Photo of Eric Bosset

An Illinois state appellate court recently issued a ruling that could reduce defendants’ litigation exposure on certain types of Biometric Information Privacy Act (“BIPA”) claims.  On September 17, the panel clarified in Tims v. Black Horse Carriers, Inc., 2021 IL App (1st) 200563 (1st Dist. Sept. 17, 2021), that the statutes of limitation applicable to BIPA claims vary depending on the nature of the claim.  Claims for failing to provide a written retention policy, give notice, or obtain consent prior to collecting an individual’s biometric information may be brought within five years.  But claims for violating BIPA’s selling, disclosing, or disseminating information provisions must be brought within one year.

Continue Reading Illinois Court Splits Time on BIPA Statute of Limitations

In one of the first decisions evaluating Telephone Consumer Protection Act (TCPA) claims under the FCC’s recent omnibus TCPA order, the Northern District of California dismissed a putative class action lawsuit alleging that AOL violated the TCPA when users of its Instant Messenger service (AIM) sent text messages to incorrect recipients.  After the court dismissed

By Eric Bosset

Judge Phyllis Hamilton of the U.S. District Court for the Northern District of California recently permitted a lawsuit arising out of a major data security breach suffered by social-media application developer RockYou to survive a motion to dismiss in part, based on the theory that plaintiff had  stated a “generalized injury” sufficient to maintain Article III standing—at least at the initial pleading stage—because the breach of plaintiff’s personally identifiable information (“PII”) allegedly caused loss of an “ascertainable but unidentified ‘value’ and/or property right inherent in [plaintiff’s] PII.”  Although this decision trends away from a recent dismissal [PDF] of a privacy suit by the U.S. District Court for the Central District of California on standing grounds, based on failure by that plaintiff to allege that the defendant caused any “actual or imminent harm,” it is a narrow ruling, the primary impact of which was to shift on these facts the timing of application of the operative standing test from the pleadings stage to the summary judgment stage.

Recognizing that the plaintiff was advancing a novel theory of damages for which supporting case law is scarce and that there is no clearly established law regarding the sufficiency of allegations of injury in the context of the disclosure of online personal information, the RockYou Court declined to hold as a matter of law that plaintiff had failed to allege an injury in fact sufficient to support Article III standing.  (Under Lujan, Article  III  standing requires “injury in fact” that is “concrete and particularized”).  Notably, though, the Court also stated that it would dismiss plaintiff’s claims for lack of standing should it become apparent, after discovery, “that no basis exists upon which plaintiff could legally demonstrate tangible harm via the unauthorized disclosure of PII” (emphasis added).  The Court also rejected as a matter of law the characterization of PII disclosure as “lost money or property” and noted its doubts about plaintiff’s ultimate ability to prove the damages alleged in the complaint.  Additionally, the Court dismissed with prejudice several of the causes of action asserted, based on plaintiff’s failure to allege the more particularized elements of injury required for these claims—including a claim under California’s Unfair Competition Law (Cal. Bus. & Prof. Code §§ 17200 et seq.), which requires a plaintiff to prove that a violation caused loss of money or property.


Continue Reading For Now, RockYou Court Finds Standing Based on PII Disclosure