding pricing or costs, limitations on the person’s ability to use or benefit from the product or service, and contractually specified consequences of default are listed as examples of terms of a transaction that are so consequential that when they are not conveyed to people prominently or clearly, it may be reasonable to presume that the entity engaged in acts or omissions that materially interfere with the consumers’ ability to understand. 

A product or service’s complexity may interference with consumers’ ability to understand if the material information about it cannot be sufficiently explained or if the entity’s business model functions in a manner that is inconsistent with its product’s or service’s apparent terms. And even a small advantage may be abusive if it is unreasonable.

When there are gaps in understanding regarding the material risks, costs, or conditions of the entity’s product or service, entities may not take unreasonable advantage of that gap. “Risks” include but are not limited to the consequences or likelihood of default and the loss of future benefits. Gaps in understanding related to “costs” include any monetary charge to a person as well as non-monetary costs such as lost time, loss of use, or reputational harm. And gaps in understanding with respect to “conditions” include any circumstance, context, or attribute of a product or service, whether express or implicit. For example, “conditions” could include the length of time it would take a person to realize the benefits of a financial product or service, the relationship between the entity and the consumer’s creditors, the fact a debt is not legally enforceable, or the processes that determine when fees will be assessed. 

The lack of understanding can be caused by third parties and can exist even when there is no contractual relationship between the person and the entity that takes unreasonable advantage of the person’s lack of understanding. Further, the Policy does not require that the consumer’s lack of understanding was reasonable to demonstrate abusive conduct. Since there can be differences among consumers in the risks, costs, and conditions they face and in their understanding of them, there may be a violation with respect to some consumers even if other consumers do not lack understanding. Congress has outlawed taking unreasonable advantage of circumstances where people lack sufficient bargaining power to protect their interests. Such circumstances may occur at the time of, or prior to, the person selecting the product or service, during their use of the product or service, or both.

The Policy states that the consumer “interests” include monetary and non-monetary interests, including but not limited to property, privacy, or reputational interests. People also have interests in limiting the amount of time or effort necessary to obtain consumer financial products or services or remedy problems related to those products or services. This includes, but is not limited to, the time spent trying to obtain customer support assistance, according to the Policy. The CFPB’s relatively newfound asserted dominion over customer service, now ensconced in a formal statement of policy, is expected to be particularly contentious with the financial services industry.


[1] https://www.consumerfinance.gov/about-us/newsroom/consumer-financial-protection-bureau-rescinds-abusiveness-policy-statement-to-better-protect-consumers/.

[2] Id.

To borrow a few of the words spoken in 1926 by F. Scott Fitzgerald to Ernest Hemingway in a quite distinct context, securities class action mediations “are different than” mediations of most other lawsuits.

One reason for this difference is that securities cases often have very large amounts of money at stake (hundreds of millions or even billions of dollars are commonly claimed). Furthermore, securities actions are governed by a highly complex body of case law from state and federal courts at all levels, including the Supreme Court, as well as pleading requirements, discovery stays, defenses and other special provisions and procedures that are unique to the Securities and Exchange Act of 1934, the Securities Act of 1933 and the Private Securities Litigation Reform Act. Because of the complexity of the analysis of the laws at issue, the parties often find themselves taking quite different views of the strength of the claims made. This combination of large amounts of money at stake and the complexity of laws at issue frequently results in parties whose settlement positions are far apart.

In addition to the size and complexity of securities cases, securities class actions are often “different” from other cases, because of the sheer number of people, usually with conflicting interests, involved in resolving these cases. Securities litigation commonly involves, not only multiple plaintiffs and multiple defendants, but also multiple insurers providing directors and officers (“D&O”) insurance to some or all of the defendants, in appropriate case securities underwriters and in some unusual cases indemnitors of defendants are also parties to the negotiations. Each of these parties may have multifaceted and distinct interests, which vary even between parties which are in the same category of participant, resulting in inconsistent views of what constitutes a fair settlement.

All of these specialized and challenging circumstances often make securities cases at least unusual and sometimes with unique challenges. They also strongly support the conclusion that they are generally easier to settle in mediation with the unbiased expertise of an experienced independent mediator rather than among the parties alone with their disparate viewpoints and goals. Moreover, each securities class action mediation also comes with its own set of unique challenges.

When to Start Thinking about Settlement and the Value of Undertaking an Early Case Assessment

Settlement discussions may occur at any time during the course of a securities case. Most often, however, the parties wait until after a motion to dismiss is filed, fully briefed and ruled upon by the Court before beginning settlement discussions. This is because securities cases have an approximately 50% dismissal rate. For a defendant in particular this is one overriding reason to wait until a motion to dismiss is decided to broach settlement and D&O insurers will often oppose funding a settlement, or even discussing a settlement with the plaintiffs, until the motion to dismiss has been resolved. Most of the cases that are not dismissed eventually settle after the motion to dismiss decision and never make it to trial.

Early Case Analysis

In order to prepare for motions to dismiss, settlement negotiations, mediations and discovery, during the earliest stages of a case (pre-discovery), counsel should learn as much as possible about all available evidence, relevant facts and the applicable law(s) as part of an early case assessment. Whether dealing with motions, evaluating the risks and value of a case or preparing for discovery or a mediation, a total mastery of available facts is essential for counsel to best represent their clients. In addition to helping counsel set realistic expectations for clients and prepare for later stages of litigation, it almost always is helpful to counsel in evaluating whether or when to settle a case or to continue to litigate, including whether and when to engage in mediation.

When conducting an early case assessment, defense counsel should, among other things:

  • Conduct interviews of available individuals;
  • Gather important documents from clients;
  • Engage an expert to conduct a preliminary damages analysis and assist in estimating potential ranges of damages as well as possibly other experts; and
  • Evaluate the impact of a settlement on any parallel proceedings.

Why Mediation?

The securities cases that settle most commonly do so through mediation (98 percent of securities class actions either settle or are dismissed. In large part, because of the multiplicity of parties with differing viewpoints, counsel to any one party will likely find it very difficult, if not impossible, to effectively manage the multi-party simultaneous negotiations necessary to settle most securities cases. This is also in part because counsel is viewed as, and are, advocates for their own client(s). Therefore, the parties almost always engage an independent mediator familiar with securities class actions and the applicable law to help resolve the case.

These mediations are most often presided over by one of a relatively small group of mediators with known expertise in handling mediations of large complex cases and, importantly, a strong understanding of the securities laws.  These successful mediators have self-confidence, are persuasive and can be forceful in expressing their own views of a case’s merits, the risks involved for the parties and fair terms of settlement. These mediators all believe it helps them if the parties are represented by experienced, knowledgeable and reasonable counsel.

An experienced and capable mediator can:

  • Provide expertise, impartiality, and creditability in dealing with the multiplicity of parties with conflicting interests and the complexity of the issues.
  • Help foster constructive consideration by all parties of the many issues and risks existing in a case and emphasize the value for all parties in compromise; and
  • Provide an independent, realistic and knowledgeable view of strengths and weaknesses in each party’s position.

Role of D&O Insurers and Others in Mediation

Insurers frequently face potential liability for claims in securities class actions, and as a result, play a critical role in funding a settlement. These carriers are key participants in settlement discussions, including at mediation.

A defendant company, and directors and officers usually have different types of D&O insurance provided by multiple insurers in separate layers of coverage that are relevant to a particular securities litigation. These layers, often referred to as a tower of insurance, consist of a primary insurance carrier with a policy that covers the first layer of liability (for example, the first $5 million of liability above any retention amount called for by the insurance policy) and successive layers of additional insurance that cover liabilities exceeding the tranche of insurance directly below it. These insurance amounts, including the primary policy and successive layers, add up to the total amount of available insurance.

Insurers in different tranches often disagree among themselves on what is a reasonable settlement due to the varying levels at which policies in an insurance tower come into play and therefore have different risks. Frequently, a mediator is faced with the need to persuade insurers to contribute tens of millions of dollars to resolve a case, despite these wide variations in risk.

Not infrequently, there is also disagreement amongst defendants or amongst plaintiffs about risks and reasonable settlement amounts. And, of course, the plaintiffs and defendants generally strongly disagree with each other on the merits of the case, the facts, the proper interpretation of the law and potential damages.

Sometimes expert witnesses are brought to mediation, most often to opine on the complex issue of how to calculate damages in these cases. Damages experts for plaintiffs and defendants almost always disagree by a significant amount on the quantum of damages. It is not uncommon for lawyers to think that some of the methodology used by some class action damage experts is arcane and/or debatable.

Given the surfeit of parties, the amount at stake and the complexity of applicable law, it is not surprising that only an experienced mediator with some gravitas, common sense, credibility and an understanding of the securities laws has a chance of bringing the many viewpoints of the parties at a mediation to a global resolution.

How Settlement Will Impact Parallel Proceedings and Vice Versa

Counsel should consider the impact that a settlement of one securities case may have on other related litigations or investigations in which their clients are involved. Parallel proceedings can include some combination of regulatory and criminal proceedings (both state and federal) and related additional civil litigation. Depending on the specific facts, procedural posture of the proceedings, and the proposed terms of the resolution, resolving a criminal matter first may hamper a defendant’s ability to defend itself in related civil securities proceedings or vice versa. For example, any admission in a settlement with the SEC or the Department of Justice, could impact ongoing civil litigation. Even if the defendant enters into a settlement on a “neither admit nor deny” basis, it risks affecting the civil case. On the other hand, resolving a civil case first may provide criminal prosecutors with access to discovery they might not have requested or had access to. Nevertheless, it may be advantageous, depending on the facts and circumstances, for a defendant to resolve the civil case, which usually involves voluminous and costly discovery, before dealing with a related regulatory or criminal matter.

When deciding whether to settle one or more of multiple proceedings, defense counsel should consider:

  • The strength of the claims. If a party is defending against weak claims, it may decide to continue litigating some or all of the parallel proceedings.
  • The cost of settlement. It may not be worth settling either case where the opposing party has made an excessively costly settlement demand.
  • Adverse party access to unfavorable facts. Prioritizing the litigation and settlement of one parallel proceeding over another, may give an adverse party access to facts that would otherwise be unavailable or unknown.

The authors would be happy to discuss any questions readers may have on any of the above topics.

This post was originally published as a Seyfarth legal update.

Seyfarth Synopsis: A divided Ninth Circuit Court of Appeals panel has ruled that the Federal Arbitration Act (FAA) preempts California Assembly Bill 51 (AB 51), which purports to prohibit employers from requiring job applicants and workers from signing arbitration pacts. The panel further concluded that AB 51’s criminal penalties are preempted by the FAA. Chamber of Commerce of the U.S. v. Bonta.

Facts

AB 51 subjects employers to criminal misdemeanor charges and civil sanctions for mandating arbitration agreements of certain claims as a condition of employment. The law exclusively focuses on pre-arbitration agreement behavior, but does not bar enforcement of improperly-entered into arbitration agreements.

On December 9, 2019, a collection of trade associations and business groups (collectively, “Chamber of Commerce”) filed a complaint for declaratory and injunctive relief against various California officials (collectively, “California”). The Chamber of Commerce sought a declaration finding that AB 51 is preempted by the FAA, a permanent injunction prohibiting California officials from enforcing AB 51, and a temporary restraining order.

The District Court Decision

The District Court granted a preliminary injunction in favor of the Chamber of Commerce explaining that AB 51 criminalizes only contract formation, but the law does not make the arbitration agreement unenforceable. The authors of AB 51 adopted this approach in an attempt to avoid conflict with Supreme Court precedent, which holds that a state rule that discriminates against arbitration is preempted by the FAA.

In essence, in what turned out to be an unsuccessful attempt to avoid FAA preemption, the California Legislature included a provision in AB 51 that an arbitration agreement would be enforceable even if the employer violated the law by making arbitration mandatory. This resulted in the oddity that an employer could be subject to criminal prosecution and civil penalties for requiring an employee to enter into an arbitration agreement, but the agreement would be enforceable once executed.

Consequently, the District Court granted the motion for a temporary restraining order, and after a hearing, issued a minute order granting the motion for a preliminary injunction. The District Court ruled that the Chamber of Commerce was likely to succeed on the merits of its preemption claim because AB 51 “treats arbitration agreements differently from other contracts,” and “conflicts with the purposes and objectives of the FAA.”

The Ninth Circuit Court of Appeals Decision

The issue on appeal was whether the FAA preempts a state rule that discriminates against the formation of an arbitration agreement, even if that agreement is ultimately enforceable. The panel held that such a rule is preempted by the FAA.

In reaching its decision, the panel applied the principles articulated in U.S. Supreme Court cases Doctor’s Assocs., Inc. v. Casaraotto and Kindred Nursing Ctrs. Ltd. P’ship v. Clark. These cases led the panel to conclude that AB 51’s penalty-based scheme to inhibit arbitration agreements before they are formed violates the “equal-treatment principle” inherent in the FAA, and is the type of device evincing hostility towards arbitration that the FAA was enacted to overcome. In short, AB 51 is preempted by the FAA because one of the FAA’s touchstones is to encourage arbitration, and AB 51 is contrary to this purpose.

In an attempt to save AB 51, California argued that the court could rely on AB 51’s severability clause to eliminate AB 51’s penalties, and then uphold the surviving portions of AB 51. However, the panel rejected this argument, concluding that all provisions of AB 51 work together to burden formation of arbitration agreements.

The sole dissenting judge (sitting by designation from the Tenth Circuit Court of Appeals), argued that the majority nullified a California law codifying what the enactors of the FAA and the U.S. Supreme Court took as a given: arbitration is a matter of contract and agreements to arbitrate must be voluntary and consensual. In support of this position, the judge distinguished AB 51 from state rules previously preempted by the FAA.

What Bonta Means for Employers

Not only does the decision reinforce the strong federal policy favoring arbitration, but the decision suggests that California will ultimately be required to respect the right of private enterprises to require employees to waive their right to go to court over most disputes arising out of employment.

While this is a positive decision for employers, they should bear in mind that the matter will now return to the District Court for a determination on the merits of the Chamber of Commerce’s claims. And, California may seek en banc review of the decision, or request review by the U.S. Supreme Court.

This post was originally published on Seyfarth’s Gadgets, Gigabytes & Goodwill blog.

A recent motion for preliminary approval of a class action settlement filed in federal court in Georgia will bring to a close claims asserted on behalf of a class of Porsche owners for a purportedly botched over-the-air (“OTA”) software update sent to their vehicles. But a recent decision by a California federal court suggests that manufacturers may be able to avoid claims for violation of the Computer Fraud and Abuse Act (“CFAA”) so long as they do not “blatantly misdescribe” the OTA updates they transmit to vehicle owners. Taken together, these cases signal the challenges automakers will face in defending software malfunction cases and the benefits of robust disclosure when transmitting OTA software updates.

Proposed Settlement in Bowen

In Bowen v. Porsche Cars, N.A., Inc., filed in the U.S. District Court for the Northern District of Georgia in January 2021, the owner of a 2011 Porsche vehicle filed suit based on a claim that a signal transmitted by Sirius XM Radio and “facilitated” by Porsche during a 2020 Memorial Day weekend promotional campaign caused a serious malfunction in the “infotainment” system of his vehicle. According to the complaint, an OTA software update to the Porsche Communications Management (“PCM”) unit in the vehicle caused the PCM to “continuously reboot,” causing a range of problems including malfunction of the system and draining the vehicle’s battery.

In a September 2021 order, the court granted Porsche’s motion to dismiss claims for negligence and unjust enrichment, but found that Porsche must answer the vehicle owner’s claims for violation of the CFAA and trespass to personality. The court found that “[t]he intent element under the CFAA requires merely that access to a computer system not be a careless or inadvertent mistake,” so that “either directly sending or facilitating the transmittal” of OTA updates could trigger liability.

The unopposed motion for preliminary approval, filed by plaintiff vehicle owners in the Bowen case in January 2023, calls for the certification of a class of “entities and individuals in the United States who, as of May 20, 2020, owned or leased . . . any Porsche vehicle equipped with an XM radio antenna and PCM 3.1 which is the sole PCM model to have been impacted by the rebooting at issue).” The proposed settlement requires Porsche to fund up to $7,500 in repairs per affected vehicle; provide compensation for class members who have already paid out-of-pocket for repairs; and give owners who have not yet been able to obtain satisfactory repairs the ability to do so for up to a year after approval of the settlement. Porsche also agreed to pay up to $1,975,000 in attorneys’ fees and another $75,000 in costs. In their motion for preliminary approval, the plaintiff vehicle owners argued that “this relief approaches—and in some ways may exceed—the level of compensation that realistically may have been obtainable after a successful trial.”

Other OEM Has More Success on Motion to Dismiss

Another major auto manufacturer recently faced a CFAA lawsuit based on faulty OTA software updates, but succeeded in disposing of the case on a motion to dismiss. In that case, a putative class action filed in the U.S. District Court for the Central District of California in January 2021, the plaintiff vehicle owners claimed that the manufacturer had manipulated their vehicle batteries through unauthorized software updates that resulted in diminished battery capacity in violation of the CFAA, as well as breach of warranty in violation of the federal Magnuson-Moss Warranty Act and California’s Song-Beverly Act.

In a May 12, 2022 order granting the manufacturer’s motion to dismiss, the court rejected the CFAA claim on several grounds. See Fish, 2022 WL 1552137 (C.D. Cal. May 12, 2022). First, the court held the vehicle owners failed to plead the requisite $5,000 in damages within the “narrow conception of loss” under the CFAA, which confines losses to the reasonable costs to restore a system to its condition prior to the offense. But the vehicle owners had alleged only that the manufacturers OTA update had purportedly diminished the value of the battery system, not that they actually incurred any costs in attempting to repair the alleged damage.

Second, the court addressed the meaning of “unauthorized access” in the context of the CFAA, and explained that the concept of exceeding authorized access “does not apply to individuals with improper motives who simply utilize access that is ‘otherwise available to them.’” Because the manufacturer had unfettered access to the vehicle owners’ media control units and batteries, “the fact that [the manufacturer] allegedly damaged these systems without [the owners’] consent is irrelevant.” The court left room for claims under the CFAA where a manufacturer is alleged to have “blatantly misdescribed the nature of the . . . updates,” but noted that the plaintiff vehicle owners in that case had failed to do so.

Key Takeaways

Both Bowen and Fish effectively were resolved at the pleading stage on motions to dismiss. In Bowen, the manufacturer settled after an unsuccessful loss on a motion to dismiss, presumably due to the cost of defense and risk of loss given the potential size of the putative class. But the Fish case suggests that manufacturers may be able to score early victories and avoid liability through robust disclosure to vehicle owners concerning OTA software updates prior to installation of those updates.

Seyfarth continues to be on the forefront of issues involving the Illinois Biometric Information Privacy Act (“BIPA”). On February 10, 2023, Seyfarth attorneys Paul Yovanic and Kristine Argentine published an in-depth analysis of the current trends in BIPA litigation and what to expect for 2023 on Bloomberg Law.

The article, examines the recent Illinois Supreme Court Tims decision applying a 5 year statute of limitations to all BIPA claims and the anticipated Illinois Supreme Court decision in White Castle which is expected to address the issue of when a violation accrues under the statute. The article also discusses what businesses and the legal community should expect in 2023 with respect to BIPA claims and viable defenses.

After years of litigation in federal courts across the country over purported Telephone Consumer Protect Act (TCPA) violations, there has been a recent shift in focus to what is known as mini-TCPAs being enacted by state legislatures which seek to regulate intrastate telemarketing communications. In particular, dozens of putative class actions have been filed over the last several weeks in Florida alleging violation of the Florida Telephone Solicitation Act, Florida’s mini-TCPA. Amendments to the Florida Telephone Solicitation Act went into effect July 1, 2021 and included an expansive definition of “automated dialers;” new restrictions for prior express written consent for all telephonic sales calls using an automated system; and a private cause of action that allows recovery of at least $500 per violation.

Because the TCPA does not preempt state laws that are intended to be more protective than the TCPA, businesses utilizing calling campaigns which send marketing calls or text directly to consumers in states such as Florida need to be mindful of these additional regulations. Moreover, Florida courts have been hesitant to dismiss claims under the Florida Telephone Solicitation Act leaving little guidance as to how exactly the definitions and provisions of this statute will be interpreted.

Businesses should note, however, that a clear and conspicuous arbitration provision will likely be enforced, which can limit the exposure to putative class actions. In Kravets v. Anthropologie, Inc., the Southern District of Florida court granted a motion to compel arbitration where the agreement to arbitration was present in the Text Terms and Conditions which were linked in advertisement where the consumer signed up for the company’s text messaging program. Specifically, the court found that because the Text Terms were listed above the “GET FREE SHIPPING NOW when you sign up for email and texts” button and we bold and underlined links, they were sufficient to put the consumer on notice of the arbitration provision and by clicking the button the consumer was assenting to the Text Terms. No. 22-cv-60443, 2022 WL 1978712 (S.D. Fla. June 6, 2022). Likewise, in a recent decision, the Southern District of Florida again granted a motion to compel arbitration in a case involving claims under the Florida Telephone Solicitation Act finding even where the defendant had already filed an answer, the court entered a scheduling order, and the parties filed a joint notice of a mediator selection. Roger Amargos v. Verified Nutrition LLC, No. 22-cv-22111, 2023 WL 1331261 (S.D. Fla. Jan. 31, 2023).

While the Florida Telephone Solicitation Act has been the focus as of late, other state legislatures have either passed or proposed similar statutes with private rights of action which will likely lead to further litigation. On June 9, 2022, Washington passed its own mini-TCPA and November 1, 2022, Oklahoma’s Telephone Solicitation Act took effect. Both resemble the Florida Telephone Solicitation Act but have their own unique provisions and restrictions that businesses need to be aware of when engaging in marketing campaigns through call or text. Additionally, Georgia has a pending bill that remains viable to be enacted during the 2023 legislative session and would potentially allow civil litigants to recovery $1000 per violation and Maryland has proposed a Mini-TCPA bill with a proposed effective date of October 1, 2023.

In light of the rapid changes to the legal landscape governing marketing campaigns using call and text technology, businesses need to re-analyze their procedures to ensure compliance with not only the TCPA but also these state laws. Seyfarth will continue to monitor these changes in law and the case law that develops.

Last year was significant in Illinois Biometric Information Privacy Act (BIPA) litigation, primarily because of the many ‘firsts’ that resulted, including the first-ever BIPA trial that resulted in a staggering judgment of $228 million for 45,600 reckless/intentional violations of the statute. But aside from the jaw-dropping verdict and the Illinois Supreme Court’s decision in early 2022 holding that BIPA is not preempted by the Illinois Workers’ Compensation Act, not all decisions last year were discouraging for those defending BIPA lawsuits. Below we discuss a few of the important defense-friendly decisions from last year’s consumer-side BIPA lawsuits that will shape how businesses defend and plaintiffs prosecute BIPA actions in 2023 and beyond.

Virtual try-on tools can be exempt from BIPA under the “health care exemption.”

As the plaintiffs’ bar finds creative ways for BIPA’s applicability, we have seen a recent trend of lawsuits against businesses offering virtual try-on features for consumers to try various products at home, including glasses and makeup, through the use of a consumer’s computer or phone camera. But in September, the court held in Svoboda v. Frames for America, Inc., 21-C-5509, 2022 WL 4109719 (N.D. Ill. Sept. 8, 2022), that BIPA did not regulate the virtual try-on tool in this instance because it fell under the statute’s “health care exemption.”

Frames for America, Inc. sells prescription and non-prescription eyewear through its website FramesDirect.com, and consumers can use a virtual feature to try on glasses or sunglasses through its website. According to the complaint, the plaintiff alleged that Frames for America used software to scan a consumer’s facial geometry from a photograph uploaded by the consumer and then digitally placed the eyewear over the consumer’s face. Id. at *1. While there are only a few exemptions, BIPA contains an exemption for “information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment or operations under the federal Health Insurance Portability and Accountability Act of 1996.” See 740 ILCS 14/10.

The court dismissed the plaintiff’s complaint, holding that she “was a patient receiving a health care service in a health care setting” when she used the virtual try-on tool. Id. at *3. Even though she did not request any medical treatment, consult an eye doctor, or ultimately purchase any eyewear (id. at *1), the court concluded that “prescription lenses, non-prescription sunglasses, and frames meant to hold prescription lenses are all Class 1 medical devices.” Id. at *2. Therefore, “[e]ven if she did not personally consult with any trained or licensed professional, [plaintiff] would have received a health care service had she purchased the glasses ….” Id. In as much, the court analogized the virtual try-on feature in this case to services similarly offered in optometrists’ offices. Id.

Universities are exempt from BIPA under the “financial institution exemption.”

In Powell v. DuPaul Univ., No. 21-cv-3001, 2022 WL 16715887 (N.D. Ill. Dec. 6, 2022), the plaintiff alleged that the university violated BIPA by using an online remote proctoring tool that captured, collected, and stored his biometric information and identifiers. Id. at *1. The plaintiff further alleged that the university collected his biometric data without providing notice, obtaining consent, or disclosing how long the data would be retained before it was permanently destroyed. Id.

In its Rule 12(b)(6) motion to dismiss, DePaul maintained that it is a financial institution under BIPA and thereby exempt from the statute under Section 25(c). Here, DePaul relied upon the express terms of BIPA, which states explicitly that the Act does not apply to financial institutions subject to Title V of the Gramm-Leach-Bliley Act (“GLBA”). Id. at *1. Pointing out that it participates in the U.S. Department of Education’s Federal Student Aid Program, DePaul reasoned that it is therefore considered a financial institution subject to Title V of the GLBA. Id. To further its position, DePaul noted that both the Federal Trade Commission (“FTC”) and the Department of Education (“DOE”) recognize that universities are considered financial institutions under the GLBA and that Title V rulemaking authority lies with the Consumer Financial Protection Bureau (“CFPB”), which adopted and republished the privacy rules initially promulgated by the FTC. Id. at *2. There, the FTC rules state that any institution “significantly engaged in financial activities” is considered a financial institution. Id.

The court agreed with DePaul and determined that section 25(c) of BIPA applies to higher education institutions. The court was notably persuaded by DePaul’s reliance on the FTC’s position because it evidenced a longstanding, consistent, and well-reasoned interpretation of the GLBA it was tasked to administer. Id. at *2. Moreover, documents supporting DePaul’s motion further established that it “engage[d] in student aid and lending funds,” making it a financial institution subject to Title V of the GLBA and exempt from BIPA. Id. at *3. The court also pointed to many other 2022 decisions (and one late 2021 decision) that take a consistent position — that the financial institution exemption of BIPA applies to higher education institutions. Id., citations omitted.

A business may not be held liable under BIPA where there is no showing of acquisition of biometric data in Illinois.

In Vance v. Microsoft Corp., 20-1082, 2022 WL 9983879 (W.D. Wash. Oct. 17, 2022), plaintiffs were longtime Illinois residents who, beginning in 2008, uploaded digital photographs, including photos of themselves, to Flickr, a photo-sharing website. Id. at *1. In 2014, Yahoo!, Flickr’s then-parent company, publicly released a dataset of about 100 million photographs uploaded to Flickr’s website in the past decade. Id. To study fairness and accuracy in facial recognition technology, researchers working with IBM used one million photos from the released dataset to develop the Diversity in Faces Dataset (the “DiF Dataset”). Id. at *2. In 2019, two individuals affiliated with Microsoft downloaded the DiF Dataset. Id. The first individual, a consultant hired by Microsoft to assist with evaluating facial recognition technology, downloaded the DiF Dataset while in Washington State. Id. at *2-3. The other individual was a student intern for Microsoft who downloaded the DiF Dataset in New York to assist with her research on facial recognition facial systems. Id. at *3-5. Even though Microsoft’s two agents downloaded the DiF Dataset outside of Illinois, the plaintiffs brought the class action in a federal court in Washington state alleging that Microsoft’s data management process involved saved data being “chunked (i.e., divided into non-overlapping packets of data bits),” encrypted, and stored in a data center in Chicago, Illinois. Id. at *3.

All of the claims went to summary judgment, and Microsoft argued that plaintiffs’ BIPA claims failed because the statute cannot apply to conduct outside Illinois. Id. at *5. Thus, applying BIPA to Microsoft’s conduct outside of Illinois would violate the Commerce Clause of the United States Constitution. Id. Under Illinois law, a “statute is without extraterritorial effect unless a clear intent in this respect appears from the express provisions of the statute.” Id. at *6, citation omitted. Microsoft asserted that Illinois’ extraterritoriality doctrine bars plaintiffs’ BIPA claims because none of its conduct relating to those claims took place in Illinois. Id. at *6. Instead, the relevant conduct — downloading, reviewing, and evaluating the DiF Dataset — took place in Washington and New York. Id. Therefore, Microsoft argued that the plaintiffs cannot prove that its conduct occurred “primarily and substantively in Illinois.” Id., citation omitted.

The court granted summary judgment in favor of Microsoft in its entirety and, concerning the BIPA claims, held that even if Microsoft stored “chunked” and encrypted copies of the DiF Dataset on a cloud server in Illinois, “the relevant section of BIPA regulates only the acquisition of data, rather than the encrypted storage of data after it is acquired. Id. at *7, citing BIPA § 14/15(b). Pointedly, the court held that plaintiffs “have not identified any other relevant conduct by Microsoft that took place either primarily or substantively in Illinois. Id. The plaintiffs’ key argument in its opposition was reliance upon various high-profile BIPA cases, including the In re Clearview multi-district litigation, Rivera v. Google, and Monroy v. Shutterfly, to argue that claims relating to photos taken and uploaded to the internet in Illinois survived the extraterritoriality doctrine. Id. The court readily distinguished those cases by highlighting that, in each instance, “the plaintiffs alleged that the defendant itself reached into Illinois to collect their photographs, scan the photographs, and/or generate facial measurements or templates for use in facial recognition systems without the plaintiffs’ consent” Id. Therefore, and not having to address the Commerce Clause argument, the court concluded that “any connection between Microsoft’s conduct and Illinois is too attenuated and de miminis for a reasonable juror to find that the circumstances underlying Microsoft’s alleged BIPA violation ‘occurred primarily and substantively in Illinois.'” Id. at *8.

Plaintiffs are not entitled to nationwide discovery for BIPA claims.

The In re Clearview AI, Inc. multi-district class action, No. 21-cv-135 (N.D. Ill.), is a consolidated lawsuit alleging that Clearview violated BIPA and California and New York laws through its development and use of facial recognition technology. Specifically, the plaintiffs’ complaint alleges that Clearview “covertly scraped billions of photographs of facial images from the internet and then used artificial intelligence algorithms to scan the face geometry of each individual depicted in the photographs to harvest the individuals’ unique biometric identifiers and corresponding biometric information.” Id. at Dkt. 272, p. 1. Retail giant Macy’s is the lone retail defendant in the lawsuit and is alleged to have used Clearview’s database over 6,000 times, each time uploading an image to the database to search for a match. Id. at p. 2.

In June, a discovery dispute arose between plaintiffs and Macy’s after Macy’s limited its discovery responses to activities taking place in Illinois, New York, and California. Dkt. 361, p. 7. Plaintiffs argued that Macy’s limitation was improper because “regardless of whether Macy’s, Inc. performed the search from a store in Texas, Alabama, Delaware or any other location … each such search necessarily involved Plaintiffs’ and class members’ biometrics and possibly resulted in their images being returned as search results.” Id. In response, Macy’s argued that it is only defending state law claims arising under Illinois, New York, and California laws, and its alleged activities and conduct outside those states is irrelevant. Dkt. 378, p. 2. Macy’s further argued that “[p]laintiffs’ request is an attempt to investigate over five-hundred Macy’s store locations, in forty-three jurisdictions that are not at issue in this litigation.” Id.

The court agreed with Macy’s — that its limitation to discovery in only Illinois, New York, and California is appropriate, “given that [p]laintiffs’ current claims are predicated solely on the state laws of those three states.” Dkt. 388, citing Miner v. Gov’t Payment Serv., Inc., No. 14-cv-7474, 2017 WL 3909508, at *5 (N.D. Ill. Sept. 5, 2017) (“[T]he factual allegations of the [putative class action] complaint, confined as they are to Cook County transactions, do not support discovery as to any other counties.”). The court further agreed that requiring Macy’s “to gather discovery for its stores located in forty-three other jurisdictions where [p]laintiffs do not allege claims would be unreasonably burdensome.” Id.


As evidenced above, the BIPA landscape continues to take shape, and 2022 provided substantive decisions to help businesses defend against BIPA class actions moving forward. From a pleading perspective, companies need to understand the type of biometric information at issue in the lawsuit, how it is obtained, and how the technology is described and plead in the complaint. In addition to essential compliance, including providing a publicly available retention schedule, written notice, and obtaining written consent, businesses using biometric technology should also consider auditing their technologies to determine whether any exemptions to BIPA are applicable. While an audit will not eliminate the possibility of a lawsuit, it will allow businesses to analyze potential defenses and take cost-effective measures.

In the third annual installment of Seyfarth Shaw’s Commercial Litigation Outlook, our nationally-recognized team provides insights about litigation issues and trends to expect in 2023.

Join us for the first session of our three-part webinar series, where members of our Commercial Litigation practice group will discuss key trends in the commercial litigation space.

Part 1: Commercial Litigation Outlook: Insights and Predictions for Litigation Trends in 2023

Tuesday, February 7, 2023
1:00 p.m. to 2:00 p.m. Eastern
12:00 p.m. to 1:00 p.m. Central
11:00 a.m. to 12:00 p.m. Mountain
10:00 a.m. to 11:00 a.m. Pacific

In the first session of the series, we will provide insight on the tidal wave of ESG demands, reports, and conflicts (legal and otherwise), as well as significant trends, predictions and recommendations in the following areas:

  • Trial Outlook
  • Consumer Class Actions
  • Trade Secrets, Computer Fraud & Non-Competes
  • eDiscovery & Innovation

Speakers

Kristine Argentine, Partner, Seyfarth Shaw
Jay Carle, Partner, Seyfarth Shaw
Rebecca Davis, Partner, Seyfarth Shaw
Dawn Mertineit, Partner, Seyfarth Shaw
Christopher Robertson, Partner, Seyfarth Shaw

Click here to register for the webinar series.