Data Privacy Violations Are Expensive: Key Updates

by John DiGiacomo, Partner, Internet Law

We here at Revision Legal have written extensively about the need for businesses to protect consumer privacy with respect to data. Businesses are required to keep private consumer data secure from hacking and cybercriminal activity, and they must avoid collecting and misusing consumer data in violation of privacy laws and regulations. Some recent news with respect to settlements of class action lawsuits illustrates the point.

First, as reported here, Facebook — now called Meta — has agreed to pay $90 million to settle a class action lawsuit filed nearly 10 years ago alleging that Facebook marketed a browser plug-in that allowed Facebook to track consumers online even after consumers logged off from the Facebook website. As reported, Facebook properly obtained user consent to track users’ visits to third-party sites while logged into Facebook. However, Facebook’s Terms of Service indicated that tracking would cease when a user logged off. But, as alleged in the lawsuit, Facebook continued to collect user online usage data even after log-out.

Facebook was also charged with violating the federal Wiretap Act which prohibits individuals and businesses from intercepting communications between others without consent. Federal courts had previously ruled that Facebook was not a party to the communications and, thus, was required to have consent from its users to track internet use data.

As part of the settlement, Facebook has also agreed to segregate and delete the data that was unlawfully collected.

Second, as reported here, last year, Facebook agreed to pay $650 million to settle a class action case involving Facebook’s use of biometric data in violation of the Illinois Biometric Information Privacy Act (“BIPA”). The class action alleged that Facebook used facial recognition and other software to collect and harvest consumer biometric data — such as facial geometry and fingerprints — without consent and without disclosing the use of the data. Facebook also allegedly used similar technology to scan uploaded photos to harvest facial prints of non-users in violation of the BIPA.

As can be seen, Facebook’s violation of consumer privacy and unlawful data collection practices have been very expensive. It should be noted that Facebook continues to face lawsuits and actions from State governments with respect to these and other privacy violations.

In other news, as reported here, the Illinois Supreme Court has held that violations of the BIPA are NOT covered by Illinois workers’ compensation laws. Many employers have been sued under the BIPA for collecting biometric data like fingerprints without proper consents and disclosures. The employers argued that workers could not sue directly because such claims were preempted by the Illinois workers’ compensation regime. The Illinois Supreme Court rejected the argument. The court held that an invasion of a worker’s privacy was a distinct and different kind of injury than the physical and psychological injuries that are covered by workers’ compensation.

If you have legal questions about consumer privacy, data security or other legal issues related to internet law, contact the trusted internet lawyers at Revision Legal at 231-714-0100.

The Illinois Biometric Information Privacy Act: Ongoing Enforcement

The Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14/1 et seq., has become one of the most potent and extensively litigated privacy statutes in the United States. BIPA requires private entities that collect biometric data—defined to include retina scans, fingerprints, voiceprints, scans of hand or face geometry, and other unique biological identifiers—to obtain written informed consent, disclose the purpose and duration of collection, establish a retention and destruction schedule, and refrain from selling or profiting from biometric data.

The statute’s private right of action, combined with its per-violation liquidated damages structure—$1,000 per negligent violation and $5,000 per intentional or reckless violation, plus attorney’s fees—has generated an enormous volume of class action litigation. In February 2023, the Illinois Supreme Court ruled in Cothron v. White Castle System, Inc., 2023 IL 128004, that a separate claim accrues under BIPA each time a covered entity scans or transmits an individual’s biometric data without compliant authorization, rather than once per plaintiff. This ruling substantially expands potential damages exposure, particularly for employers who scan employee fingerprints or facial geometry repeatedly.

Federal Privacy Law: What Congress Has and Has Not Done

Unlike the European Union’s GDPR—a comprehensive federal privacy law—the United States lacks a general federal consumer privacy statute. Multiple federal privacy bills have been introduced in Congress, including the American Data Privacy and Protection Act (ADPPA), which passed the House Commerce Committee in 2022 with significant bipartisan support but has not yet reached a floor vote. The absence of a comprehensive federal privacy law means that U.S. privacy compliance is primarily governed by a patchwork of federal sector-specific laws and increasingly aggressive state privacy statutes.

Sector-specific federal privacy laws include: HIPAA and the HITECH Act (health information); the Gramm-Leach-Bliley Act (financial information); the Children’s Online Privacy Protection Act, 15 U.S.C. §§ 6501-6506 (children’s online data); the Video Privacy Protection Act, 18 U.S.C. § 2710 (video viewing history); and the Cable Communications Policy Act, 47 U.S.C. § 551 (cable subscriber data). The FTC has also exercised broad authority under Section 5 of the FTC Act, 15 U.S.C. § 45, to pursue unfair or deceptive privacy practices.

State Privacy Laws: The Growing Landscape

In the absence of comprehensive federal privacy legislation, states have stepped into the gap. California led the way with the CCPA (2018) and CPRA (2020). As of 2024, comprehensive state privacy laws are in effect in approximately 20 states, including Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Iowa (ICDPA), and Texas (TDPSA), among others. Each of these statutes grants consumers rights to access, correct, delete, and opt out of the sale or targeted advertising use of their personal data.

For businesses operating nationally, the proliferation of state privacy laws creates substantial compliance complexity. The laws differ in their scope (whether they cover employees and B2B contacts in addition to consumers), their thresholds (how many consumers must be affected before the law applies), their opt-in vs. opt-out structures for sensitive data, their private right of action provisions (only California and a handful of others allow private suits), and their enforcement mechanisms. A multi-state privacy compliance program must be designed to satisfy the most stringent requirements in each state where the business operates.

The FTC’s Expanding Privacy Enforcement Authority

The Federal Trade Commission has significantly expanded its use of Section 5 of the FTC Act to police privacy violations. In 2023, the FTC issued a proposed rule on commercial surveillance and data security that, if finalized, would impose comprehensive requirements on businesses that collect, use, or share consumer data. The agency has also pursued aggressive enforcement actions against technology companies under existing authority, imposing record fines: $5 billion against Facebook (2019), $500 million against Google (2019), and $150 million against Twitter (2022) for privacy violations.

The FTC’s Health Breach Notification Rule, 16 C.F.R. Part 318, was expanded in 2023 to cover a broader range of health apps and connected device services. Companies that collect health information through apps, wearables, or online services must assess their obligations under this rule, which requires notification to consumers, the FTC, and in some cases media when a breach of unsecured health information occurs.

Building a Privacy Compliance Program That Reduces Liability

The scale of privacy violation settlements—Facebook’s $650 million BIPA settlement, its $90 million browser tracking settlement, and the continued stream of class action filings—underscores the financial consequences of privacy non-compliance. A proactive privacy compliance program reduces exposure by: conducting a data inventory to identify what personal and sensitive data is collected; implementing data minimization practices to collect only what is necessary; obtaining compliant consents; establishing retention and deletion policies; training employees on privacy obligations; and conducting regular assessments of third-party data processors.

Revision Legal’s internet law attorneys assist businesses in assessing their privacy compliance obligations, drafting privacy policies and data processing agreements, responding to regulatory inquiries, and defending against privacy class actions. Contact us today to discuss your privacy compliance needs.
