Blog image

This post was originally published to Seyfarth’s Global Privacy Watch blog.

California Senate Bill 690 (SB 690), introduced by Senator Anna Caballero, is continuing to proceed through the California state legislative process. The proposed bill would amend the California Invasion of Privacy Act (CIPA) by adding an exception to the statute which has the effect of permitting use of tracking technologies for “commercial business purposes.” CIPA, enacted in 1967, was originally established to prohibit the unauthorized recording of or eavesdropping on confidential communications, including telephone calls and other forms of electronic communication. However, over recent years CIPA claims in lawsuits have been used to target business’ online use of cookies, pixels, trackers, chatbots, and session replay tools on their websites. 

If passed, SB 690 would exempt the use of such online tracking technologies from violating CIPA, provided they are used for a “commercial business purpose” and comply with existing privacy laws like the California Consumer Privacy Act (CCPA).  SB 690 could significantly impact current litigation under CIPA for online business activities. Not only will plaintiffs be far less likely to file new lawsuits alleging violations of CIPA, but SB 690’s provisions are explicitly made retroactive to any cases pending as of January 1, 2026, which could lead to dismissals of ongoing lawsuits, as well.

On April 29, 2025, the Senate Public Safety Committee unanimously voted to advance SB 690, and it was subsequently re-referred to the Senate Appropriations Committee. A hearing before the Appropriations Committee is currently scheduled for May 19, 2025.

Screenshot 2025-05-19 162435

We are pleased to share that Seyfarth attorneys Paul Yovanic, Jason Priebe, Ada Dolph, and Michael Jacobsen co-authored the “USA – Illinois: Trends & Developments” section in the recently released Chambers Data Protection & Privacy Global Practice Guide 2025. This highly regarded publication provides timely insights and analysis on key developments in data privacy and cybersecurity law across jurisdictions worldwide.

In their chapter, Paul, Jason, Ada, and Michael examine the rapidly evolving privacy landscape in Illinois, including:

  • The latest trends in litigation under the Biometric Information Privacy Act (BIPA)
  • Expanding protections under the Genetic Information Privacy Act (GIPA)
  • The emerging regulation of artificial intelligence in the workplace

Their analysis offers practical guidance for businesses seeking to navigate these complex and developing areas of law, while also reflecting the breadth of Seyfarth’s national capabilities in privacy, technology, and workplace compliance.

As legal scrutiny around biometric data, genetic information, and workplace technologies continues to intensify, staying ahead of these issues is critical. Our attorneys’ contribution to this leading publication demonstrates Seyfarth’s position at the forefront of data privacy law and our commitment to helping clients manage risk in an increasingly digital world.

For those confronting the challenges of data protection, biometric compliance, and AI regulation, the Chambers Data Protection & Privacy Global Practice Guide is an essential resource.

Read the full guide here: Chambers Global Practice Guide: USA – Illinois Chapter

1747239500-2862-608-lxb_photow7ZyuGYNpRQlxb_photo-
Kevin Ku, Unsplash

The California Privacy Protection Agency (“CPPA”) has made it abundantly clear: privacy compliance isn’t just about publishing the right disclosures – it’s about whether your systems actually work. On May 6, the agency fined Todd Snyder, Inc. $345,178 for failures that highlight a growing regulatory focus on execution of California Consumer Privacy Act (“CCPA”) compliance. The action sends a powerful message: even well-resourced companies are not insulated from enforcement if they don’t actively test and manage how privacy rights are honored in practice.

Not Just Tools – Working Tools

The action against Todd Snyder was rooted in executional failure. The company had a portal in place for consumer rights requests, but it wasn’t processing opt-out submissions – a failure that lasted for roughly 40 days, according to the CPPA. The cookie banner that should have enabled consumers to opt out of cookie tracking would disappear prematurely, preventing users from completing their requests.

The company further required users to verify their identity before opting out and requested sensitive personal information, such as a photograph of their driver’s license. The CPPA determined this was not only unnecessary, but a violation in itself. The allegations around improper verification reflect concerns raised in a CPPA Enforcement Advisory issued last year, which cautioned businesses against collecting excessive information from consumers asserting their privacy rights.

Although the company relied on third-party compliance tools, the enforcement action made clear that having those tools in place is not enough. When a consent mechanism malfunctions or creates friction for consumers attempting to exercise their rights, the company – not the vendor – is accountable.

The Vendor Defense Doesn’t Work

A central theme of the CPPA’s enforcement action is that businesses cannot outsource responsibility. While Todd Snyder used a vendor to manage parts of its compliance program, the CPPA emphasized that it’s the business, not the vendor, that will be held accountable when things go wrong. The agency explicitly noted that relying on a third party “without knowing their limitations or validating their operation” is not a defense.

This message raises the bar for privacy governance. Businesses need to go beyond implementation and actively test how vendor tools function in real-world conditions. Technical configuration matters. Monitoring matters. And when a system breaks or doesn’t operate as expected, companies must detect and fix it quickly.

A Shift Toward Operational Audits

This decision also marks a shift in how the CPPA approaches enforcement. In the early days of the CCPA, much of the focus was on written policies and disclosures. Now, enforcement is more hands-on. Regulators are acting like users – submitting rights requests, testing site functionality, and keeping track of whether and how companies respond. That means businesses need to maintain end-to-end visibility and ownership of the entire consumer rights process.

Even well-intentioned features can lead to violations if they’re implemented carelessly. A marketing team’s redesign might accidentally break a consent banner, or an IT update might change how opt-outs are tracked. Without routine quality assurance and ongoing audits, these kinds of issues can quietly persist for weeks, as they did with Todd Snyder.

Looking Ahead

As part of the stipulated resolution, Todd Snyder agreed to overhaul its CCPA compliance program within 90 days. That includes properly configuring its opt-out mechanisms, implementing new internal procedures, and providing CCPA-specific training to employees. The company must also document these changes and demonstrate compliance to the CPPA, signaling that post-order monitoring is likely to follow.

More broadly, the decision confirms that the CPPA is prepared to use its enforcement powers to address not just egregious violations, but operational breakdowns, like a non-functioning website banner, that interfere with consumer rights. It also reinforces that privacy enforcement is no longer confined to data brokers or tech companies. Retailers, hospitality providers, manufacturers, and any consumer-facing business collecting Californians’ personal information should expect scrutiny.

Now is the time for businesses to move beyond policy drafting and focus on how their compliance tools actually perform. That means:

  • Reassessing vendor relationships and validating how consent management and privacy tools are configured and maintained;
  • Avoiding the collection of unnecessary or sensitive personal data when processing rights requests;
  • Conducting periodic quality checks on consumer-facing interfaces; and
  • Establishing clear internal accountability for honoring consumer privacy rights in a timely and effective manner.

The CPPA’s message is clear: businesses can no longer treat CCPA compliance as a static exercise. Functionality, oversight, and continuous improvement are the new baseline.

Commercial Lit

We are excited to share the 2025 edition of our Commercial Litigation Outlook, offering key insights into the evolving legal landscape.

This year’s Outlook explores anticipated shifts under the second Trump Administration, including regulatory changes, agency governance shifts, and the growing role of AI in legal proceedings. AI-related challenges, such as deepfakes and data privacy, continue to shape litigation. The False Claims Act faces constitutional scrutiny, while health care litigation evolves under new DOJ and FTC priorities.

Consumer class actions remain on the rise, particularly in privacy-related litigation involving tracking technologies, AI-driven data collection, and misleading advertising claims. Emerging concerns include “dark pattern” lawsuits, unauthorized cookie tracking, and evolving California consumer protection laws under the CCPA.

The year ahead promises significant developments for businesses and the legal community. Stay informed and adaptable with our insights into these key trends.

Download the 2025 Outlook

Coming Soon! 2025 Commercial Litigation Outlook Webinar Series

Join us for a three-part webinar series featuring expert discussions on the key trends highlighted in this year’s Outlook. Sign up below to receive notifications and stay ahead of the curve.

Receive Notifications for our Webinar Series

Cyber security image
FlyD, Unsplash

Wednesday, March 12, 2025
3:00 p.m. to 3:30 p.m. Eastern
2:00 p.m. to 2:30 p.m. Central
1:00 p.m. to 1:30 p.m. Mountain
12:00 p.m. to 12:30 p.m. Pacific

Register Here

About the Program

Join us for an informative program that offers valuable insights into the evolving landscape of privacy law in Illinois. The panelists will cover the latest developments in the Biometric Information Privacy Act (BIPA) and the Genetic Information Privacy Act (GIPA), along with their implications for businesses.

Our panelists will explore trends in Illinois privacy litigation, particularly the growing number of class actions arising under GIPA, driven by the years of voluminous BIPA filings. Don’t miss this opportunity to stay informed and prepared.

Speakers

Ada W. Dolph, Partner, Seyfarth Shaw LLP
Paul Yovanic, Associate, Seyfarth Shaw LLP

Register Here

If you have any questions, please contact Donna Tomkiewicz at dtomkiewicz@seyfarth.com and reference this event.

Learn more about our Workplace Privacy & Biometrics practice. To comply with State CLE Requirements, CLE forms requesting credit in IL or CA must be received before the end of the month in which the program took place. Credit will not be issued for forms received after such date. For all other jurisdictions forms must be submitted within 10 business days of the program taking place or we will not be able to process the request.

Our live programming is accredited for CLE in CA, IL, and NY (for both newly admitted and experienced).  Credit will be applied as requested, but cannot be guaranteed for TX, NJ, GA, NC and WA. The following jurisdictions may accept reciprocal credit with our accredited states, and individuals can use the certificate they receive to gain CLE credit therein: AZ, AR, CT, HI and ME. For all other jurisdictions, a general certificate of attendance and the necessary materials will be issued that can be used for self-application. CLE decisions are made by each local board, and can take up to 12 weeks to process. If you have questions about jurisdictions, please email CLE@seyfarth.com.

Please note that programming under 60 minutes of CLE content is not eligible for credit in GA. programs that are not open to the public are not eligible for credit in NC.

robert-murray-9-WVTrFrlWI-unsplash
More Information & To Register

Seyfarth Shaw is a sponsor for the 2024 ANA Masters of Advertising Law Conference, the biggest advertising, marketing, and promotion law conference in the nation. The conference will take place November 11-13 at the Fairmont Scottsdale Princess in Scottsdale, Arizona. During the conference Seyfarth attorneys Joe Orzano and Kristine Argentine will present on a breakout panel and Ken Wilton, Ameena Majid, and Gina Ferrari will lead a roundtable discussion. Additional details are provided below. 

BREAKOUT 5D: CONSUMER CLASS ACTION LITIGATION UPDATE

Monday, November 11, 2024

This session will focus on consumer class actions, including false advertising and privacy class actions. The panel will feature insights on litigation trends including common claims and types of products and services targeted, as well as theories of liability, over the past year.  The panel will also discuss defenses to commonly asserted false advertising and privacy claims and how those defenses are being received by courts. The panel will also include the latest proactive tips and strategies to maintain active advertising and marketing of products and services, while minimizing the risk of being targeted by the plaintiffs’ bar.

Panelists:

Joe Orzano
Partner and National Co-Chair, Advertising & Marketing Group
Seyfarth Shaw LLP

Kristine Argentine
Partner and National Chair, Consumer Class Action Defense Group
Seyfarth Shaw LLP

Jessica Bahr
Vice President, Deputy General Counsel
Constellation Brands

Jennifer Greenberg
General Counsel
Frida

ROUNDTABLES WITH THE EXPERTS: THE PERILS OF OVERHYPE: UNMASKING GREENWASHING AND AI WASHING

Tuesday, November 12, 2024

In today’s world, companies are expected – and even required – to share their environmental and other ESG advancements to gain consumer trust. It’s table stakes to maintain and increase market share. Not all claims are as genuine as they seem; even if well-intentioned. This roundtable will explore the potentially deceptive practices of greenwashing, AI washing, rainbow washing, and other exaggerations of an organization’s progress. We’ll touch on the risks and consequences of these misleading tactics, from both a regulatory and a civil liability perspective. Join Ameena Majid, Gina Ferrari and Ken Wilton of Seyfarth Shaw as they prompt discussions surrounding these timely and increasingly important topics.

Presenters:

Ken Wilton
National Co-Chair, Advertising & Marketing Group and National Trademark Practice Lead

Ameena Majid
Impact & Sustainability Partner 

Gina Ferrari
Partner and Co-Chair of the firm’s Impact & Sustainability Practice Group

What is the range of a federal district court’s power to compel a nonparty’s attendance at a hearing? Every practicing litigator knows the answer—“within 100 miles of where the person resides, is employed, or regularly transacts business in person.” FRCP 45(c)(1). But that is only half the answer. As the Federal Circuit recently held, when a lawyer issues a subpoena, the geographical limits of Rule 45 apply. But when the court acts on its own? That’s a different matter.

The case, Backertop Licensing LLC v. Canary Connect, was originally patent litigation filed in 2022—one of a series of twelve cases filed by Backertop, and also part of a much larger set of cases (at least ninety-seven) filed by affiliated entities that, as the Federal Circuit panel put it, all “seem to be associated with IP Edge, a patent monetization firm, and Mavexar, an affiliated consulting shop.” But this particular case landed on the desk of Chief Judge Colm Connolly of the District of Delaware, whose standing order contains very particular real-party-in-interest disclosure requirements: an LLC, joint venture, or partnership appearing in his court as a party “must include in its disclosure statement filed pursuant to Federal Rule of Civil Procedure 7.1 the name of every owner, member, and partner of the party, proceeding up the chain of ownership until the name of every individual and corporation with a direct or indirect interest in the party has been identified.”

Judge Connolly takes this requirement seriously, and when parties submit what appear to be insufficient disclosures, he investigates. Thus, as the Federal Circuit noted, “[o]ver the past year and a half, the Chief Judge . . . has identified potential attorney and party misconduct in dozens of related patent cases” filed by LLCs apparently associated with IP Edge and Mavexar. Indeed, Judge Connolly’s investigations suggest that “those real parties in interest perpetrated a fraud on the court by fraudulently conveying to a shell LLC [the patents] and filing a fictitious patent assignment with the PTO designed to shield those parties from potential liability they would otherwise face in asserting [the patents] in litigation”—as well as failing to abide by the court’s own disclosure requirements.

Judge Connolly ordered the principal of Backertop to appear in his court to “sort out the morass” after Backertop initially refused to produce documents in response to the court’s fraud concerns and its attorney attempted to withdraw from the case.  The principal objected, asserting that travel would pose a hardship for her due to childcare obligations. When she still refused after the court reset the hearing to accommodate her, the court initiated contempt proceedings. The principal filed a motion asserting that the court lacked the authority to compel her to travel, as she was outside the range specified in Rule 45—an argument Judge Connolly rejected, holding her in contempt and imposing a $200/day fine until she appeared.

The Federal Circuit panel agreed with Judge Connolly, holding that “the District Court’s order requiring [the principal] to appear at an in-person hearing falls squarely within its inherent powers,” not Rule 45’s subpoena power, and thus “that Rule does not limit the geographical range of a court’s ability to sua sponte issue an order to appear.”

Key to the court’s holding was Rule 45’s purpose in enabling “a party or attorney’s efforts to subpoena a person”—not the district court’s.  The opinion walked through the plain language of the Rule—“[a] party or attorney” is “responsible for issuing and serving” a subpoena—as well as its structure, noting that “many of FRCP 45’s requirements would be illogical if applied to a court’s own orders,” such as mandatory sanctions on a subpoenaing party for certain abuses. (Obviously, the court will not sanction itself.)

The court also examined the history of Rule 45, noting that “[s]ince its inception” the Rule “has expressly applied to subpoenas that parties requested and served without initial court oversight.” And in 1991 the Rule was amended to allow attorneys to issue subpoenas without even having the request them from the clerk. In the absence of any supervision or check, the court concluded, “it makes sense that the Rules would impose bright-line rules on the scope of party- and attorney-initiated subpoenas—as well as specific mechanisms to hold parties and attorneys accountable.” But a court’s own order to appear does not raise those issues—the court is involved directly and can weigh for itself the burden of an order requiring long-distance travel against the needs of the case.

The panel did not endow the district court with unlimited power, of course: it indirectly left open the possibility that an order to appear could be reviewable if “unreasonable or an abuse of discretion.” But because the witness being compelled was the sole human representative of the plaintiff, which was suspected of fraudulent behavior, the order was a “reasonable response to the problems and needs confronting the court’s fair administration of justice.” 

Lawyers refer to the limitations in Rule 45 so often that it is easy to get into the habit of thinking it is a limitation on the power of the court. But according to the Federal Circuit it is actually a limitation on us; and we and our clients can still be subject to a federal court’s power no matter where we are.

And for class action litigators, there’s an additional lesson here: following this ruling and Judge Connolly’s example, district courts may be more emboldened to demand clarity about the real parties in interest controlling litigation before them. While serial patent litigation is one business model where real parties may prefer to stay hidden, the same issues of real parties controlling litigation but shielding themselves from scrutiny can arise in class cases, potentially distorting the usual settlement incentives and affecting the rights of large numbers of absent plaintiffs. State borders and the 100-mile rule notwithstanding, federal district courts are broadly empowered to investigate and punish fraud, procedural abuse, and other misconduct related to their cases—including class cases.

susanne-preisinger-5nfcPuGMkCU-unsplash

Earlier this year, we reported that the Illinois Senate passed Senate Bill 2979 with a vote of 46 to 13, and the Illinois House of Representatives passed Senate Bill 2979 with a vote 81 to 30. This bill addressed concerns arising from recent legal interpretations of the Illinois Biometric Information Privacy Act (“BIPA,” 740 ILCS 14/ et seq.), particularly following the Illinois Supreme Court’s 2023 decision in Cothron v. White Castle System Inc., in which the Court held that a claim under BIPA accrues each time that an individual’s biometric information or identifier is captured or collected.

Last Friday, after nearly a three-month wait, Governor J.B. Pritzker signed Senate Bill 2979 into law. This marks the first ever amendment to BIPA in its 16-year history.

Before the amendment, BIPA allowed aggrieved individuals to claim $1,000 or actual damages for “each” negligent violation, and $5,000 or actual damages for “each” reckless or intentional violation. In Cothron, the Court held that “each” violation under the statute is a separate claim, which led some plaintiffs’ attorneys to pursue a “per scan” damages theory whereby plaintiffs would purport to seek $1,000 or $5,000 for each scan of their biometric information or identifiers. Recognizing the potential for excessive statutory damages under this theory, the Court urged the Illinois legislature to take action, and the legislature responded with this significant amendment.

The amendment, which took effect on August 2, 2024, provides that an aggrieved person may recover for only one statutory violation under Sections 15(b) and 15(d). Specifically, the changes to BIPA’s damages provisions are as follows:

(b) For purposes of subsection (b) of Section 15, a private entity that, in more than one instance, collects, captures, purchases, receives through trade, or otherwise obtains the same biometric identifier or biometric information from the same person using the same method of collection in violation of subsection (b) of Section 15 has committed a single violation of subsection (b) of Section 15 for which the aggrieved person is entitled to, at most, one recovery under this Section.

(c) For purposes of subsection (d) of Section 15, a private entity that, in more than one instance, discloses, rediscloses, or otherwise disseminates the same biometric identifier or biometric information from the same person to the same recipient using the same method of collection in violation of subsection (d) of Section 15 has committed a single violation of subsection (d) of Section 15 for which the aggrieved person is entitled to, at most, one recovery under this Section regardless of the number of times the private entity disclosed, redisclosed, or otherwise disseminated the same biometric identifier or biometric information of the same person to the same recipient.

740 ILCS 14/25(b) and (c).

Notably, as amended, BIPA further suggests now that an aggrieved person cannot recover separate statutory amounts for violations of Section 15(b) and Section 15(d). Instead, each amendment explicitly states that an aggrieved individual is entitled to “a single violation … of Section 15 for which the aggrieved individual is entitled to, at most, one recovery under this Section …” Id. (emphasis added). In other words, although the amendment acknowledges that Section 15 includes subsections 15(b) and 15(d) as distinct subsections, its language nonetheless could be read to state that an individual may only recover for a single violation of Section 15 as a whole, regardless of which subsection is violated.

The amendment also expressly includes an “electronic signature” as a permissible means of a “written release,” as defined under the statute. Prior to this amendment, it was unclear whether an electronic signature was a proper means for affixing signature under the statute. Although electronic signatures to BIPA releases were not subject to frequent challenges by the plaintiffs’ bar, this aspect of the amendment provides additional clarity that should be welcome to Illinois employers and other businesses.

While the amendment is unlikely to halt BIPA filings entirely, they will mitigate the weaponization by some plaintiffs’ attorneys who viewed Cothron as their green light to pursue a per-scan damages theory, which could have exposed Illinois businesses to tens or even hundreds of millions of dollars in damages for even the smallest of putative classes. Until now, businesses were left to rely on the discretion of trial and appellate courts to keep this theory in check; with the amendment, the statute accomplishes that unequivocally. The amendment also prevents plaintiffs from seeking separate damages for each subsection under Section 15, thereby rebuffing another tactic for increasing damages that other plaintiffs’ counsel attempted to utilize in the alternative.   

If you have any questions about how this BIPA amendment may impact your business practices, please do not hesitate to contact the authors or your trusted Seyfarth Shaw advisor.

This post has been cross-posted from Seyfarth’s Employment Law Lookout blog.

Welcome to Decoding Appeals, where Seyfarth’s Appellate Team brings to in-house counsel our insights and expertise from the front lines of the appellate courts. Throughout this short video series, we break down the nuances of appellate advocacy, sharing tips and lessons we’ve learned to help companies’ in-house legal teams understand the complexities of the appeals process.

In this first episode, host Owen Wolfe is joined by Amanda Williams and Cat Johns, two former judicial law clerks who offer their unique perspectives on the appeals process, drawing from their firsthand experiences and behind-the-scenes knowledge of how it all works.

george-prentzas-SRFG7iwktDk-unsplash

In a significant legislative development, the Illinois House of Representatives has overwhelmingly approved Senate Bill 2979, with a vote of 81 to 30, which amends the Illinois Biometric Information Privacy Act (BIPA) to limit damages to one violation per individual, rather than each instance their biometric information is captured, collected, disclosed, redisclosed, or otherwise disseminated. The bill also amended the definition of “written release” to include an electronic signature.

Last month, we reported on the Illinois Senate’s passage of the bill by a vote of 46 to 13. This legislative move is a direct response to the Illinois Supreme Court’s 2023 decision in Cothron v. White Castle. The Court ruled that under BIPA, a claim accrues each time an individual’s biometric information is captured or collected. This decision highlighted the urgent need for legislative clarity, as White Castle argued that it could face damages exceeding $17 billion if each of its employee’s time clock scans were found to recklessly or intentionally violate BIPA. Recognizing the potential for such devastating liability, the Court called on the Illinois legislature to act.

In its original form, BIPA stated that an individual may be entitled to $1,000 or actual damages for each negligent violation, or $5,000 or actual damages for each reckless or intentional violation. The newly passed bill amends Sections 15(b) and 15(d) of BIPA to state that an “aggrieved person is entitled to, at most, one recovery under this Section.”

Having cleared both legislative chambers, the bill is now headed to Governor Pritzker for his signature.

If you have any questions about how this BIPA amendment may impact your business practices, please do not hesitate to contact your trusted Seyfarth Shaw advisor.