Rosa Parks Name and Likeness Free for Use?

Rosa and Raymond Parks Institute for Self Development v. Target Corp.

Addressing the balance between privacy rights and matters of public interest, the U.S. Court of Appeals for the Eleventh Circuit affirmed the district court’s dismissal of the plaintiff’s complaint, holding that the defendant was shielded by the First Amendment from a lawsuit claiming the retailer violated the publicity rights of civil rights icon Rosa Parks by selling various products that included her picture. Rosa and Raymond Parks Institute for Self Development v. Target Corp., Case No. 15-10880 (11th Cir., Jan. 4, 2016) (Rosenbaum, J.).

Target Corporation (the defendant), a national retail chain, sold books, a movie and a plaque that included pictures of Rosa Parks, an icon of the civil rights movement who, in 1955, refused to surrender her seat to a white passenger on a racially segregated Montgomery, Alabama bus. The Rosa and Raymond Parks Institute for Self Development (the plaintiff) owns the rights to the name and likeness of Rosa Parks. The plaintiff filed a complaint against the defendant, alleging unjust enrichment, right of publicity and misappropriation under Michigan common law for the defendant’s sales of all items using the name and likeness of Rosa Parks. The plaintiff complained that by selling the products, the defendant had unfairly, and without the plaintiff’s prior knowledge or consent, used Rosa Parks’ name, likeness and image as they appeared on the products. The plaintiff further argued that the defendant promoted and sold the products using Rosa Parks’ name, likeness and image for the defendant’s own commercial advantage. After the defendant filed a motion for summary judgment, the district court dismissed the complaint. The plaintiff appealed.

On appeal, the 11th Circuit, sitting in diversity, applied Alabama’s choice-of-law rules, which hold that the procedural law of the forum state applies, while the law of the state in which the injury occurred governs the substantive rights in the case. Accordingly, the 11th Circuit applied the procedural rules of Alabama and the substantive law of Michigan.

In Michigan, the common-law right of privacy protects against four types of invasions of privacy: intrusion upon the plaintiff’s seclusion or solitude, or into his private affairs; public disclosure of embarrassing private facts about the plaintiff; publicity which places the plaintiff in a false light in the public eye; and appropriation for the defendant’s advantage, of the plaintiff’s name or likeness. The right of privacy is not absolute, and Michigan courts have long recognized that individual rights must yield to the qualified privilege to communicate on matters of public interest.

Applying Michigan law, the Court affirmed the district court’s dismissal of the plaintiff’s complaint, concluding that “the use of Rosa Parks’ name and likeness in the books, movie, and plaque is necessary to chronicling and discussing the history of the Civil Rights Movement” and that these matters therefore are protected by Michigan’s qualified privilege. As the 11th Circuit noted, “it is difficult to conceive of a discussion of the Civil Rights Movement without reference to Rosa Parks and her role in it.”

© 2016 McDermott Will & Emery

Private Email Woes Infect The Private Sector in Delaware

Vice Chancellor J. Travis Laster’s ruling in Amalgamated Bank v. Yahoo!, Inc., C.A. No. 10774-VCL (Del. Ch. Feb. 2, 2016) should sound a tocsin to directors that their “private” emails may not be so private. The ruling addressed Amalgamated Bank’s demand to inspect the books and records of Yahoo! pursuant to Section 220 of the Delaware General Corporation Law. The bank sought to inspect, among other things, documents that reflect discussions or decisions of Yahoo’s full Board or Committee. Documents covered by the demand included emails to and from the directors, from management or the compensation consultant, emails among the directors themselves, and documents and communications prepared by Yahoo officers and employees about the Board’s deliberations.

Vice Chancellor Laster found that emails were records subject to inspection under Section 220 and that through Delaware’s jurisdiction over a corporation, a court can compel production of documents in the possession of officers, directors, and managing agents of the firm.  According to the Vice Chancellor, the court can impose sanctions or other consequences on the firm if the officer, director, or managing agent fails to comply. He further noted that if a personal email account was used to conduct corporate business, the email is subject to production under Section 220. Directors and corporate officers should therefore take heed that emails concerning corporate business may be subject to disclosure even if conducted using a private email address.

© 2010-2016 Allen Matkins Leck Gamble Mallory & Natsis LLP


Department of Commerce Releases Fact Sheet on EU-U.S. Privacy Shield

As we reported yesterday, the United States and the European Commission have reached a political agreement on a new framework for transatlantic data flows, referred to as the EU-U.S. Privacy Shield.  The U.S. Department of Commerce (“Commerce”) released a fact sheet yesterday to coincide with the announcement of the agreement.

The fact sheet includes a series of bullet points listing ways in which the Privacy Shield (1) “significantly improves commercial oversight and enhances privacy protections,” and (2) “demonstrates the U.S. Commitments to limitations and safeguards on national security.”  On the first point, Commerce states that “EU individuals will have access to multiple avenues to resolve concerns,” including alternative dispute resolution at no cost to individuals.  In addition, Commerce “will step in directly and use best efforts to resolve referred complaints” using a “special team with significant new resources.”  On the second point, the fact sheet references President Obama’s executive actions to enhance privacy protections and oversight relating to U.S. government surveillance activities.  Finally, Commerce states that “the United States is making the commitment to respond to appropriate requests” regarding U.S. intelligence activity, in a manner that is consistent with national security obligations.

Agreement Reached on New EU-U.S. Safe Harbor: the EU-U.S. Privacy Shield

On February 2nd, 2016, the European Commission and U.S. Government reached political agreement on the new framework for transatlantic data flows.  The new framework – the EU-U.S. Privacy Shield – succeeds the EU-U.S. Safe Harbor framework (for more on the Court of Justice of the European Union decision in the Schrems case declaring the Safe Harbor invalid, see our earlier post here).  The EU’s College of Commissioners has also mandated Vice-President Ansip and Commissioner Jourová to prepare the necessary steps to put in place the new arrangement.

The EU-U.S. Privacy Shield

According to the Commission press release, there will be several new elements to the EU-U.S. Privacy Shield, as compared with the invalidated EU-U.S. Safe Harbor framework.  For instance, in addition to subjecting participating U.S. companies to certain as-yet unspecified safeguards, the Privacy Shield will include:

  • An annual joint review of the program performed by the European Commission and U.S. Department of Commerce – to which European data protection authorities will be invited – to ensure its proper functioning.  This will include a review of access by U.S. intelligence agencies to EU-originating data.

  • Enhanced rights of redress for European data subjects, including (i) subjecting U.S. organizations to firmer deadlines when responding to complaints, (ii) allowing EU citizens and EU data protection authorities to refer complaints to the U.S. Department of Commerce and the U.S. Federal Trade Commission, (iii) establishing, as a last resort, a new binding alternative dispute resolution mechanism to resolve complaints that will be voluntary and free to data subjects, capable of issuing binding injunctive orders, and subject to judicial review consistent with the U.S. Federal Arbitration Act, and (iv) creating a new “Ombudsperson” within the U.S. State Department to handle complaints – channeled through EU Member State representatives – that relate to U.S. intelligence agencies’ access to data.  Disputes relating to human resources/employee data will remain subject to an alternative process that entails somewhat closer involvement of EU data protection authorities, similar to the current Safe Harbor.

Moreover, it is reported that the U.S. Director of National Intelligence will confirm by official letter to the EU that U.S. intelligence agencies do not engage in “indiscriminate mass surveillance” of data transferred under the new arrangement.

The Privacy Shield is expected to retain or enhance many of the elements contained in the original Safe Harbor framework, including substantive commitments made by U.S. companies on such matters as furnishing appropriate notices to EU citizens, maintaining the security of transferred data, and tightened restrictions on onward transfers.  The precise nature of these obligations is not yet known, but will become clearer in the weeks ahead.

Next steps

The EU College of Commissioners has mandated Vice-President Ansip and Commissioner Jourová to, over the coming weeks, prepare a draft Decision declaring that the U.S. ensures an adequate level of protection. The adoption of such a Decision by the Commission must follow a “comitology” procedure which will involve:

  • a proposal from the Commission;

  • an opinion by EU Member States’ data protection authorities and the European Data Protection Supervisor (“EDPS”), in the framework of the Article 29 Working Party;

  • an approval from the “Article 31 Committee”, composed of representatives of Member States, under the comitology “examination procedure”;

  • the formal adoption of the Decision by the College of Commissioners;

  • at any time, the European Parliament and the Council may request the Commission to maintain, amend or withdraw the adequacy decision on the grounds that its act exceeds the implementing powers provided for in the Directive.

The effect of such a Commission Adequacy Decision is that personal data can flow from the 28 EU countries and three EEA member countries (Norway, Liechtenstein and Iceland) to the U.S. without any further safeguards being necessary.

Commissioner Jourová hopes for the new arrangement to be in force in approximately 3 months’ time.  The U.S. Government, in the meantime, will make the necessary preparations to put in place the new framework, monitoring mechanisms, and new Ombudsperson.

Tomorrow (February 3rd, 2016), Commissioner Jourová will attend the plenary meeting of the Article 29 Working Party to discuss the role of the EU data protection authorities under the EU-U.S. Privacy Shield.  The U.S. Department of Commerce is, in parallel, planning further briefings about the text.

Government Forces Awaken: Rise of Cyber Regulators in 2016

As the sun sets on 2015, but before it rises again in the New Year, we predict that, in the realm of cyber and data security, 2016 will become known as the “Rise of the Regulators.” Regulators across numerous industries and virtually all levels of government will be brandishing their cyber enforcement and regulatory badges and announcing: “We’re from the Government and we’re here to help.”

The Federal Trade Commission will continue to lead the charge in 2016 as it has for the last several years. Pursuing its mission to protect consumers from unfair trade practices, including from unauthorized disclosures of personal information, and with more than 55 administrative consent decrees and other actions booked so far, the FTC (for now) remains the most experienced cop on the beat. As we described earlier this year, the FTC arrives with bolstered judicial-enforcement authority following the Third Circuit’s decision in the Wyndham Hotel case. Notwithstanding the relatively long list of administrative actions and its published guidance, businesses that are hacked and that lose consumer data are at risk of attracting the attention of FTC cops and of having to prove that their cyber-related systems, acts and practices were “reasonable.”

But the FTC is not alone. In electronic communications, the Federal Communications Commission (FCC) in 2015 meted out $30 million in fines to telecom and cable providers, including to AT&T ($25 million) and Cox Communications ($595K). And this agency, increasingly known for its enforcement activism, may have just begun.  Reading its regulatory authority broadly, the FCC has asserted a mandate to take “such actions as are necessary to prevent unauthorized access” to customers’ personally identifiable information. This proclamation, combined with the enlistment of the FCC’s new cyber lawyer/computer scientist wunderkind to lead that agency’s cyber efforts, places another burly cop on the cyber beat.

The Securities and Exchange Commission (SEC) will be patrolling the securities and financial services industries. Through its Office of Compliance Inspections and Examinations (OCIE), the SEC is assessing cyber preparedness in the securities industry, including investment firms’ ability to protect broker-dealer and investment adviser customer information. It has commenced at least one enforcement action based on the agency’s “Safeguards Rule” (Rule 30(a) of Regulation S‑P), which applies the privacy provisions in Title V of the Gramm-Leach-Bliley Act (GLBA) to all registered broker-dealers, investment advisers, and investment companies. With criminals hacking into networks and stealing customer and other information from financial services and other companies, expect more SEC investigations and enforcement actions in 2016.

Moving to the Department of Defense (DoD), new rules, DFARS clauses, and regulations (e.g., DFARS subpart 204.73, 252.204–7012, and 32 CFR § 236) are likely to prompt the DoD Inspector General and, perhaps, the Defense Contract Audit Agency (DCAA) to examine whether certain defense contractors have the required security controls in place. Neither the DoD nor its auditors have taken action to date. But don’t mistake a lack of overt action for a lack of interest (or planning). It would come as no surprise if, by this time next year, the DoD has launched its first cyber-regulation mission, be it by the False Claims Act, suspension and debarment proceedings, or through terminations for default.

In addition to these cyber guardians, other federal agencies suiting up for cyber enforcement include:

  • The Consumer Financial Protection Board’s (CFPB) growing Cybersecurity Program Management Office;

  • The Department of Energy’s (DOE) Office of Electricity Delivery and Energy Reliability, examining the security surrounding critical infrastructure systems;

  • The Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services, addressing healthcare providers and health insurers’ compliance with health information privacy and security safeguard requirements; and

  • The Food and Drug Administration, examining the cybersecurity for networked medical devices containing off-the-shelf (OTS) software.

But these are just some of the federal agencies poised for action.   State regulators are imposing their own sector-specific cyber security regimes as well.   For example, the State of California’s Cybersecurity Task Force, New York’s Department of Financial Services, and Connecticut’s Public Utility Regulatory Agency are turning their attention toward cyber regulation. We believe that other states will join the fray in 2016.

At this relatively early stage of standards and practices development, the National Institute of Standards and Technology (NIST) 2014 Cyber Security Framework lays much of the foundation for current and future systems, conduct, and practices. The NIST framework is a “must read.” NIST, moreover, has provided additional guidance earlier this year in its June 2015 NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.  While addressing security standards for nonfederal information systems (i.e., government contractors’ information systems), it also provides important guidance for companies who do not operate within the government contracts sphere.  Ultimately, this 2015 NIST publication may serve as an additional general standard against which regulators (and others) may assess institutional cybersecurity environments in 2016 – and beyond.

But for now, the bottom line is that in 2016 companies must add to their list of actual or potential cyber risks and liabilities the hydra-headed specter of multi-sector, multi-tiered government regulation – and regulators.

Happy Holidays: VTech Data Breach Affects Over 11 million Parents and Children Worldwide

The recent data breach of Hong Kong-based electronic toy manufacturer VTech Holdings Limited (“VTech” or the “Company”) is making headlines around the world for good reason: it exposed sensitive personal information of over 11 million parents and children users of VTech’s Learning Lodge app store, Kid Connect network, and PlanetVTech in 16 countries! VTech’s Learning Lodge website allows customers to download apps, games, e-books and other educational content to their VTech products, the Kid Connect network allows parents using a smartphone app to chat with their children using a VTech tablet, and PlanetVTech is an online gaming site. As of December 3rd, VTech has suspended all its Learning Lodge sites, the KidConnect network and thirteen other websites pending investigation.

VTech announced the cyberattack on November 27th by press release and has since issued follow-on press releases on November 30th and December 3rd, noting that “the Learning Lodge, Kid Connect and PlanetVTech databases have been attacked by a skilled hacker” and that the Company is “deeply shocked by this orchestrated and sophisticated attack.” According to the various press releases, upon learning of the cyber attack, VTech “conducted a comprehensive check of the affected site” and has “taken thorough actions against future attacks.” The Company has reported that it is currently working with FireEye’s Mandiant Incident Response services and with law enforcement worldwide to investigate the attack. According to VTech’s latest update on the incident:

  • 4,854,209 parent Learning Lodge accounts containing the following information were affected: name, email address, secret question and answer for password retrieval, IP address, mailing address, download history and encrypted passwords;

  • 6,368,509 children’s profiles containing the following information were affected: name, gender and birthdate. 1.2 million of the affected profiles had enabled the Kid Connect app, meaning that the hackers could also have had access to profile photos and undelivered Kid Connect chat messages;

  • The compromised databases also included encrypted Learning Lodge content (bulletin board postings, ebooks, apps, games etc.), sales report logs and progress logs to track games, but did not include credit card, debit card or other financial account information, or Social Security numbers, driver’s license numbers or ID card numbers; and

  • The affected individuals are located in the following countries: USA, Canada, United Kingdom, Republic of Ireland, France, Germany, Spain, Belgium, the Netherlands, Denmark, Luxembourg, Latin America, Hong Kong, China, Australia and New Zealand. The largest number of affected individuals are reported in the U.S. (2,212,863 parent accounts and 2,894,091 children profiles), France (868,650 parent accounts and 1,173,497 children profiles), the UK (560,487 parent accounts and 727,155 children profiles), and Germany (390,985 parent accounts and 508,806 children profiles).

Given the magnitude and wide territorial reach of the VTech cyber attack, the incident is already on the radar of regulators in Hong Kong and at least two attorneys general in the United States. On December 1, the Hong Kong Office of the Privacy Commissioner for Personal Data announced that it had initiated “a compliance check on the data leakage incident” of VTech Learning Lodge. In addition, on December 3rd, two separate class actions were filed against VTech Electronics North America, L.L.C. and VTech Holdings Limited in the Northern District of Illinois. Since the data breach compromised personal information of children located in the United States (first and last name, photographs, online contact information, etc.), it is likely that the Federal Trade Commission (FTC) will investigate VTech’s compliance with the Children’s Online Privacy Protection Act (“COPPA”) and its implementing rule (as amended, the “COPPA Rule”). If a COPPA violation is found, the civil penalties can be steep and go up to $16,000 per violation. In addition to civil penalties imposed by a court, the FTC can require an entity to implement a comprehensive privacy program and to obtain regular, independent privacy assessments for a period of time.

©1994-2015 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

Regulating Recording Features of Personal Wearable Technology in Workplace

With each passing day, personal wearable technology, like the Apple Watch and Google Glass, becomes more mainstream and technologically advanced. Employers should be aware of the challenges posed by employees wearing their technology into the workplace. Businesses have already had to consider decreased productivity, exposure to computer viruses, and potential data breaches caused by personal wearable technology in the workplace. In addition, employers are now wondering if personal wearable devices are being used to discreetly and instantaneously record events and copy information in the workplace. Several employment laws are implicated when employers seek to regulate the recording features of personal wearable technology in the workplace.

Restrictions on personal wearable technology in the workplace are subject to Section 7 of the National Labor Relations Act, which prohibits workplace rules and policies that chill discussions among non-management employees about wages, working conditions, work instructions, and the exercise of other concerted activities for mutual aid or protection. NLRB General Counsel Memorandum No. 15-04 contains examples of both overbroad and lawful work rules restricting recording devices in the workplace. These examples are instructive when drafting employment policies restricting personal wearable devices.

Under Section 7, employers may prohibit employees from copying or disclosing confidential or proprietary information about the employer’s business, using wearable technology or otherwise.  Employers may also prohibit employees from taking, distributing, or posting on social media pictures, video, and audio recordings of work areas while on working time, so long as the policy carves an exception for conduct protected by Section 7.  The exception should expressly cite specific examples of permitted recordings, such as “taking pictures of health, safety and/or working condition concerns or of strike, protests and work-related issues and/or other protected concerted activities.”  Existing employment policies restricting personal cell phone and camera use in the workplace should be updated to include restrictions on the use of recording features of wearable technology.

The recording features of personal wearable technology also provide new methods and means for employees to engage in unlawful workplace harassment and other workplace misconduct.  Employers should consider revising their anti-harassment and conduct policies to prohibit the use of wearable technology, including its recording features, in an unlawful manner.  As technology continues to evolve, so too should employment policies, to address the use of such personal devices in the workplace.

Article By Stan Hill of Polsinelli PC

Target to Pay Nearly $40 Million to Settle with Banks over Data Breach; Total Costs Reach $290 Million

A settlement filed Wednesday provides that Target Corp. will pay $39.4 million to the banks and credit unions who brought class action claims against the retailer for alleged losses the financial institutions suffered as a result of Target’s 2013 data breach.  The breach, which impacted as many as 110 million individuals, compromised as many as 40 million credit cards.

This most recent settlement comes on the heels of a $67 million settlement with Visa, and a $10 million settlement with consumers, both earlier this year.  The most recent settlement brings Target’s total costs to a staggering $290 million.  Target expects insurers to reimburse it for only $90 million of that total, and shareholder derivative lawsuits are still pending, as well as regulatory enforcement and investigation actions by the FTC and various state attorneys general.

While financial institution settlements now top $100 million, trade groups representing banks and credit unions have argued that the Target breach actually cost their members more than $200 million.

Many will recall that the Target breach began after an HVAC vendor was hacked, giving cyber criminals access to Target’s backend systems through its vendor interface. While the breadth and scope of Target’s losses are somewhat mind-numbing, this settlement should serve as yet another reminder of why a strong vendor management program, including privacy and data security policies and audits, is especially important in this day and age.

© Polsinelli PC, Polsinelli LLP in California

Three Trending Topics in IoT: Privacy, Security, and Fog Computing

Cisco has estimated that there will be 50 billion Internet of Things (IoT) devices connected to the Internet by the year 2020. IoT has been a buzzword over the past couple of years. However, the buzz surrounding IoT in the year 2015 has IoT enthusiasts particularly excited. This year, IoT has taken center stage at many conferences around the world, including the Consumer Electronics Show (CES 2015), SEMICON 2015, and CEATEC Japan, among others.

1. IoT will Redefine the Expectations of Privacy

Privacy is of utmost concern to consumers and enterprises alike. For consumers, the deployment of IoT devices in their homes and other places where they typically expect privacy will lead to significant privacy concerns. IoT devices in homes are capable of identifying people’s habits that are otherwise unknown to others. For instance, a washing machine can track how frequently someone does laundry, and what laundry settings they prefer. A shower head can track how often someone showers and what temperature settings they prefer. When consumers purchase these devices, they may not be aware that these IoT devices collect and/or monetize this data.

The world’s biggest Web companies, namely, Google, Facebook, LinkedIn, and Yahoo are currently involved in lawsuits where the issues in the lawsuits relate to consent and whether the Web companies have provided an explicit enough picture of what data is being collected and how the data is being used. To share some perspective on the severity of the legal issues relating to online data collection, more than 250 suits have been filed in the U.S. in the past couple of years against companies’ tracking of online activities, compared to just 10 in the year 2010. As IoT devices become more prevalent, legal issues relating to consent and disclosure of how the data is being collected, used, shared or otherwise monetized will certainly arise.

2. Data and Device Security is Paramount to the Viability of an IoT Solution

At the enterprise level, data security is paramount. IoT devices can be sources of network security breaches and, as such, ensuring that IoT devices remain secure is key. When developing and deploying IoT solutions at the enterprise level, enterprises should conduct due diligence to prevent security breaches via the IoT deployment, but also ensure that even if an IoT device is compromised, access to more sensitive data within the network remains protected. Corporations retain confidential data about their customers and are responsible for having adequate safeguards in place to protect the data. Corporations may be liable for deploying IoT solutions that are easily compromised. As we have seen with the countless data breaches over the past couple of years, companies have a lot to lose, financially and otherwise.

3. Immediacy of Access to Data and Fog Computing

For many IoT solutions, timing is everything. Many IoT devices and environments are “latency sensitive,” such that actions need to be taken on the data being collected almost instantaneously. Relying on the “cloud” to process the collected data and generate actions will likely not be a solution for such IoT environments, in which the immediacy of access to data is important. “Fog computing” aims to bring the storage, processing and data intelligence closer to the IoT devices deployed in the physical world to reduce the latency that typically exists with traditional cloud-based solutions. Companies developing large scale IoT solutions should investigate architectures where most of the processing is done at the edge of the network, closer to the physical IoT devices.

The Internet of Things has brought about new challenges and opportunities for technology companies. Privacy, security and immediacy of access to data are three important trends companies must consider going forward.

© 2015 Foley & Lardner LLP

Biometrics: Facebook Files Motion to Dismiss Privacy Suit over Facial Recognition Technology

As discussed in a previous post on facial recognition technology, a putative class action has been filed against Facebook over the collection of “faceprints” for its online photo tagging function, Tag Suggestions. (See e.g., Licata v. Facebook, Inc., No. 2015CH05427 (Ill. Cir. Ct. Cook Cty. filed Apr. 1, 2015) (the case has been transferred to a San Francisco district court, Licata v. Facebook, Inc., No. 15-03748 (N.D. Cal. Consolidated Class Action Complaint filed Aug. 28, 2015)).)

The plaintiffs claim that Facebook’s use of facial recognition technology to scan user-uploaded photos for its Tag Suggestions feature violates Illinois’s Biometric Information Privacy Act (BIPA), 740 ILCS 14/1, and has been used to create, what the plaintiffs allege, is “the world’s largest privately held database of consumer biometrics data.”

Plaintiffs allege that Facebook extracts face geometry data (or faceprints) from user-uploaded photographs and retains such “biometric identifiers” within the meaning of the BIPA. The complaint alleges, among other things, that Facebook collected and stored biometric data without adequate consent.  The complaint seeks an injunction and statutory damages for each violation (note: BIPA provides for $1,000 in statutory damages for each negligent violation, and $5,000 for intentional violations, plus attorney’s fees).

Last week, Facebook filed its motion to dismiss, arguing, among other things, that based on the choice of law provision in its terms of service, California, not Illinois, law should apply (thereby precluding users from bringing a claim under BIPA), and that, regardless, Section 10 of BIPA expressly “excludes both ‘photographs’ and ‘information derived from photographs’ from its reach.”

Those wanting a preview of the plaintiffs’ response to Facebook’s motion should look to a similar privacy action against Shutterfly currently being litigated in Illinois federal court. (See Norberg v. Shutterfly, Inc., No. 15-05351 (N.D. Ill. filed June 17, 2015)). There, the plaintiff brought claims under BIPA against the photo storage service Shutterfly for allegedly collecting faceprints from user-uploaded photos for a tag suggestion feature without express written consent and “without consideration for whether a particular face belongs to a Shutterfly user or unwitting nonuser.” In its motion to dismiss, Shutterfly, like Facebook, argued that scans of face geometry derived from uploaded photographs are not “biometric identifiers” under BIPA because the statute excludes information derived from photographs.

In his rebuttal, the plaintiff Norberg claimed that if the intermediation of a photograph before processing face geometry excluded such data from the definition of a biometric identifier, then the statute would be meaningless:

“Defendants’ interpretation of the BIPA as inapplicable to face scans of photographs is contrary to the very nature of biometric technology and thus would undermine the statute’s core purpose. A photograph of a face is exactly what is scanned to map out the unique geometric patterns that establish an individual’s identity. Taken to its logical conclusion, Defendants’ argument would exclude all the biometric identifiers from the definition of biometric identifiers, because they are all based on the initial capture of a photograph or recording.”

We will be watching both disputes closely – if the suits are not dismissed on procedural or contractual grounds, this will be the first time a court will have the opportunity to interpret the contours of the Illinois biometric privacy statute with respect to facial recognition technology.

© 2015 Proskauer Rose LLP.