As reported on the Hunton Retail Law resource blog, on August 2, 2024, Illinois amended its Biometric Information Privacy Act (“BIPA”), curbing the potential for massive damages and modernizing the law’s written consent provisions. On their face, the amendments are not retroactive. It remains unclear, however, whether this change in Illinois law will nonetheless be applied retroactively by the courts.
On September 29, 2023, the Supreme Court of the United States (“SCOTUS”) accepted petitions challenging the constitutionality of social media laws in Florida and Texas. Florida’s law, S.B. 7072, prohibits “a social media platform from willfully deplatforming a [political] candidate.” Texas’s law, H.B. 20, refers to social media platforms as “common carriers” that are “central public forums for public debate,” and requires common carriers to publicly disclose information related to the common carrier’s method of recommending content to users, content moderation efforts, use of algorithms to determine search results, and the common carrier’s ordinary disclosures to its users on user performance data for each of its platforms. Both of these laws were challenged by NetChoice, LLC, a national trade association of large online businesses, who had recent successes in blocking several laws, including the California Age-Appropriate Design Code and a similar social media law in Arkansas.
On February 17, 2023, the Illinois Supreme Court issued an opinion in Cothron v. White Castle Systems, Inc., in response to a certified question from the Seventh Circuit, ruling that the plain language of Section 15(b) and 15(d) of the Illinois Biometric Privacy Act (“BIPA”) shows that a claim accrues under BIPA with every scan or transmission of biometric identifiers or biometric information without prior informed consent.
On February 2, 2023, the Illinois Supreme Court reversed in part and remanded a judgment of the lower appellate court in a class action lawsuit alleging violation of the Illinois Biometric Information Privacy Act (“BIPA”).
On June 10, 2022, New York became the first state to require attorneys to complete at least one credit of cybersecurity, privacy and data protection training as part of their continuing legal education (“CLE”) requirements. The new requirement will take effect July 1, 2023.
On September 17, 2021, in Tims v. Black Horse Carriers Inc., Ill. App. Ct., 1st Dist., No. 1-20-563, the Illinois Appellate Court, in a case of first impression at the appellate level, addressed the statute of limitations under the state’s Biometric Information Privacy Act (“BIPA”), holding that a five-year period applies to BIPA claims that allege the failure to (1) provide notice of the collection of biometric data, (2) take care in storing or transmitting biometric data, or (3) develop a publicly-available retention and destruction schedule for biometric data. The Court also held that a one-year period applies to claims alleging the improper disclosure of, or improper sale, lease, trade or profit from, biometric data.
On June 3, 2021, the U.S. Supreme Court in Van Buren v. United States reversed the U.S. Court of Appeals for the Eleventh Circuit’s decision to uphold the conviction of Nathan Van Buren, a former Georgia police sergeant alleged to have violated the Computer Fraud and Abuse Act of 1986 (“CFAA”) when accessing a law enforcement database for a non-law-enforcement purpose against his department’s policy. Van Buren, the target of an FBI sting operation, had accessed the database to look up license plate information in exchange for money. The Court addressed a split in authority among the circuits regarding the scope of liability under the CFAA.
As reported on the Hunton Retail Law Blog, on April 22, 2021, the U.S. Supreme Court unanimously held in a highly-anticipated case, AMG Capital Management, LLC v. FTC, that the FTC cannot seek or obtain equitable monetary relief pursuant to §13(b) of the FTC Act.
On June 22, 2018, the United States Supreme Court held in Carpenter v. United States that law enforcement agencies must obtain a warrant supported by probable cause to obtain historical cell-site location information (“CSLI”) from third-party providers. The government argued in Carpenter that it could access historical CSLI through a court order alone under the Stored Communications Act (the “SCA”). Under 18 U.S.C. § 2703(d), obtaining an SCA court order for stored records only requires the government to “offer specific and articulable facts showing that there are reasonable grounds.” However, in a split 5-4 decision, the Supreme Court held that the Fourth Amendment requires law enforcement agencies to obtain a warrant supported by probable cause to obtain historical CSLI.
On January 24, 2017, the UK Supreme Court handed down its judgment in the case of R (on the application of Miller and another) (Respondents) v. Secretary of State for Exiting the European Union (Appellant) [2017] UKSC 5. The case concerned the process to be followed to effect the UK’s withdrawal from the European Union and, in particular, whether the UK government may commence the UK’s withdrawal using executive powers, or whether Parliamentary approval is required. The Supreme Court held, by majority, that the UK government cannot commence the UK’s withdrawal from the EU without the approval of Parliament.
As we previously reported, the Supreme Court’s decision in Spokeo v. Robins has been nearly universally lauded by defense counsel as a new bulwark against class actions alleging technical violations of federal statutes. It may be that. But Spokeo also poses a significant threat to defendants by defeating their ability to remove exactly the types of cases that defendants most want in federal court. The decision circumscribes the federal jurisdiction, with all its advantages, that defendants have enjoyed under Class Action Fairness Act (“CAFA”) for the past decade.
On May 16, 2016, the United States Supreme Court issued a decision in Spokeo Inc. v. Thomas Robins, holding 6-2 that the Ninth Circuit’s ruling applied an incomplete analysis when it failed to consider both aspects of the injury-in-fact requirement under Article III. Writing for the Court, Justice Samuel Alito found that a consumer could not sue Spokeo, Inc., an alleged consumer reporting agency that operates a “people search engine,” for a mere statutory violation without alleging actual injury.
On June 25, 2014, the United States Supreme Court issued a unanimous opinion in Riley v. California, holding 9-0 that law enforcement personnel cannot search detained suspects’ cell phones without a warrant. Writing for the Court, Chief Justice John Roberts found that the practice of searching cell phones implicates “substantially greater” individual privacy interests than other physical objects that may be found on an arrestee and deserves heightened protections. Roberts stated:
It appears as though 2014 will be a banner year for class actions, including numerous cases concerning privacy and cybersecurity issues. In an article published in Law360, two Hunton & Williams litigation partners summarize recent case law and statistics related to class actions and offer predictions for the year ahead.
As reported in the Hunton Employment & Labor Perspectives Blog:
On March 19, 2013, in Standard Fire Insurance Co .v. Knowles, the United States Supreme Court ruled that stipulations by a named plaintiff on behalf of a proposed class prior to class certification cannot serve as the basis for avoiding federal jurisdiction under the Class Action Fairness Act of 2005 (“CAFA”).
On February 26, 2013, the United States Supreme Court decided in Clapper v. Amnesty International that U.S. persons who engage in communications with individuals who may be potential targets of surveillance under the Foreign Intelligence Surveillance Act (“FISA”) lack standing to challenge the statute’s constitutionality. The Supreme Court determined that the plaintiffs’ alleged injuries were not “certainly impending” and that the measures they claimed to have taken to avoid surveillance were not “fairly traceable” to the challenged statute. Although this 5-4 decision would not be considered a “privacy” or “data breach” case, the Court’s analysis will have a significant impact on such cases going forward, and may thwart the ability of individuals affected by data breaches to assert standing based on possible future harm.
On January 23, 2012, the U.S. Supreme Court issued its ruling in the landmark United States v. Jones case, holding 9-0 that attaching a GPS device to a suspect’s car to monitor the vehicle’s movements constitutes a Fourth Amendment search that requires a warrant. Writing for the Court, Justice Scalia found that it was not necessary to determine whether Jones had a “reasonable expectation of privacy” in the underbody of his Jeep parked on a public street because the search violated the Court’s traditional common-law trespass test. Scalia stated:
“It is important to be ...
On November 8, 2011, the U.S. Supreme Court is set to hear oral arguments in United States v. Jones, a case examining the Fourth Amendment implications of warrantless GPS tracking of suspects’ vehicles. The Court directed the parties to brief and argue “whether the government violated respondent’s Fourth Amendment rights by installing the GPS tracking device on his vehicle without a valid warrant and without his consent.”
Following the U.S. Supreme Court’s ruling in Sorrell v. IMS Health, Thomas Julin, partner at Hunton & Williams LLP who represented IMS Health in the case, closely studied the Court’s decision to assess its implications, including with respect to other forthcoming legislation. In an interview with Marty Abrams, President of the Centre for Information Policy Leadership, during the Centre’s First Friday Call on September 9, 2011, Julin discussed the close parallels between the law invalidated in Sorrell v. IMS Health and proposed federal regulation of behavioral ...
On June 23, 2011, in a 6-3 decision, the United States Supreme Court ruled in IMS Health Inc. v. Sorrell that a Vermont law prohibiting the sale of prescriber-identifiable data to drug companies was an unconstitutional violation of the First Amendment right to free speech. Thomas Julin, a partner at Hunton & Williams LLP, represented IMS Health in this case. The Supreme Court’s ruling affirmed the holding of the U.S. Court of Appeals for the Second Circuit, resolving a split with the First Circuit (which upheld a similar law in New Hampshire), and likely preventing the enactment of similar restrictive laws across the country.
On April 26, 2011, the United States Supreme Court heard oral argument in Sorrell v. IMS Health, a case concerning the constitutionality of a Vermont law that restricts access to prescription drug records. Laws enacted by New Hampshire, Maine and Vermont prohibit pharmacies from selling prescriber-identifiable information in prescription records to third parties for marketing purposes. The Supreme Court seeks to resolve a circuit split that resulted from legal challenges to the statutes in all three states. Thomas Julin, partner at Hunton & Williams LLP, represents IMS Health ...
On March 1, 2011, the United States Supreme Court issued a unanimous ruling in Federal Communications Commission v. AT&T Inc., finding that corporations are not entitled to “personal privacy” and therefore may not invoke Exemption 7(C) of the Freedom of Information Act (“FOIA”). AT&T sought to employ this exemption, which prevents the disclosure of law enforcement records that “could reasonably be expected to constitute an unwarranted invasion of personal privacy,” to prohibit the Federal Communications Commission (the “FCC”) from turning over documents in response to a trade association’s FOIA request. Applicable federal law defines “person” to include “an individual, partnership, corporation, association, or public or private organization other than an agency;” AT&T contended that the adjective “personal” is a derivative of the noun “person,” giving it “personal privacy” rights as a “private corporate citizen.”
On January 19, 2011, the United States Supreme Court issued a unanimous ruling in National Aeronautics and Space Administration v. Nelson, finding that questions contained in background checks NASA conducted on independent contractors are reasonable, employment-related inquiries that further the government’s interests in managing its internal operations. Stating that “[t]he challenged portions of the forms consist of reasonable inquiries in an employment background check,” the Court reversed a Ninth Circuit decision that the questions NASA asked of the contractors invaded their privacy.
Breaking -- The Supreme Court has issued its decision in City of Ontario, California v. Quon, ruling unanimously that the police department did not violate an officer's Fourth Amendment rights when supervisors reviewed text messages transmitted using a work-issued pager. In reaching this decision, the Court did not resolve whether the officer had a reasonable expectation of privacy, rather the Court based its decision on a determination that the search itself was reasonable.
The U.S. Supreme Court has set oral argument for April 19, 2010, to review the Ninth Circuit’s 2008 decision on employee privacy in Quon v. Arch Wireless Operating Co. Although Quon concerns the scope of privacy rights afforded to public employees under the Fourth Amendment, the case also has forced private employers to renew their focus on ensuring robust and consistent enforcement of employee monitoring policies. Unlike government employers, private employers are not subject to the Fourth Amendment’s prohibition against unreasonable searches and seizures; instead, they must comply with federal wiretap statutes and state law. In practice, however, the “reasonable expectation of privacy” test courts apply to state common law privacy claims that govern private employers is virtually identical to the Fourth Amendment test. Accordingly, the Supreme Court’s review of the Constitutional test likely will affect how courts view privacy claims brought against private employers.
The U.S. Supreme Court announced Monday that it will review the Ninth Circuit’s 2008 decision on employee privacy in Quon v. Arch Wireless Operating Co. In Quon, the Ninth Circuit considered whether the Ontario, California police department and the City of Ontario violated a police officer’s privacy rights by reviewing private text messages the officer sent using a two-way pager issued by the police department. The police officer had on several occasions exceeded the limit on the text messages provided by the department-paid plan. Each time, the officer paid for the overage without anyone reviewing his text messages. When the officer again exceeded the limit, his supervisor requested from the service provider and subsequently reviewed transcripts of the officer’s messages to determine if the messages were work-related.
Search
Recent Posts
- Website Use of Third-Party Tracking Software Not Prohibited Under Massachusetts Wiretap Act
- HHS Announces Additional Settlements Following Ransomware Attacks Including First Enforcement Under Risk Analysis Initiative
- Employee Monitoring: Increased Use Draws Increased Scrutiny from Consumer Financial Protection Bureau
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code