As application of the European Union’s (EU’s) General Data Protection Regulation (GDPR)1 quickly approaches, the enforcement authority of the European data protection authorities (DPAs) is rightfully on everyone’s mind. The power to issue monetary fines against non-compliant entities of up to four percent of the entity’s past year worldwide turnover is one of the GDPR’s most striking provisions.2 But the GDPR also includes a provision that may prove to be equally important: giving individuals the right to bring collective legal action against non-compliant entities. If these collective actions become common, understanding by whom, under what grounds, and where these suits may be brought will be critical in assessing the importance of compliance and the benefits and risks of launching European data initiatives.

On December 21, 2017, the Illinois Second District Appellate Court dealt a significant blow to the recent wave of Illinois Biometric Information Privacy Act (BIPA) class actions, holding in Rosenbach v. Six Flags Entertainment Corp. that plaintiffs alleging mere procedural violations of BIPA, without “any injury or adverse effect,” are not “aggrieved” persons entitled to any relief—monetary or otherwise—under the statute.1

BIPA prohibits companies from collecting biometric information from individuals without notice and written consent.2 The Illinois legislature passed BIPA in 2008 in response to the growing use of biometric technology in the business and security screening sectors in Illinois.3 Specifically, lawmakers were concerned about companies like Pay By Touch—which, in the early 2000s, brought biometric authentication to payment systems—going bankrupt and, consequently, putting consumers’ sensitive personal information at risk.4 To that end, BIPA contains a private right of action that allows any person “aggrieved” by a violation of the act to bring a claim against the offending party for $1,000 or actual damages per negligent violation, and $5,000 or actual damages per intentional or reckless violation.5 Critically, the statute does not define “aggrieved” persons, which proved to have a decisive impact on the Rosenbach court’s ruling.

On February 5, 2018, the Federal Trade Commission (FTC) announced its most recent Children’s Online Privacy Protection Act (COPPA) case against Explore Talent, an online talent agency marketed to aspiring actors and models.1

According to the FTC’s complaint, the company provided a free platform for users to find information about auditions, casting calls, and other opportunities. Users could sign up for accounts and create publicly available, searchable profiles that included personal information such as names, email addresses, telephone numbers, and mailing addresses. The company’s privacy policy stated that it did not knowingly collect personal information from children under age 13 and that accounts for users under 13 had to be created by a legal guardian. In practice, however, users selected their “age range” during registration, which included options of 0-5 and 6-12 years old. On a later registration screen, the company specifically asked for users’ birthdates.

In early January 2018, U.S. Customs and Border Protection (CBP) announced an updated policy for searching electronic devices at U.S. borders. The new directive supersedes a previous directive that was released in August 2009.

Under the policy, CBP agents—with or without suspicion—may conduct a “basic search” of electronic devices encountered at the border, including smartphones and tablets, by examining such devices and analyzing information visible on them. In contrast, CBP agents need to have “reasonable suspicion” or a “national security concern” to carry out an “advanced search,” that is, any search in which an agent connects external equipment, through a wired or wireless connection, to an electronic device in order to review, copy, or analyze its contents.

In yet another round of Schrems versus Facebook, on January 25, 2018, the Court of Justice of the European Union (CJEU) ruled that privacy activist Max Schrems is a consumer with regard to his Facebook