Class action lawsuits accusing companies of violating the Illinois Biometric Information Privacy Act (“BIPA”) have more than doubled following a February 2023 ruling by the Illinois Supreme Court, which found, based on a plain reading of the statute, a separate claim accrues each time a person’s biometric identifier is scanned in violation of the statute.  

Last month, TikTok sued Montana’s attorney general—alleging the state’s recent TikTok ban is unconstitutional and is preempted by federal law.

On May 17, Montana Governor Greg Gianforte signed a first-of-its-kind law banning TikTok from operating in the state, in order “[t]o protect Montanans’ personal, private, and sensitive data and information from intelligence gathering by the Chinese Communist Party.”

The Ninth Circuit recently issued an opinion that could shape how companies draft and revise two oft-encountered types of contracts: terms of service agreements (“TOS”) and arbitration clauses.

In Jackson v. Amazon.com, Inc., the Ninth Circuit affirmed the district court’s order denying Amazon.com, Inc.’s motion to compel arbitration in a case brought by a proposed class of “Amazon Flex” drivers. Amazon Flex is a delivery program run through a smartphone app that Amazon uses to engage individuals to make Amazon deliveries in their personal cars. 

On February 4, 2021, the Eleventh Circuit affirmed the dismissal of a customer’s proposed class action lawsuit against a Florida-based fast-food chain, PDQ, over a data breach. The three-judge panel rejected the argument that an increased risk of identity theft was a concrete injury sufficient to confer Article III standing, deepening a circuit split on this issue.

A federal court recently issued a decision approving a class action settlement resolving litigation stemming from five Yahoo! data breaches that occurred from 2012 to 2016 and affected at least 194 million Yahoo! customers. The company agreed to establish a $117.5 million settlement fund and institute numerous business practice changes designed to prevent future data breaches. Of particular interest in the approval order, however, was the Court’s comparison of the instant settlement to a prior in-district data breach settlement. A review of the approval order provides insight into the factors judges analyze to ensure settlements are reasonable, proper, and in the best interests of the class.

As we previously reported, the Magistrate Judge in In re: Capital One Customer Data Security Breach Litigation found that a forensic report that Capital One had claimed was protected by the privilege and work product doctrines needed to be produced because Capital One had not met its burden under the dual-purpose doctrine to show that the report was protected. In re: Capital One Customer Data Sec. Breach Litig. (“Magistrate’s Order”). The forensic report at issue (the “Report”) related to a 2019 data breach where a hacker purportedly accessed and stole highly sensitive customer information from Capital One’s online cloud environment (the “Breach”). Capital One hired outside counsel to investigate the Breach and to help the company prepare for anticipated litigation and regulatory inquiries. To assist counsel’s investigation, outside counsel engaged a cybersecurity consultant (“Consultant”). As developed in the Magistrate’s Order, Capital One had used this same Consultant prior to the Breach in the normal course of its business.

On Friday, March 22, a split panel of the Ninth Circuit Court of Appeals found that a company with no direct contractual relationship with independent contractors could be found vicariously liable for the actions of those contractors in a class action suit. The majority held that ratification may create an agency relationship when none existed before, and that a reasonable jury could have found the defendant, owners of billions of dollars in student loan debt, vicariously liable for violations of third-party debt collectors. The holding in Henderson potentially could have widespread agency law ramifications, especially when it comes to Telephone Consumer Protection Act (TCPA) violations.