Class Actions

Liquor Store Chain Binny’s Is Latest Target of BIPA

  • In a putative class action complaint filed in Cook County Circuit Court, employees of Illinois liquor store chain Binny’s Beverage Depot alleged the company violates Illinois’ Biometric Information Privacy Act.
  • Among Binny’s alleged BIPA violations are failing to obtain consent before using employees’ fingerprints for timekeeping purposes, failing to obtain consent before disseminating such biometric data to third parties and failing to maintain lawful data-retention practices.

Third Time Not the Charm for Uber Drivers’ Data Breach Suit

  • The U.S. District Court for the Northern District of California granted Uber’s motion to dismiss the putative class action complaint of former Uber drivers whose personal information was obtained by an unknown individual in 2014.
  • According to the order, “[t]he plaintiffs do not allege a disclosure about their personally identifiable information that plausibly suggests an immediate, credible risk of harm.”
  • After having given the plaintiffs two prior chances to amend their complaint, the court this time dismissed the complaint without leave to amend, stating “[t]he issues have been the same in the three motions to dismiss. The court gave leave to amend, and the plaintiffs did not cure the complaint’s deficiencies to plausibly allege an immediate, credible risk of fraud or ID theft.”

Data Breaches

Fuel Card and Workforce Payment Provider Announces Data Breach

  • FLEETCOR Technologies Inc., a company that provides fuel card and workforce payment solutions, announced a data breach that involved a “significant number” of gift cards that are at least six months old, as well as PINs for those cards.
  • According to the company’s statement announcing its first-quarter financials, the company “did not see any evidence of access to its systems involving fleet cards and other payment products, or to the proprietary and third-party payment networks used to deliver the Company’s payment solutions,” and the data involved did not include any personal information such as names, or Social Security or driver’s license numbers.

EU/GDPR

EU Privacy Regulators Not Ready for GDPR

  • According to a survey issued by Reuters, 17 of 24 European data privacy regulators are not ready for the General Data Protection Regulation (GDPR), which comes into force on May 25.
  • Isabelle Falque-Pierrotin, president of France’s Commission Nationale de l’Informatique et des Libertés (CNIL), stated that her office “realized that our resources were insufficient to cope with the new missions given by the GDPR.”
  • Other regulators agreed that they did not have the necessary funding, or otherwise lacked the power, to enforce GDPR.

Italy Follows UK and Spain, Fines WhatsApp for Sharing Data with Facebook

  • Following action by privacy regulators in the U.K. and Spain, the Italian Competition and Markets Authority (AGCM) fined WhatsApp €3M for requiring users to agree to share their data with Facebook.
  • The AGCM also announced that other elements of WhatsApp’s terms of use were unfair, including allowing only WhatsApp to terminate the agreement and permitting unexplained service interruptions.

States

California Closer to Passing Data Privacy Measure

  • A group known as Californians for Consumer Privacy announced that it had collected enough signatures to place a data privacy initiative on November’s ballot.
  • The bill would require companies to inform users as to what types of personal information they collect and whether they have sold that information, and would allow consumers to sue companies for data breaches, even if consumers cannot prove any harm.
  • Opponents of the measure allege that it would apply different standards for companies in California, and have argued that “[i]t is unworkable, requiring the internet and businesses in California to operate differently than the rest of the world – limiting our choices, hurting our businesses, and cutting our connection to the global economy.”

New Jersey Attorney General Establishes Data Privacy Unit and Settles With Chinese App Developer

  • New Jersey Attorney General Gurbir S. Grewal announced the creation of a new unit in his office to combat “growing threats to the online privacy of New Jersey’s residents.”
  • The new Data Privacy & Cybersecurity (DPC) Section will be housed in the existing Division of Law’s Affirmative Civil Enforcement Practice Group and will be charged with enforcing laws that protect New Jersey residents’ data privacy and cybersecurity by bringing affirmative civil actions against violators.
  • According to AG Grewal, the new “unit will be tasked with making sure that we’re looking out for the interests of New Jersey’s residents whenever there’s a major data breach or improper use of customers’ online information.”
  • Although it did not involve the new DPC section, AG Grewal’s office already has been active in data privacy matters, most recently settling with Chinese app developer Meitu Inc. and its U.S. subsidiary Xiamen Meitu Technology Co. Ltd. for failing to notify parents and obtain their consent before collecting personal information from children under the age of 13 who downloaded its apps.
  • The app developer agreed to pay the AG’s office $100,000 and to change its business practices, including obtaining parental consent and providing notice of what information it collects from children, how it uses such information, and its disclosure practices surrounding that information.