Introduction
Over the past few years, there has been a lot of litigation activity in the United States involving the use of various tracking and biometric technologies. These ‘corporate surveillance’ actions have focused on many older statutes, such as the California Invasion of Privacy Act (CIPA) and the federal Video Privacy Protection Act (VPPA), as well as more recent laws such as the Illinois Biometric Information Privacy Act (BIPA). Many of these actions have been commenced as class action lawsuits, which expose businesses to serious risk. When class action lawsuits have not been available, such as where an arbitration agreement is in place, there has been the risk of mass arbitration actions against businesses, which includes its own significant risk and burden to businesses. These three statutes and the recent legal developments regarding them are discussed below.
California Invasion of Privacy Act
CIPA is a Cold War-era wiretapping statute, which was enacted to prevent industrial espionage. Despite its origin, plaintiffs have attempted to apply this law to modern-day website tracking technologies. At its core, CIPA was enacted with the purpose of protecting California residents from wiretapping and eavesdropping, without their prior consent. CIPA provides statutory damages in the amount of $5,000 per violation.
The basic allegations in these lawsuits is that the plaintiff has visited a website, the website has third-party tracking technologies or uses a chatbot that is operated by a third party, that third party has access to the plaintiff’s information to which the plaintiff did not consent and can use the information for its own commercial purposes, and that the website aided and abetted that third party in the foregoing. Some common defences in these actions include whether an internet website falls within this statute, whether the information was accessed by the third party while in transit, whether the plaintiff provided consent (eg, through a pop-up consent banner), whether the information at issue truly is contents of communications, and whether the other party is a mere service provider that does not use the information for its own purposes. Other defences can include whether the court has jurisdiction (depending on the nature of the business’s activities) and, where the action is commenced in federal court, whether the plaintiff has standing.
More recently, plaintiff’s attorneys are alleging that website technologies violate the CIPA provisions relating to pen registers and trap and trace devices without first obtaining a court order. CIPA defines a pen register as a device or process that records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted. Trap-and-trace is defined as a device or process that captures the incoming electronic or other impulses that identify the originating number or other dialing, routing, addressing or signaling information reasonably likely to identify the source. Plaintiffs have alleged that a business’s website technology that collects this type of information is violating CIPA’s provisions.
Federal and state courts in California have had mixed reactions to these types of claims. Some courts have outright dismissed these claims as being unable to state a claim. This outcome has been more common in federal courts. Other courts, however, have allowed these claims to survive a motion to dismiss and to proceed to the merits. As such, plaintiffs have changed their strategies. Some have moved away from federal courts to state courts, or attempted to file a mass number of demands for arbitration, where the website has an arbitration clause in its terms of use.
Given these mass arbitrations, on 15 January 2024, the American Arbitration Association issued its Supplementary Mass Arbitration Rules ‘to provide parties and their representatives with an efficient and economical path toward the resolution of multiple individual disputes.’ Nevertheless, it is clear that mass arbitrations can be used as a strategy to put an enormous amount of costs on businesses who have to pay the vast majority of costs associated with consumer arbitrations.
That said, businesses have a number of tools at their disposal, if they correctly implement them. These include having a mandatory information dispute resolution clause before a plaintiff can commence arbitration. Another approach is that the terms of use can require bellwether cases. Businesses can also put language barring mass arbitrations. Finally, businesses can remove the arbitration clause completely, which would allow plaintiffs to sue in court. All of these tactics have potential advantages and pitfalls. As such, it is important to discuss the terms of use with seasoned counsel and determine whether any changes should be made1.
Federal Video Privacy and Protection Act
Over the past year, website operators have experienced a proliferation of lawsuits under the Video Privacy Protection Act (VPPA), which is a federal statute enacted in the 1980s that prohibits non-consensual disclosure of an individual’s video tape rental history. Despite its non-digital origin, litigation under the VPPA has successfully targeted the ubiquitous use of tracking technologies on businesses’ websites, creating a risk of significant class-action damages under VPPA’s $2,500 per violation statutory-damages clause.
The VPPA provides a private cause of action against a ‘video tape service provider who knowingly discloses, to any person, personally identifiable information’ which ‘identifies a person as having requested or obtained specific video materials or services.’ Although ostensibly confined to antiquated media, the VPPA’s definition of ‘video tape service provider’ as a person ‘engaged in the business… of rental, sale, or delivery of pre-recorded video cassette tapes or similar audio-visual materials,’ has permitted a modern interpretation. Beginning in 2022, a flood of litigation under the VPPA has targeted video content featured on websites that employ tracking technologies, like Google Analytics and Meta Pixel, which plaintiffs argue have the effect of disclosing identifiable information about the user’s video consumption to third parties.
Notwithstanding the tenuous analogy between renting videos and consuming online content, courts have been receptive to VPPA suits of this kind, and have adopted plaintiff-favourable standards. For example, to determine whether a defendant is ‘engaged in the business’ of video delivery, courts amorphously analyse whether the defendant’s product is substantially involved in the conveyance of video content to consumers and significantly tailored to serve that purpose. On this basis, any website that features video content arguably renders its owner a ‘video tape service provider’ and, regardless, the fact intensive nature of the inquiry has been deemed incompatible with a motion to dismiss.
In addition, some courts have accepted that the mere use of Meta Pixel is sufficient to demonstrate, for purposes of a motion to dismiss, that a website has disclosed users’ personally identifiable information to Facebook. Of course, this technology and its disclosures to third parties are highly fact dependent and subject to change, so a business’ ultimate liability will depend on the actual practices in place at the time of an alleged violation.
Nonetheless, entities targeted under the VPPA have several defensive options:
- Courts have interpreted the VPPA’s catchall language similar audiovisual materials to incorporate the limitation that the video be ‘pre-recorded’. Thus, as long as this interpretation continues, defendants cannot be held liable for offering live-video content.
- The plaintiff must be a ‘consumer’ of the defendant’s video content, defined as a ‘renter, purchaser, or subscriber’. On this basis, the plaintiff must have at least some relationship with the defendant in order to possess a viable claim. Note, however, that, by including mere subscribers in the definition of ‘consumer’, the relationship between plaintiff and defendant may be somewhat tenuous.
- Finally, and perhaps most importantly, there can be no claim under the VPPA if the business obtains written consent from the consumer that meets various statutory requirements. Subject to additional nuances, the consent must be: (1) in a form distinct and separate from any form setting forth other obligations of the consumer; (2) given at or before the time the disclosure is made, and (3) withdrawable at the consumer’s election.
Based on the expansive view adopted by many courts, a broad sweep of entities may be subject to litigation under the VPPA. Any business with a website that includes video content and employs tracking tools (or otherwise permits third-party access) should be cognisant of the risks. Certain businesses may avoid liability on the basis that they offer only live-video content or do not have a relationship with a consumer, but the most reliable means of avoiding liability is to preemptively adopt a consent policy that meets statutory specifications.
Illinois Biometric Information Privacy Act
BIPA, enacted in 2008, was the first law in the US to regulate the collection, use and handling of biometric information. BIPA provides for a private right of action against an entity that collects or discloses a person’s biometric identifier without opt-in consent. BIPA prescribes statutory damages in the amount of $1,000 per violation, and $5,000 per violation if the violation is intentional or reckless. If actual damages are greater, then the aggrieved person can recover that higher amount.
Based on this statutory language, on 17 February 2023, the Illinois Supreme Court opened the door to astronomical damages. The Illinois Supreme Court found that separate claims under BIPA accrued for each non-consensual collection or disclosure, including repeated collections of the same biometric identifier and repeated disclosures of that biometric identifier to the same third party. The court reasoned that the statutory definition of ‘collection’ encompassed scans of a biometric identifier for verification against a database, as well as the initial capture of the identifier for storage in the database. As to disclosure, the court found that the statute’s inclusion of the catchall – to ‘otherwise disseminate’ – suggested that disclosure included any transmission of biometric information to a third party, including one that already possessed the information.
In so holding, the court was not swayed by arguments that its interpretation would allow for astronomical damages under BIPA’s ‘per-violation’ liquidated damages clause. The court acknowledged the class-wide damages for 9,500 persons but could total $17bn, but noted that these damages were discretionary and that the court was nonetheless bound to follow the plain language of the statute. The court suggested that any policy issues should be resolved by the legislature.
Attorneys representing businesses should be aware of two important implications. First, entities without robust opt-in consent policies for biometric data may have exposure in the billions of dollars. Second, plaintiffs are entitled to damages for accumulated violations during a five-year look-back period, and so may delay bringing a claim until the moment that a consent policy is implemented. Consequently, delay in adopting a consent policy will increase liability exposure (provided the entity has collected biometric data for less than five years).
Since this ruling, three further developments have occurred with respect to BIPA. First, in November 2023, the Illinois Supreme Court held that BIPA does not apply to biometric information of healthcare workers collected, used, or stored for healthcare treatment, payment, or operations, as those functions are defined by the Health Insurance Portability and Accountability Act. Second, in December 2023, an Illinois appellate court panel held that two insurance companies owed no duty to defend a BIPA lawsuit under the terms of their policies. As such, it is extremely important for businesses to carefully review their insurance coverage with experience counsel in this field. Third, the Illinois legislature is in the process of potentially amending BIPA which, if passed, may limit business exposure.
Conclusion
There is a tremendous amount of litigation activity against business use of website technologies, as well as use of biometric information, in the US. As such, it is imperative for companies to discuss risks associated with the foregoing with experienced counsel, as well as other stakeholders, such as marketing and IT personnel, and to develop and implement ways in which such risks can be mitigated.
Notes
- Businesses should be mindful that various other states have wiretapping laws, which plaintiffs have used in similar litigation. In particular, plaintiffs have commenced many actions under the Pennsylvania Wiretapping and Electronic Surveillance Control Act.