Illinois Supreme Court Sheds Light on the Importance of Strict Compliance with State’s Biometric Information Privacy Act

On January 25, 2019, in Rosenbach v. Six Flags Entm’t Corp., the Illinois Supreme Court held that an individual is an “aggrieved” party under the Illinois Biometric Information Privacy Act (“BIPA”) and may seek damages absent an allegation of harm beyond a violation of the rights conferred by the statute.


In 2008, Illinois passed the BIPA in order to regulate “the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.”  The BIPA imposes several obligations on entities collecting, retaining, and disclosing biometric data, including the obligation to (1) inform the individual or the individual’s representative in writing that biometric data is being collected or stored, (2) inform the individual or the individual’s representative in writing of the purpose and length of term for which the biometric data is being collected, stored, and used, and (3) receive a written release executed by the subject of the biometric data.  As part of the BIPA’s enforcement mechanism, “aggrieved” parties are granted a private right of action.

The Rosenbach Decision

In Rosenbach, the plaintiff filed a class action complaint against Six Flags Entertainment Corporation (“Six Flags”) asserting violations of the BIPA.  The complaint alleged that in 2014, the plaintiff went online to purchase her 14-year-old son a Six Flags season pass.  The plaintiff paid for the pass online, but her son was required to complete the sign-up process in person.  During a school trip to Six Flags, the plaintiff’s son completed the sign-up process by scanning his thumb into Six Flags’ biometric data capture system and obtaining a pass card, which permitted reentry when used together.

Among other things, the complaint alleged that Six Flags violated the BIPA because (1) the plaintiff was never notified that her son’s fingerprint would be scanned when he completed his sign-up in person, (2) neither the plaintiff nor her son was informed in writing (or in any other way) of the purpose or length of term for which the fingerprint was collected, and (3) neither the plaintiff nor her son signed a written release.

Six Flags sought to dismiss the action by arguing that in order to bring a claim as an “aggrieved” party under the statute, the plaintiff was required to allege an actual injury or harm apart from the statutory violation.  The appellate court agreed with Six Flags and held that “a plaintiff who alleges only a technical violation of the statute without alleging some injury or adverse effect is not an aggrieved person[.]”

On appeal, the Illinois Supreme Court unanimously reversed the appellate court’s decision, finding that the term “aggrieved” does not require an allegation of harm beyond a violation of the rights conferred by the BIPA.  In reaching its conclusion, the court stated that although the term “aggrieved” is not defined in the BIPA, the understanding of aggrieved—that “‘[a] person is prejudiced or aggrieved, in the legal sense, when a legal right is invaded by the act complained of or his pecuniary interest is directly affected by the decree or judgment[]’”—was embedded in Illinois jurisprudence when the BIPA was adopted and that the court “must presume that the legislature was aware of that precedent . . . .”  Additionally, the court highlighted the fact that a requirement of actual harm has been specifically identified in some statutory schemes but not in others, which led the court to further conclude that if lawmakers intended the BIPA to require an allegation of actual harm, the statute would have explicitly said so.  To illustrate this point, the court likened the BIPA to the AIDS Confidentiality Act, which authorizes relief to “aggrieved” parties and does not require proof of actual damages.  In contrast, the court referenced the Illinois Consumer Fraud and Deceptive Business Practices Act, which permits a private right of action only when the plaintiff alleges “actual” damages.

The court further reasoned that a party need not allege a harm beyond a statutory violation because when an entity violates the BIPA, “the right of the individual to maintain [his or] her biometric privacy vanishes into thin air . . .” and constitutes an injury that is “real and significant.”


The BIPA is already a hotly litigated statute; however, the Rosenbach decision will likely lead to a significant uptick in BIPA claims. In light of the availability of the greater of actual damages or statutory damages ranging from $1,000 to $5,000 per violation, companies subject to the BIPA must now, more than ever, ensure strict compliance with the law.

Posted in Legislation, Litigation, Privacy, Regulations

Senators Introduce Data Care Act to Establish Duties for Online Service Providers

On December 12, 2018, Senator Schatz (D-HI), along with 15 other Senators, introduced the Data Care Act of 2018 “to establish duties for online service providers with respect to end user data that such providers collect and use.”

The bill would require online service providers (“OSPs”)—defined as entities (1) “engaged in interstate commerce over the [I]nternet or any other digital network” and (2) that collect individual identifying information (“IID”) about end users in the course of or incidental to the course of business—to exercise the duties of care, loyalty, and confidentiality with respect to that information. If the bill becomes law, it will apply 180 days after the date of enactment.

The bill’s definition of IID is limited to information that is collected over the Internet or any other digital network and is information that can be “linked” or is “linkable” to an end user or device that is “associated with or routinely used by an end user.” The bill does not define “linkable”; however, to the extent the GDPR’s definition of “identifiable” in the context of personal data can be a guide, “linkable” is likely to have a broad reach. Under the GDPR, information is identifiable when it can be combined with other pieces of information in order to determine the identity of an individual, but a hypothetical possibility of identification is not sufficient; it must be reasonably likely in light of considerations such as time, cost, and technology.

The duties under the bill are as follows:

The Duty of Care

  • OSPs must:
    • reasonably secure IID from unauthorized access
    • promptly notify end users of any breach of sensitive data; the FTC, subject to defined exceptions and considerations, has the power to promulgate rules for breach notification with respect to categories of IID other than sensitive data

The Duty of Loyalty

  • OSPs cannot use IID in a manner that:
    • benefits the OSP to the detriment of an end user
    • will result in reasonably foreseeable physical or financial harm to the end user
    • would be unexpected or highly offensive to a reasonable end user

The Duty of Confidentiality

  • OSPs cannot disclose, sell, or share IID with any other person:
    • except as consistent with the duties of care and loyalty
    • unless that person enters into an agreement with the OSP that imposes the same duties of care, loyalty, and confidentiality owed to the end user by the OSP
  • Must ensure any person to whom IID is disclosed, sold, or shared abides by the duties of care, loyalty, and confidentiality by, including but not limited to, regularly auditing that person’s data security and information practices

The bill gives the FTC enforcement and rulemaking authority and the ability to impose penalties, which will be an amount not to exceed the penalties permitted by 15 U.S.C. 45 (m)(1)(A) ($10,000) multiplied by the greater of (1) the number of days of non-compliance or (2) the number of end users harmed. The bill also allows for enforcement by state attorneys general.

Notably, and as was clearly favored by the Commissioners during the Senate subcommittee hearing on FTC Oversight on November 27, 2018, the bill also gives the FTC jurisdiction over non-profits and common carriers subject to the Communications Act of 1934.




Posted in FTC, Legislation, Privacy, Standards

Amazon Echo Data at Center of Another Legal Battle

Amazon, Inc. is on the receiving end of another court order demanding it release the data and recordings associated with one of its Echo smart devices. For the uninitiated, Echo smart devices support voice interaction, music playback, and other administrative tasks for its users. The device responds whenever a user says a “wake word,” such as “Alexa” or “Echo.” After performing the given task, the device records and stores the interaction, which can later be accessed by the user or by Amazon.

In its November 5th order, the New Hampshire Superior Court demanded Amazon release two days’ worth of data that state prosecutors believe may assist in proving a double murder. The case involves the tragic slaying of two female victims, Christine Sullivan and Jenna Pellegrini, on January 27, 2017 at Ms. Sullivan’s home in Farmington, NH. Timothy Verrill of Dover, NH stands accused of stabbing both women to death inside the home and of tampering with evidence. Upon searching the crime scene, police investigators found and seized Ms. Sullivan’s Echo smart device, which was sitting on the kitchen counter. The Echo device, if it was recording at the time of the killings, could be the state’s star witness.

Amazon, however, has said that it “will not release customer information without a valid and binding legal demand properly served on us.” This is not the first time that Amazon has argued over the admissibility of Echo data. Back in 2015, Amazon was served with a similar court order to produce Echo data and recordings potentially related to the drowning of an Arkansas man in a privately owned hot tub. In response to the order, Amazon filed a 91-page brief arguing that the prosecution should have to meet a higher burden of proof to get a warrant for the data and recordings. Amazon’s proposed standard would require the prosecution to prove there is no less intrusive way to obtain the information and to establish that there is a “sufficient nexus” between the device and the crime. Amazon argued that the First Amendment protected both user requests and Echo’s responses, claiming that permitting government access to the data “chills the exercise of First Amendment rights.” This is similar to the argument Apple made in its opposition to an order demanding it decrypt the iPhone password of one of the defendants in the San Bernardino terrorist case.

The defendant in the Arkansas case ultimately consented to releasing his data. Therefore the court did not have to answer the question of whether the data fell under the protection of the First Amendment. However, the question requires answering.

Amazon has yet to file a response to the New Hampshire court order. Unlike the Arkansas case, where the device belonged to the defendant, here, the device belonged to Ms. Sullivan—one of the two victims. This distinguishes the two cases because Verrill does not have standing to object to production of the evidence, and Ms. Sullivan’s right to privacy likely ceased to exist when she died. It will be interesting to see what, if any, arguments Amazon proposes to address these two issues.

One thing is certain: this will not be the last case to address the production of smart device data. As people’s lives continue to become more and more dependent on smart devices, state and federal courts must determine the protection afforded to smart device data, and what standard should be applied to access it.

Posted in Internet of Things, Litigation, Privacy

Senate Subcommittee Evaluates Expansion of the FTC’s Data and Privacy Authority

On November 27, 2018, the U.S. Senate Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security held a hearing titled “Oversight of the Federal Trade Commission,” which included testimony from Chairman Joseph Simons and Commissioners Rohit Chopra, Noah Phillips, Rebecca Slaughter, and Christine Wilson. The hearing examined a range of topics within the purview of the FTC, but of particular importance to privacy professionals was the discussion of whether the FTC should have expanded authority over privacy and data security.

The hearing followed two Subcommittee hearings on the creation of a federal privacy law, which Senator Moran (R-KS) noted was necessary in the wake of several large-scale data incidents and in light of the “implementation of the General Data Protection Regulation (“GDPR”) in Europe, and the recent passage of the California Consumer Privacy Act [(“CCPA”)].” Senator Blumenthal (D-CT), echoing the need for a federal privacy law, stated that “[the U.S.] need[s] to do it not only because Europe has done it, not only because California has done it, but [because] these rules are long overdue” and that Congress must “[p]rovide the FTC with the resources[,] expertise and structure to enforce the rules [and] establish meaningful penalties on first offenses to pose a credible deterrent . . . .”

In working toward a bipartisan federal privacy law, the Subcommittee was specifically interested in input from the Commissioners on what should be included in the law as well as any additional tools the FTC would need to enforce it. Although little testimony was given on specific aspects of what should be included in the law, there appeared to be a consensus among the Commissioners that the FTC needs (1) direct authority to assess civil penalties, (2) authority over non-profits and common carriers for which there is currently an exemption, and (3) rulemaking authority under the Administrative Procedure Act.

In predicting what may be to come from the FTC in light of growing privacy concerns, Chairman Simons indicated that the FTC may use its Section 6(b) power under the FTC Act—which empowers the FTC to require an entity to file “annual or special . . . reports or answers in writing to specific questions”—to investigate big tech companies such as Amazon, Apple, Facebook, and Google regarding what consumer information is being collected and how that information is used, shared, and sold.

Privacy professionals should continue to monitor the development of a federal U.S. privacy law and should keep an eye on potential FTC investigation efforts into big tech as the discussion develops and continues.

Posted in FTC, Legislation, Privacy, Regulations

California Passes Internet of Things Law

California continues to pave the way for privacy and cybersecurity legislation as Governor Brown recently signed the first Internet of Things (“IoT”) security law in the United States (SB-327).

While connected devices offer users convenience and efficiency, California lawmakers recognized that such devices also raise serious security and privacy issues. The stated purpose of SB-327 is “to ensure that [I]nternet-connected devices are equipped with reasonable security measures to protect them from unauthorized access, use, destruction, disclosure, or modification by hackers.” Lawmakers identified several concerns, including physical dangers posed by connected cars and medical devices (e.g., connected insulin pumps that can be hacked to deliver lethal doses), as well as concerns over hacks of connected devices to create “botnets,” which have already resulted in major Internet crashes and Denial of Service attacks (attacks intended to prohibit authorized users from accessing networks or devices).

SB-327 has received criticism for its vague terminology, which critics argue fails to provide covered entities with clear direction, thereby preventing them from knowing whether they achieved compliance. Some have also said that SB-327’s requirements are not strict enough. Others applauded the law, saying that despite potential flaws, it was a necessary step in the right direction.

What does SB-327 Require?

Manufacturers must equip connected devices with “reasonable” security features. The bill lacks specificity but, at a minimum, the security features must be (1) appropriate to the nature and function of the device; (2) appropriate to the information it may collect, contain, or transmit; and (3) designed to protect information contained on the device from unauthorized access, destruction, use, modification, or disclosure.

Subject to (1)-(3) in the preceding paragraph, if a device provides a method of authentication outside a local area network (i.e., a remote method of verifying the user’s authority to access the device), it will be deemed to have a reasonable security feature if the manufacturer includes (1) preprogrammed passwords that are unique to each device, or (2) a feature requiring a user to generate a new means of authentication before the device can be accessed for the first time (e.g., password set-up, verification code, etc.).

Who does SB-327 Apply to?

Companies that manufacture, or contract to manufacture, connected devices that are sold in or offered for sale in California. Notably, the law does not apply to companies that “contract only to purchase [] connected device[s], or only to purchase and brand [] connected device[s].”

Who Enforces SB-327?

Unlike the recent California Consumer Privacy Act of 2018, SB-327 does not provide a private right of action, nor does it include specific monetary penalties. Rather, enforcement authority belongs exclusively to the Attorney General, a city attorney, a county counsel, or a district attorney.

When does SB-327 go into Effect?

The law is currently scheduled to go into effect on January 1, 2020.

Posted in Data Security, Internet of Things

Recent Decision Sends Companies Rushing to Review Browsewrap Agreements

A California federal court recently held in Rushing v. Viacom, Inc. that an arbitration provision in Viacom’s End User License Agreement (“EULA”) was one click shy of enforceability, and denied the company’s motion to dismiss claims against it pending arbitration. Plaintiffs did not receive sufficient notice of the provision when downloading a children’s game called Llama Spit Spit, the court found, because the user could access the application without clicking on the link to the EULA.

The court relied on this fact in rejecting Viacom’s contentions that the plaintiff had either actual or constructive notice of the arbitration provision. Viacom attempted to establish actual notice by arguing that the underlying complaint contained a quote from the section of the app description that also notifies readers that “use of [the] app is subject to the Nickelodeon End User License Agreement” and that the EULA contains an arbitration provision.

That argument fell flat, the court reasoned, because to read that description the plaintiffs would have had to click a hyperlink titled “more” — and the plaintiffs could have downloaded the app without doing so. “In this circumstance, the mere fact that the complaint happens to quote from the same section of the app description that helps Viacom on this motion is not at all sufficient for Viacom to carry its burden of proving actual notice by a preponderance of the evidence,” the court concluded.

Likewise, Viacom failed to show that the plaintiffs had constructive notice of the arbitration provision. The EULA in question is a “browsewrap agreement,” to which a user agrees simply by using the website. The validity of this type of agreement “turns on whether the website puts a reasonably prudent user on inquiry notice of the terms of the contract,” the court noted. Again, the “more” hyperlink sank Viacom’s argument for enforceability. The court reasoned that because there was no need for users to click on that hyperlink to download and use the app, and nowhere else were they warned that using the site constituted acceptance of the EULA, they could not be held to its terms.

Key Takeaway: The Rushing case serves as a reminder that arbitration is a creature of contract, and basic rules of offer and acceptance apply. As noted by the court: “A user cannot accept an offer through silence and inaction where she could not reasonably have known that an offer was ever made to her.” At least in this instance, an arbitration provision in an EULA tucked behind an ignorable hyperlink did not get the job done.

Posted in Litigation

Anthem Agrees to Record Data Breach Settlement

In the wake of the largest U.S. health care data breach in history, Anthem, Inc., has agreed to pay $16 million to the Office for Civil Rights, which is a record settlement for alleged HIPAA violations. According to the Department of Health and Human Services (“HHS”), the previous high was a $5.55 million settlement paid in 2016. In addition to the monetary payment, Anthem has also agreed to take “substantial” corrective action to prevent a similar breach from occurring in the future.

The settlement arose out of a 2014 breach involving the electronic protected health information (“ePHI”) of nearly 79 million people. On January 29, 2015, Anthem discovered that hackers had gained access to its IT system through a persistent threat attack. Further investigation revealed that hackers had sent spear phishing emails to one of Anthem’s subsidiaries and at least one employee took the bait. Through that seemingly simple act, the hackers were then able to infiltrate Anthem’s system and compromise its stored ePHI, consisting of names, social security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information.

Anthem has already agreed to settle the class action litigation filed on behalf of its consumers, which was approved in August of 2018. Anthem will pay $115 million to approximately 19 million consumers, which includes a pool of $15 million for out-of-pocket expenses, along with free credit monitoring and identity theft protection services. Anthem also agreed to nearly triple its annual spending on data security for the next three years and implement various cybersecurity controls and reforms, such as changing its data retention policies, adhering to specific remediation schedules, and conducting annual IT security risk assessments and settlement compliance review.

The Anthem breach places the spotlight squarely on the need for employee education and training, emphasizing that data security is as much a people problem as it is an IT problem. The best security measures in the world are only as good as those implementing them. As hackers become more sophisticated, companies who maintain sensitive data must become more vigilant, as even a minor lapse like opening a suspicious email can have devastating consequences. Indeed, as HHS noted in its press release, “OCR’s investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI” well before the breach was discovered. You can read HHS’s press release here.

With cybersecurity experts stressing that being hacked is not a question of if, but when, we would all do well to heed Ben Franklin’s advice that “an ounce of prevention is worth a pound of cure.”

Posted in Cyberattack, Data Breach, Data Security, HIPAA, OCR

Key Takeaways from the California Consumer Privacy Act of 2018

On June 28, 2018, a month after the European Union’s General Data Protection Regulation went into effect, California passed its own comprehensive piece of privacy legislation—the California Consumer Privacy Act of 2018 (“CCPA”).  The bill was passed as part of an effort to give California residents the “ability to protect and safeguard their privacy” as a result of increased consumer awareness over privacy issues such as those involving Cambridge Analytica. Due to how quickly the bill made its way through the legislature, it lacks clarity in many areas.  It is likely that the bill will undergo several amendments between now and its enforcement date of January 1, 2020 and as such, businesses and those in charge of compliance should stay abreast of further developments.

As drafted, the CCPA affords California residents the right to: (1) know what personal information is being collected about them, (2) know whether their personal information is sold or disclosed and to whom, (3) say no to the sale of personal information, (4) access their personal information, and (5) receive equal service and price, even if they exercise their privacy rights.  The key takeaways of the current version of the CCPA are as follows:

Posted in Regulations

Technical FACTA Violation Insufficient to Confer Standing

A federal court in Texas cut short a putative class action alleging violation of the truncation requirement under the Fair and Accurate Credit Transactions Act (FACTA), sending a clear message to plaintiffs that minor inconvenience flowing from a procedural violation of FACTA does not establish standing. This decision comes as more good news to the defense bar, as it joins a growing list of cases extending the U.S. Supreme Court’s watershed Spokeo decision to cases brought under FACTA.

The plaintiff sued Houston-based restaurant company Luby’s, Inc. after twice purchasing meals using his debit card and receiving computer-generated receipts displaying more than the last five digits of his card number. FACTA provides that “no person that accepts credit cards or debit cards for the transaction of business shall print more than the last five digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of sale or transaction.” 15 U.S.C. § 1681c(g)(1). Thus, the plaintiff alleged a clear violation of the statute.

But that isn’t enough, the court held, granting the defendant’s motion to dismiss for lack of subject matter jurisdiction and rejecting the plaintiff’s argument that simply alleging a statutory violation is sufficient to confer standing. “The Fifth Circuit has not had the occasion to consider the question of standing in a case involving a FACTA violation,” the court noted. “The U.S. Supreme Court’s holding in Spokeo, Inc. v. Robins, however, is instructive and does not support the plaintiff’s position,” reasoned U.S. District Judge Kenneth M. Hoyt.

Under Spokeo, a plaintiff must show an actual injury flowing from the statutory violation in question. That injury must be “concrete and particularized” and “actual or imminent, not conjectural or hypothetical.” As a consequence of receiving the offending receipts from Luby’s, the plaintiff alleged that he had to check his bank statements and credit report to ensure that he was not the victim of identity theft. Further, he argued that the defendant’s statutory violation “wrongfully placed a burden on [him] to make sure the receipts were either destroyed or secured.”

The court made short work of these allegations, holding that such inconveniences do not rise to the level of actual injury. Further, because it was undisputed that the plaintiff discovered the violation immediately and the receipts remained in his possession, there was no impending risk of harm. So the court sent the plaintiff packing pursuant to Fed. R. Civ. P. 12(b)(1) — and gave the defense bar an additional arrow in their 12(b)(1) quiver.

Posted in Litigation, Privacy

Updated SEC Guidance Highlights Importance of Solid Cybersecurity Policies and Procedures

The Securities and Exchange Commission (“SEC” or “Commission”) has given public companies a heads up on where the Commission is setting its sights in the ever-developing world of cybersecurity. Here’s what you need to know, and what you need to do, to stay on the right side of the SEC.

Public companies have experienced some significant and high-profile data breaches since the SEC issued its previous cybersecurity guidance in 2011. In light of the issues we have seen in recent years, the SEC released a new interpretive guidance (available here), updating the 2011 document and emphasizing the importance and complexity of companies’ reporting obligations as they relate to cybersecurity.

Two topics included in the new guidance did not appear in the prior version, and therefore should be particularly heeded: (1) the need for public companies to have strong cybersecurity policies and procedures in place; and (2) how prohibitions on insider trading apply in the cybersecurity arena. The new guidance also drives home the SEC’s continuing commitment to monitoring cybersecurity-related disclosures.

The guidance makes clear that a head-in-the-sand approach to cybersecurity issues is not an option. Effective, proactive disclosure protocols and procedures are essential elements of appropriately handling cybersecurity threats (potential or actualized), the guidance notes, and “the Commission believes that the development of effective disclosure controls and procedures is best achieved when a company’s directors, officers, and other persons responsible for developing and overseeing such controls and procedures are informed about the cybersecurity risks that the company has faced or is likely to face.”

The SEC also reminds public companies that cybersecurity policies and procedures must address insider trading, because information about a cybersecurity incident can easily fall under the “nonpublic material information” umbrella. When in possession of such information, directors, officers, and other corporate insiders must not trade company securities.

While the guidance contains many details that public companies should study carefully, the overarching lesson is that the SEC is taking cybersecurity very seriously and seems to be taking the position that the best defense is a good offense. Cozen O’Connor’s cybersecurity team stands ready to help companies develop and implement effective policies and procedures to minimize risk and maximize compliance with SEC rules and regulations as they relate to cybersecurity.

Posted in Data Security, Privacy, Regulations
About Cyber Law Monitor
In the new digital world, individuals and businesses are almost entirely dependent on computer technology and electronic communications to function on a daily basis. Although the power of modern technology is a source of opportunity and inspiration—it also poses huge challenges, from protecting privacy and securing proprietary data to adhering to fast-changing statutory and regulatory requirements. The Cyber Law Monitor blog covers privacy, data security, technology, and cyber space. It tracks major legal and policy developments and provides analysis of current events.