On February 4, 2021, the Eleventh Circuit affirmed the dismissal of a customer’s proposed class action lawsuit against a Florida-based fast-food chain, PDQ, over a data breach. The three-judge panel rejected the argument that an increased risk of identity theft was a concrete injury sufficient to confer Article III standing, deepening a circuit split on this issue. … Continue Reading
As the D.C. District Court in Wengui v. Clark Hill recently commented, “[m]alicious cyberattacks have unfortunately become a routine part of our modern digital world. So have the lawsuits that follow them….” The court’s decision in that case has added another data point to developing jurisprudence of the cyberattack landscape, specifically concerning the discoverability of post-breach … Continue Reading
Qualifying businesses have another year to complying with certain, major provisions of the CCPA. The CCPA, or the California Consumer Privacy Act of 2018, is a California law that gives California consumers, defined broadly to encompass all California residents, certain rights with respect to their personal information. Namely, it gives consumers the right to know … Continue Reading
On June 1, 2020, the California Attorney General’s office released the third and final set of CCPA proposed regulations (available here). Below, we provide information about the final proposed regulations and enforcement actions.… Continue Reading
The CJEU (the European Union Court of Justice) has handed down a decision which makes clear that general and indiscriminate retention of electronic communications is unlawful. National legislation of each European Member State should ensure that mass surveillance only occurs where it is strictly necessary in order to combat serious crime as well as terrorism … Continue Reading
LabMD’s lack of data security measures resulted in the FTC Commission overturning an Administrative Law Judge (“ALJ”) decision that previously dismissed charges against the company in November. LabMD performed laboratory medical testing for over 750,000 patients since 2001, before going out of business in 2014, partly due to fighting this case. The FTC brought the … Continue Reading
On May 16, 2016, the Supreme Court decided Spokeo, Inc. v. Robins, ruling that a plaintiff must sufficiently allege an injury that is both concrete and particularized in order to have Article III standing, and further that a “bare procedural violation” of a plaintiff’s statutory right may not be sufficiently “concrete” under this analysis. This ruling … Continue Reading
Co-authored by Geoffrey Roche On March 10, 2016, the French data protection agency (« CNIL ») pronounced a €100.000 ($111,715) fine against Google Inc. for failure to comply with its formal injunction of May, 2015 ordering the company to extend delisting to all the search engine’s extensions.… Continue Reading
In a move that may strike fear into the hearts of mobile phone owners everywhere, the Sixth Circuit recently ruled that a person’s “pocket dials” – those inadvertent calls made from a person’s mobile phone, generally when the phone is in its owner’s pocket, and alternatively referred to as “butt dials” – may not be … Continue Reading
Finding that the Plaintiffs lacked Article III standing to pursue their case, Google, Inc. (“Google”) won dismissal of the Android users’ putative class action lawsuit after more than three years of litigation. In re Google Inc. Privacy Policy Litigation, No. 12-01382 (N.D. CA July 15, 2015). The Android users had claimed that Google violated its … Continue Reading
In City of Los Angeles v. Patel, the Supreme Court invalidated a Los Angeles law that allowed law enforcement officials to inspect hotel and motel guest registries at any time, without a warrant or administrative subpoena. The Court ruled that the law violated hotel owners’ Fourth Amendment rights because it “penalizes them for declining to … Continue Reading
A few months after the European Court of Justice ruled on May 13, 2014 that search engines are considered personal data controllers under the EU Data Protection Directive of 1995 and, as such, should provide data subjects with a right to be forgotten, a French Tribunal enforced this principle in X & Y v. Google … Continue Reading
On July 23, 2014, the Massachusetts Attorney General announced a consent judgment with an out-of-state Rhode Island hospital, Women & Infants Hospital of Rhode Island (“WIH” or the “Hospital”), resolving a lawsuit against WIH for violations of federal and state information security and privacy laws involving the loss of over 12,000 Massachusetts residents’ sensitive patient … Continue Reading
After a decision denying class certification last week, claims by Hulu users that their personal information was improperly disclosed to Facebook are limited to the individual named plaintiffs (at least for now, as the decision was without prejudice). The plaintiffs alleged Hulu violated the federal Video Privacy Protection Act by configuring its website to include a … Continue Reading
On June 20, 2013, the California Court of Appeal affirmed the dismissal of a putative class action which alleged that Chevron violated California’s Song-Beverly Credit Card Act (“Song-Beverly”) by requiring California customers to enter ZIP codes in pay-at-the-pump gas station transactions in locations with a high risk of fraud. Flores v. Chevron U.S.A. Inc., No. … Continue Reading
In January 2011, David Cheng (Plaintiff) filed a lawsuit against his former co-worker and fellow radiologist, Laura Romo (Defendant), alleging a violation of the Stored Communications Act (SCA) and Massachusetts privacy law. After the U.S District Court of Massachusetts denied Defendant’s motion for summary judgment on both counts, the case went to trial and the … Continue Reading
The French, Italian, British, German, Spanish and Dutch Data Protection Authorities announced on April 2, 2013 that each will launch investigations and enforcement actions against Google on the grounds that its privacy policy is not compliant with the European Directive on Data Protection, available at http://eur-lex.europa.eu/en/index.htm, (the “Directive”).… Continue Reading
On January 17, 2013, U.S. Department of Health and Human Services Secretary Kathleen Sebelius announced the final omnibus rule that among other things (1) increases patient privacy protections; (2) provides individuals with new rights to receive a copy of their electronic medical record in an electronic form; and (3) provides individuals with the right to … Continue Reading
The U.S. Supreme Court heard arguments last month in Clapper v. Amnesty International, a case that asks the Court to determine whether a group of lawyers, journalists, and human rights workers have standing to challenge the federal government’s international electronic surveillance program under the Foreign Intelligence Surveillance Act. The plaintiffs alleged Fourth Amendment privacy violations among … Continue Reading
