This year will see an increased focus on several areas of biometric litigation—particularly in Illinois—with more fines coming for tech and financial companies, making privacy compliance a key priority for all companies with national and international exposure. And additional privacy, data, and cybersecurity regulations are in the works federally, in states, and in Europe.
BIPA
Illinois will continue to be particularly active. There’s already been an uptick in class action lawsuits focused on voice recognition technology. And in the past two years, dozens of lawsuits were filed against various companies, including McDonald’s, Amazon, Walmart, and others, alleging that they collect consumer or employee voice data in violation of Illinois’ Biometric Information Privacy Act.
A number of defendants in BIPA lawsuits have successfully invoked the statutory exception for “financial institutions” that are regulated by federal law. And courts have given a broad reading to the term “financial institutions,” finding that universities, among other entities, are shielded from BIPA because of the nature of their economic transactions.
The upshot for defendants is that a company or institution doesn’t need to be primarily engaged in financial activities to qualify for the exception.
Meanwhile, the Illinois Supreme Court is poised to rule in Cothron v. White Castle on the critical question of when a claim under BIPA accrues—one time at the first scan or transmission, or each and every time it is scanned or transmitted.
How the court rules will have enormous implications for damages calculations in these cases, many of which already are settling for eight- and nine-figure sums.
Litigation More Expensive
As privacy class action litigation continues to evolve, one thing is increasingly clear: The price of resolution is climbing.
Over the past year or so, we have seen class settlements routinely involve substantial eight-figure commitments. For example:
- $92 million for the TikTok BIPA multidistrict litigation, with final settlement approval granted in August.
- $90 million for Meta’s long-running tracking MDL, with final settlement approval granted in November.
- $85 million for Zoom’s privacy MDL, with final settlement approval granted in August.
- $58 million for Plaid’s privacy MDL, with final settlement approval granted in July.
- $650 million for Meta’s BIPA settlement—the largest settlement currently on the books—with the US Court of Appeals for the Ninth Circuit having granted final approval in March.
The regulatory environment also has seen its share of large privacy settlements.
In November, a coalition of state attorneys general announced a $392 million settlement with Google over location tracking. And EU member states levied nine-figure General Data Protection Regulation fines against a number of tech giants, including Amazon.
Given that data collection and use are ubiquitous, these developments make privacy compliance a key priority for all companies. And the exposure is international.
US privacy class action litigation now routinely involves parallel proceedings in countries such as Canada, Brazil, and Israel, with the UK continuing to inch toward US-style civil class action procedure. Arbitration clauses in user agreements don’t necessarily eliminate class-level financial exposure.
Mass arbitration pursued by plaintiffs’ firms has resulted in eight-figure payouts as companies grapple with arbitration at scale.
Combined, these developments show that big-ticket litigation routinely involves privacy disputes—and it’s only a matter of time before a billion-dollar class settlement is announced.
Uptick in Lawsuits
The plaintiffs’ bar is deploying decades-old statutes to challenge relatively new data analytics tools.
First, we will see decisions in the recent wave of lawsuits filed against financial and health sector websites using analytics code that tracks visitor activity. Plaintiffs have lodged similar claims under the Video Privacy Protection Act against general-purpose websites embedded with streaming videos.
These lawsuits will evaluate the application of legacy laws such as the Health Insurance Portability and Accountability Act and VPPA to relatively new analytics-tracking technology.
Second, the recent uptick in litigation challenging session replay technology—which allows a website to “replay” a site visit, including what the user viewed, clicked on, or hovered on—will continue.
Relatedly, plaintiffs have started to bring “chatbot” cases, attacking websites’ use of digital tools to have automated “conversations” with site visitors without using live customer service agents. Plaintiffs allege that dated wiretapping laws are violated when companies use session replay or chatbot technology without visitors’ explicit consent.
Because the defense bar succeeded in obtaining early dismissal of earlier session replay cases in “one-party consent” states, where the company’s consent itself suffices, these newly filed cases invoke the laws of the minority of states that require all-party consent.
Increasing Regulation
Meanwhile, 2023 is slated to usher in an explosion of privacy, data, and cybersecurity regulations at every level, from local to cross-border. Several federal agencies are considering new regulations.
The Federal Trade Commission is evaluating commercial surveillance and data security rulemaking. The Securities and Exchange Commission may issue cybersecurity disclosure regulations. The Cybersecurity and Infrastructure Security Agency may issue regulations for cyber incident and ransom payment reporting. The Transportation Security Administration may engage in cybersecurity rulemaking directed at the pipeline and rail sectors. The Federal Energy Regulatory Commission is considering rulemaking governing incentives for utilities voluntarily investing in cybersecurity improvements. In turn, states that are debuting omnibus privacy legislation in 2023, including California and Colorado, are in the process of developing implementing regulations.
And European regulators are evaluating the Data Act, which would establish a harmonized framework for industrial, non-personal data sharing in the EU, and the Artificial Intelligence Act, which would be the first major, AI-specific law—and would regulate AI applications to varying extents based on their degree of risk.
The trends in the coming year will accelerate, and there will be an increase in the size and scope of new privacy regulations at all levels of government. There will also be a surge in privacy litigation challenging various practices as violating biometrics, video privacy, or wiretapping laws. Finally, there will be a higher threshold for resolving disputes through individual and classwide settlements.
This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.
Author Information
Travis LeBlanc co-leads Cooley’s global litigation department and the firm’s cyber/data/privacy practice. He represents clients at all stages of their company lifecycle, including Chegg, Coinbase, DraftKings, FabFitFun, Google, Intuit, Marsh McLennan, Meta, T-Mobile, and Zoom.
Bethany Lobo is a partner in Cooley’s cyber/data/privacy practice group whose practice focuses on privacy consumer class actions and Internet, eCommerce, and technology litigation. She counsels social media and other technology companies on biometrics, scraping, incident response, and other data and privacy issues.
Mike Rhodes is global chair of Cooley’s cyber/data/privacy and internet practice groups. He is nationally recognized as a leading trial lawyer and privacy class action litigator for Google, Facebook, the Kardashians, Microsoft, Zoom, Coinbase, and the Golden State Warriors.
Cooley partner Kyle Wong contributed to this article.