December 2020: Privacy Litigation Update

The fourth quarter of 2020 has seen a significant amount of litigation activity, with a diverse set of claims and postures. Nixon Peabody's Data Privacy and Cybersecurity Group is tracking these developments closely.

Apple Appeals Photos Ruling in Illinois

Apple Inc. is appealing a November 12, 2020, district court decision that allowed a consumer claim to proceed in connection with biometric data collected through the company's Photos app. The original class action suit contained three claims, all grounded in Illinois's Biometric Information Privacy Act (BIPA). The claims allege violations of BIPA's: (1) requirement for a data retention and deletion policy, (2) prohibition on profiting from a person's biometric data, and (3) consent requirement for the collection of biometric data.

The November 12, 2020, ruling, now being appealed by Apple, allowed only Claim 3 to proceed in federal court. The district court ruled that the plaintiffs lacked standing in federal court for Claims 1 and 2, which may proceed in state court.

In passing BIPA, Illinois was one of the first states to enact a law protecting biometric data. BIPA allows a private right of action with statutory fines of up to $1,000 (for each negligent violation) and $5,000 (for each reckless or intentional violation), plus attorneys' fees. In 2019, the Illinois Supreme Court ruled in Rosenbach v. Six Flags Entertainment Corp. that BIPA claimants do not need to allege actual harm to receive statutory damages.

States Settle with Home Depot Over Data Breach

Home Depot has agreed to a $17.5 million settlement with state attorneys general around the country over a data breach. The 2014 data breach exposed more than 40 million consumers' credit card numbers. The breach was ultimately traced back to malware that was placed in the company's point-of-sale system. California and Texas will collect $1.8 million and $1.78 million from the settlement, respectively.

Home Depot did not admit liability in the settlement, which requires Home Depot to upgrade security procedures, employ training, and hire a chief information security officer. The settlement is in addition to the $198 million Home Depot recorded in expenses due to the breach, including other resolved litigation with customers, banks, and credit card issuers.