SAN FRANCISCO — With the May 8 filing of a putative class complaint in California federal court by a group of minors, social network app company TikTok Inc. has been sued in three lawsuits for violating the Illinois Biometric Information Privacy Act (BIPA) for the surreptitious collection and retention of users’ biometric identifiers without consent or notice (P.S., et al. v. TikTok Inc., et al., No. 3:20-cv-02992, N.D. Calif., E.R., et al. v. TikTok Inc., et al., No. 1:20-cv-02810, N.D. Ill.; D.M., et al. v. TikTok Inc., et al., No. 3:20-cv-03185, N.D. Calif.).
ALEXANDRIA, Va. — On May 6, Capital One Financial Corp. filed its opposition to a motion to compel production of a report by a cybersecurity firm after the credit card company’s 2019 data breach, telling a Virginia federal court that the report constitutes protected work product because it was prepared to assist Capital One’s counsel in defending against the present litigation brought by consumers over the exposure of their data in the breach (In re Capital One Customer Data Security Breach Litigation, No. 1:19-md-02915, E.D. Va.).
WAUKEGAN, Ill. — The sheriff of Lake County, Ill., filed a declaratory complaint against the county’s health department on April 28, asking an Illinois state court to find that law enforcement and emergency response personnel are entitled to the names and addresses of residents that have tested positive for COVID-19, arguing that state and federal law support the release of such private personal data during a public health emergency (John Idleburg v. Mark Pfister, et al., No. 20MR0000269, Ill. Cir., Lake Co.).
ERIE, Pa. — A nine-year old privacy lawsuit over a rent-to-own (RTO) dealer’s surreptitious installation of spyware on customers’ computers came to an end May 5, when a Pennsylvania federal judge approved and signed a stipulation of dismissal the same day it was filed by the plaintiffs (Crystal Byrd, et al. v. Aaron’s Inc., et al., No. 1:11-cv-00101, W.D. Pa.).
CHICAGO — Putative class claims for violations of the Illinois Biometric Information Privacy Act (BIPA) via vending machines’ collection of users’ fingerprints sufficiently allege concrete and particularized invasions of personal rights to establish federal jurisdiction under Article III of the U.S. Constitution, a Seventh Circuit U.S. Court of Appeals panel ruled May 5, reversing a trial court’s grant of the plaintiff’s motion to remand to state court (Christine Bryant v. Compass Group USA Inc., No. 20-1443, 7th Cir., 2020 U.S. App. LEXIS 14256).
CHICAGO — An Illinois judge on May 1 declined to require a state health department to provide a list of residents infected with COVID-19 to an emergency dispatch company, denying the plaintiff’s motion for a temporary restraining order (TRO) or preliminary injunction compelling disclosure due to a failure to establish a right to the information sought and out of a concern for citizens’ privacy rights (Northwest Central Dispatch System v. Cook County Department of Public Health, et al., No. 2020 CH 03914, Ill. Cir., Chanc. Div., Cook Co.).
CHICAGO — The lead plaintiffs in a class action over a 2013 cybersecurity incident experienced by The Neiman Marcus Group LLC moved for final approval of a $1.6 million settlement with the retailer on May 2, asking an Illinois federal judge to deem the agreement “fair, reasonable, and adequate” as she did six months earlier in a preliminary approval ruling (Hilary Remijas, et al. v. The Neiman Marcus Group, LLC, No. 1:14-cv-01735, N.D. Ill.).
ATLANTA — Nine months after the 11th Circuit U.S. Court of Appeals reversed and remanded a previous attorney fees award connected with Home Depot Inc.’s settlement with a group of financial institutions (FIs) of a class action over a 2014 data breach, the retailer filed an appellant brief on April 27, telling the appeals court that the trial court inappropriately used the percentage methodology in calculating the revised fees award (Northeastern Engineers Federal Credit Union, et al. v. The Home Depot Inc., et al., No. 20-10667, 11th Cir.).
SAN JOSE, Calif. — One day after the plaintiffs in eight putative class actions against Zoom Video Communications Inc. stipulated that their complaints should be related, a California federal judge on April 24 granted their administrative motion, relating the suits, which all similarly allege that the maker of the popular teleconferencing platform violated privacy and consumer laws by sharing users’ personal details with third parties (Robert Cullen v. Zoom Video Communications Inc., 5:20-cv-02155, N.D. Calif.).
WASHINGTON, D.C. — In its April 27 order list, the U.S. Supreme Court denied without comment the petition for certiorari by Electronic Privacy Information Center (EPIC), in which the civil liberties organization sought clarification of standing to challenge a government agency’s compliance with statutory disclosure requirements, specifically related to privacy impact assessments (PIAs) for a now-scrapped censorship question on the 2020 U.S. Census (Electronic Privacy Information Center v. Department of Commerce, et al., No. 19-777, U.S. Sup.; 2020 U.S. LEXIS 2421).
WASHINGTON, D.C. — Nine months after the Federal Trade Commission sought approval of a $5 billion settlement with Facebook Inc. of the social network’s failure to comply with a 2012 settlement of privacy violations, a District of Columbia federal judge on April 23 granted his approval, deeming the new settlement to be fair and in the public interest, while decrying Facebook’s “stunning” violations of the law and the previous agreement (United States v. Facebook Inc., No. 1:19-cv-02184, D. D.C., 2020 U.S. Dist. LEXIS 72162).
DENVER — Finding that the Drug Enforcement Administration sufficiently established that several years’ worth of patient prescription data it seeks via subpoenas has a reasonable relevance to an investigation over the distribution of controlled substances, a Colorado federal judge on April 21 granted the agency’s request to enforce compliance with the subpoenas by the Colorado Board of Pharmacy, which raised privacy concerns (U.S. Department of Justice, Drug Enforcement Administration v. Colorado Board of Pharmacy, et al., No. 1:19-cv-00105, D. Colo., 2020 U.S. Dist. LEXIS 69726).
CHICAGO — A Florida woman who says that she was one of the pharmacy customers whose data was exposed by a breach of Walgreen Co.’s website filed a putative class complaint against the drugstore chain on April 21 in Illinois federal court, alleging negligence and invasion of privacy (Laura Hernandez v. Walgreen Co., No. 1:20-cv-02434, N.D. Ill.).
SAN DIEGO — Epic Games Inc. was hit with a class complaint in California federal court on April 17 by a user of its Houseparty app who claims negligence and privacy violations related to the purported sharing of her personally identifiable information (PII) with third parties, notably Facebook Inc., without her consent (Heather Sweeney v. Life On Air Inc., et al., No. 3:20-cv-00742, S.D. Calif.).
SAN FRANCISCO — On the date that a preliminary settlement approval motion was due in a class action alleging biometric collection violations by Facebook Inc., the plaintiffs instead on April 17, filed a status report in California federal court reporting that the parties had experienced delays due, in part, to the novel coronavirus pandemic (In re Facebook Biometric Information Privacy Litigation, No. 3:15-cv-03747, N.D. Calif.).
PEORIA, Ill. — In an April 20 ruling, an Illinois federal judge partly granted Hy-Vee Inc.’s motion to dismiss a putative class action over a data breach it experienced, dismissing breach of contract and unjust enrichment claims as inadequately pleaded and some negligence claims as barred by state law (Noreen Perdue, et al. v. Hy-Vee Inc., No. 1:19-cv-01330, C.D. Ill., 2020 U.S. Dist. LEXIS 68607).
OAKLAND, Calif. — In a case that she said “underscores the tension between the First Amendment and national security,” a California federal judge on April 17 reversed a three-year old ruling in favor of Twitter Inc., holding that subsequent declarations from Federal Bureau of Investigation personnel demonstrated that information the social network sought to publicly disclose about its mandated compliance with government surveillance requests was classified (Twitter Inc. v. William P. Barr, et al., No. 4:14-cv-04480, N.D. Calif.).
WASHINGTON, D.C. — The U.S. Supreme Court on April 20 declined review of a Ninth Circuit U.S. Court of Appeals panel’s ruling upholding the dismissal of claims brought by two business owners and several businesses they owned stemming from the Financial Industry Regulatory Authority’s (FINRA) seizure of materials and information during a raid of one of the businesses (John Hurry, et al. v. Financial Industry Regulatory Authority Inc., et al., No. 19-643, U.S. Sup.).
PHILADELPHIA — In a “narrow” precedential opinion, a Third Circuit U.S. Court of Appeals panel on April 16 affirmed the dismissal of a Pennsylvania State University employee’s Stored Communications Act (SCA) lawsuit over the production of her emails to law enforcement without a valid subpoena, clarifying that if the university’s production had been induced, rather than voluntary, there may have been liability under the statute (Carol Lee Walker v. Senior Deputy Brian T. Coffey, et al., No. 19-1067, 3rd Cir., 2020 U.S. App. LEXIS 12063).
SAN JOSE, Calif. — The plaintiffs suing Google LLC for privacy violations related to the purported tracking of their devices without consent were denied a bid for interlocutory appeal of a December dismissal order on April 15, with a California federal judge finding that they presented no controlling questions of law that would merit the rarely granted form of relief (In re Google Location History Litigation, No. 5:18-cv-05062, N.D. Calif.).