Auto DialerSCOTUS Narrows Scope of TCPA to Only Systems that Use Random Number Generators

SCOTUS Narrows Scope of TCPA to Only Systems that Use Random Number Generators

In a long-awaited decision, on April 1, 2021, the Supreme Court of the United States released its opinion in Facebook v. Duguid et al., and unanimously adopted a narrow interpretation of the term “automatic telephone dialing system” or ATDS under the Telephone Consumer Protection Act (“TCPA”).  Hundreds of TCPA class action complaints are filed every year against defendants in all industries leveraging text message or calling consumers.  One of the central legal questions addressed in these litigations is whether the text messaging systems used to contact consumers are ATDS such that TCPA liability can stand. Specifically, if these databases are used to store, but not generate, numbers, can they constitute an ATDS?  The Supreme Court’s opinion answers this question in the negative, and provides necessary clarity to the ATDS definition, and its narrow holding is expected to benefit TCPA defendants nationwide.  

The Allegations in Facebook v. Duguid et al.

In Duguid, Plaintiff Noah Duguid alleges he received several text messages from Facebook alerting him that someone had attempted to access a Facebook account associated with his number from an unknown browser.  Duguid alleged that he did not have a Facebook account and never provided Facebook his telephone number.  As a result, Duguid asserted that Facebook violated the TCPA by maintaining a database that stored phone numbers and programing its equipment to send out automated text messages to those numbers each time the associated account was accessed by an unrecognized device or web browser.

Facebook argued that the database in which it stored telephone numbers was not an ATDS such that TCPA liability could be established, and the Supreme Court agreed.  As defined by the TCPA, an “automatic telephone dialing system” is a piece of equipment with the capacity both “to store or produce telephone numbers to be called, using a random or sequential number generator,” and to dial those numbers.  Based on Duguid’s allegations, at issue was whether that definition encompassed equipment that can “store” and dial telephone numbers, even if the device does not “us[e] a random or sequential number generator.”  The Supreme Court of the United States held that because Facebook’s database system did not involve a random or sequential number generator but simply stored numbers, the text messages sent from the system did not violate the TCPA.

What Now?

The Supreme Court’s holding has the potential to greatly limit the number and scope of putative TCPA class actions in the future as it eliminates from the definition of ATDS those systems which do not use a random or sequential number generator, but simply store numbers. 

Despite this added clarity, TCPA litigation remains complex.  Being proactive and building robust and scalable policies into the foundation of your organization will help mitigate legal risk. The Beckage TCPA team has handled numerous class actions litigations in this space and can help your business navigate this complex area of the law.

*Attorney Advertising: Prior results do not guarantee a similar outcome.

Subscribe to our newsletter.

FingerprintBiometric Litigation Continues To Rise As Businesses Work To Minimize Risk

Biometric Litigation Continues To Rise As Businesses Work To Minimize Risk

In 2008, Illinois enacted the Illinois Biometric Information Privacy Act (“BIPA”) with the purpose of recognizing a person’s privacy right to their “biometric information” and “biometric identifiers”.  BIPA was enacted in response to the growing use of biometrics by businesses.   

In part because of its private right of action, by which plaintiffs may bring suit against businesses directly, BIPA litigation remains at the forefront of the data privacy litigation landscape as businesses continue to collect the biometric identifiers of their employees.  Recent BIPA class action settlements with major tech companies like Facebook and TikTok have been in the hundreds of millions of dollars, but the majority of BIPA litigation is brought against small and medium sized enterprises who collect biometric information in employee timekeeping or for access controls to physical spaces.   

To date, defendants have found courts to be generally unwilling to dismiss BIPA litigation at early motion practice.  Two recent cases, Thornley v. Clearview AI and Barton v. Swan Surfaces, demonstrate that there are some potential limits to BIPA litigation. 

Thornley  v. Clearview AI 

In Thornley, Melissa Thornley accused Clearview AI of scaping publicly available photos from her social media accounts for facial recognition purposes and selling her biometric information to third parties without her consent.  Thornley v. Clearview AI, Inc., 984 F.3d 1241, 1242-1243 (7th Cir. 2021).  Thornley initially filed a complaint in Illinois state court, alleging as a class representative, that Clearview violated § 15(c) of BIPA, which requires in relevant part, that “[n]o private entity in possession of a biometric identifier or biometric information may sell, lease, trade, or otherwise profit from a person’s or a customer’s biometric identifier or biometric information.”  Id. at 1246.  Clearview removed the case to federal court on the basis that the allegation of a statutory violation gave rise to a concrete and particularized injury-in-fact that is necessary for Article III standing.  Id. at 1243.  Under the Constitution, a plaintiff must have Article III standing to sue in federal court, which requires that the plaintiff prove: (1) an injury in fact; (2) causation of the injury by the defendant; and (3) that the injury is likely to be redressed by the requested relief.  See Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547 (2016).  In Spokeo, the Supreme Court of the United States held that a statutory violation could be sufficient to constitute an injury in fact; however, it did not provide any analysis as to which types of statutory violations necessarily implicate concrete and particularized injuries in fact.  Id.   

The district court held that Clearview alleged violation of § 15(c) of BIPA was “only a bare statutory violation, not the kind of concrete and particularized harm that would support standing”, the case must be remanded to the state court.  Thornley., 984 F.3d at 1242.  Clearview then appealed to the Seventh Circuit, who concurred with the District Court and remanded the case back to the Illinois State Court for much the same lack of standing.  Id.  Clearview has now petitioned the Supreme Court of the United States to take its case.  See Porter Wells, Clearview AI Will Take BIPA Standing Challenge to Supreme Court. 

Barton v. Swan Surfaces, LLC 

In Barton, a unionized employee of Swan Surfaces, LLC (“Swan”) was required to clock in and out of her employer’s manufacturing plant using her fingerprints as part of company protocol.  Barton v. Swan Surfaces, LLC, No. No. 20-cv-499-SPM, 2021 WL 793983 at *1 (S.D. Ill March 2, 2021).  On May 29, 2020 Barton filed a complaint in the United States District Court for the Southern District of Illinois alleging that she represented a class of individuals who “while residing in the State of Illinois, had their fingerprints collected, captured, received, otherwise obtained and/or stored by Swan”.  Id. at *2.  Barton asserted Swan violated BIPA in: (1) failing to institute, maintain, and adhere to publicly available retention schedule in violation of 740 ILCS 14/15(a); and (2) failing to obtain informed written consent and release before collecting biometric of information.  Id.  On July 31, 2020, Swan filed a Motion to Dismiss, asserting in relevant part, that Barton’s BIPA claims were preempted by § 301 of the Labor Management Relations Act (“LMRA”).  Id.  

On March 2, 2021, the court held that as Barton was a unionized employee, her Collective Bargaining Agreement (“CBA”), which contained a management rights clause and grievance procedure, controlled and as such Barton’s BIPA claims were preempted by § 301 of the LMRA.  In coming to its conclusion, the court heavily relied on the courts holding in Miller v. Southwest Airlines, Inc., 926 F.3d 898 (7th Cir. 2019). Id. at *6. In Miller, the Seventh Circuit held an adjustment board had to resolve the employees’ dispute over the airline’s fingerprint collection practices because their unions may have bargained over the practice on their behalf.  Miller, 926 F.3d 898.  The court in Barton noted that the United States “Supreme Court has held that the RLA preemption standard is virtually identical to the pre-emption standard the Court employs in cases involving § 301 of the LMRA” and therefore the same outcome should apply.  Barton, 2021 WL 793983 at *4. 

Key Takeaway 

While these cases demonstrate the potential to circumvent or limit BIPA litigation, the increased volume of biometric information being used by companies and the push for biometric policies that govern the use of these technologies and promote safeguards for consumers will undoubtedly continue.  

With many states looking to implement biometric privacy laws similar to BIPA, it is important to have legal tech counsel to address compliance with these emerging laws. Beckage attorneys, who are also technologists and former tech business owners, have years of collective experience with new technologies, like artificial intelligence, biometric data, facial recognition technology. We have a team of highly skilled lawyers that stay up to date on all developments in case law on BIPA and who can help your company best defense given the current legal landscape. Our team can help assist your company in assessing and mitigating risks associated with emerging technologies. 

*Attorney Advertising: Prior results do not guarantee a similar outcome. 

Subscribe to our newsletter. 

Identity TheftEleventh Circuit Adds to Circuit Split on Whether Future Risk of ID Theft Can Support Data Breach Class Claims

Eleventh Circuit Adds to Circuit Split on Whether Future Risk of ID Theft Can Support Data Breach Class Claims

Courts across the United States continue to struggle with whether individuals impacted by a company’s data breach have suffered harm that is concrete enough to support their claims in court. 

After they are notified of a data breach involving their personal data, impacted individuals often join together to bring class action claims against the business for its alleged failure to safeguard their data, breach of privacy promises regarding that data, and under applicable state consumer laws.

Data Breach Class Actions & Standing Requirements

One area that courts have shown a willingness to scrutinize is the question of whether these individuals have alleged, or can show they have experienced, actual harm from the data incident, to satisfy the Constitutional Article III requirement known as standing. 

Plaintiffs continue to present novel theories of why access to their data by an unauthorized third party harmed them in a way that a court may remedy, especially in instances where no facts exist to show that their data has actually been misused.  Plaintiffs will often allege that they lost some value associated with their data, or associated with the use of their data.  By far the most prominent theory submitted by data breach plaintiffs is that these individuals are now at a higher risk of future identity theft and that future relief, such as credit monitoring, should be offered to them to prevent against this risk.

But how great is this risk of future identity theft, really? According to a recent Eleventh Circuit decision, not substantial enough to support Article III standing.

The I Tan Tsao Decision

In affirming the dismissal of a customer’s proposed class action against Florida-based fast-food chain, PDQ, over a data breach that allegedly exposed plaintiffs’ credit and debit card information, the Eleventh Circuit held that the plaintiff I Tan Tsao did not present a sufficient injury claim as a basis for bringing the suit.  There, Mr. Tsao alleged that he and members of his class were at an elevated risk of future identity theft due to the restaurant chain’s breach, and that he had to take certain mitigative steps to reduce this risk, such as cancelling his credit cards.  Plaintiff Tsao relied primarily on a 2007 GAO Report on Data Breaches in support of his theory.

The Eleventh Circuit did not find Mr. Tsao’s hypothetical future risk of identity theft compelling enough for Article III standing purposes.

“We hold that Tsao lacks Article III standing because he cannot demonstrate that there is a substantial risk of future identity theft — or that identity theft is certainly impending — and because he cannot manufacture standing by incurring costs in anticipation of non-imminent harm,” the three-judge panel said.

In relying on the U.S. Supreme Court’s decision in Clapper v. Amnesty International USA, the Eleventh Circuit concluded that a plaintiff alleging a hypothetical harm does not have standing unless that harm is either “certainly impending” or represents a “substantial risk” of harm.  And if the alleged risk does not rise to those levels, a plaintiff cannot “conjure standing by inflicting some direct harm on itself to mitigate a perceived risk.”

The Eleventh Circuit also rejected Mr. Tsao’s use of the GAO Report, holding that the Report’s findings actually supported that the limited data potentially exposed here – credit and debit card numbers – alone, did not lead to a higher incidence of future identity theft.

Nor could Mr. Tsao’s mitigative steps – to cancel his credit card, which he alleged led to a period of restricted access to his account and lost reward points – manufacture a harm for standing purposes.  “It is well established that plaintiffs cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending” the Circuit court held, citing to Clapper.

The Court’s decision in I Tan Tsao v. Capitva MVP Restaurant Partners LLC aligns it with the Second, Third, Fourth and Eighth Circuit Courts of Appeal who have rejected the theory, while the Sixth, Seventh, Ninth and D.C. circuits have accepted it.

The Supreme Court has yet to hear an Article III standing case in the data breach context, leading legal spectators to wonder if the I Tan Tsao decision now presents the high Court with an opportunity to provide such guidance.

Beckage is monitoring developments in this case and other data breach class actions that may provide guidance for future litigation.  Our Litigation team has worked on some of the largest data breach and privacy class actions in the country and can help your business develop a litigation strategy that will result in a successful outcome and minimal disruption to your everyday work.  Learn more about our Litigation Practice Group here.

Subscribe to our newsletter.

*Attorney advertising. Prior results do not guarantee future outcomes.

Data Privacy DayBeckage Attorneys Make 2021 Data Security & Privacy Predictions in Observance of Data Privacy Day

Beckage Attorneys Make 2021 Data Security & Privacy Predictions in Observance of Data Privacy Day

Today is Data Privacy Day – an international event held annually on January 28th with the purpose of promoting privacy and data protection best practices for consumers and businesses. At Beckage, every day is Data Privacy Day – our team of lawyers and technologists works daily with clients on data security and privacy measures, from developing policies and procedures to comply with international and domestic privacy regimes to responding to headline-making data incidents and defending clients in data security and privacy class actions.

The legal landscape surrounding data security and privacy is constantly evolving to adapt to technological advancements and global privacy trends. In observance of this holiday, we asked some of our experienced team members what they expect to see in this space in 2021.


Litigation – Myriah V. Jaworski, Esq. CIPP/US, CIPP/E

My data privacy prediction for 2021 is also related to biometrics. This year we will see the continued rise of regulation over and litigation concerning the use of biometric information.

A few years after the Illinois State Legislature passed BIPA, the Biometric Information Privacy Act, we started to see a slew of class action lawsuits filed against businesses alleged to have violated BIPA’s written release requirement. BIPA class actions have ranged from headline-making cases against major tech companies, such has Facebook, to small and medium-sized businesses across numerous industries.

While biometric lawsuits were once viewed as a risk associated only with doing business in Illinois, other states, like Washington and Texas, have followed suit by passing their own laws mimicking BIPA and others are eyeing their own biometric privacy bills. Of note, a bill nearly identical to BIPA is pending in the New York State legislature, which, if passed, could have a much larger impact on businesses given that New York is one of the largest economies in the United States.

At the federal level, we have recently seen the Federal Trade Commission (FTC) enter the biometric conversation with its consent agreement with EverAlbum, Inc. This consent order may have set a nation-wide standard for businesses’ use and collection of biometric information, regardless of whether those businesses operate in states that have enacted or pending biometric privacy laws.

In short, in 2021 the risks and penalties associated with collecting and using biometric information are steep. Any business, regardless of location, that is engaging in biometric information collection should conduct a privacy audit, look at its written policies, and ensure that it has the requisite consents in mind. As a litigator, I always say “demonstrable compliance is the strongest legal defense,” and that is certainly true in the biometric privacy space.

Watch Myriah’s video prediction here.


Incident Response – Daniel P. Greene, Esq., CIPP/US, CIPP/E

At the heart of what we do as incident response privacy practitioners is data breach prevention.  My 2021 prediction for the privacy landscape is an expansion in the use of multi-factor authentication. This is great news for incident response because, often, multi-factor authentication is an important step in helping to avoid a data incident and protect the privacy of data.

Multi-factor authentication is when a user identifies themself through biometrics, like a facial or fingerprint scan, or though entering a code on a device to confirm access to sensitive spaces, like a bank account or work network. It helps in avoiding unauthorized access and we expect to see this technology used in new spaces in 2021, such as when using an ATM or checking out at a grocery store.

We also anticipate an expansion in the use of biometrics over device authentication. There have been numerous documented incidents where device authentication has backfired. A famous example occurred in 2019 when attackers were able to gain access to Twitter CEO Jeff Dorsey’s account using a SIM card swap scheme. Because biometric identifiers are much more difficult to change or duplicate, using a facial scan or fingerprint is a much more secure method of confirming a user’s identity. And while this brings up a host of other issues about safeguarding biometric information, I think we can expect to see it used a lot more soon.

Watch Dan’s video prediction here.


Government Investigations – Michael L. McCabe, Esq., CCEP

In 2021, I expect to see increased enforcement of privacy and data security laws and regulations at both the federal and state level. Considering new leadership in Washington D.C. and the looming impact of the COVID-19 pandemic, I predict not just an uptick in enforcement, but also a more muscular approach by regulators.  More enforcement actions are expected, a further reminder for companies to work with experienced tech privacy and security legal counsel to minimize legal and technical risk.

At the federal level, look for enhanced enforcement by the Federal Trade Commission (FTC), Federal Communications Commission (FCC), and Securities and Exchange Commission (SEC). On the state level, I anticipate a similar response by state attorneys general outside of Washington.   

In 2020, we saw a major uptick in cyber-attacks, due in part to companies having to quickly adopt policies for a distributed workforce.  There were also numerous COVID-related phishing attempts. These developments have resulted in a record number of data security incidents. Therefore, I expect the focus of these enforcement actions to be not just on privacy compliance, but also on effective data security and incident response.  

Watch Mike’s video prediction here.


Privacy Compliance – Kara L. Hilburger, Esq., CIPP-US

My prediction for the privacy compliance area in 2021 is the increased focus on consumer privacy rights. With California’s comprehensive privacy law, the California Consumer Privacy Act (CCPA), now one year old, there is increase awareness and attention to data subject rights.  With a myriad of other states entertaining statutes similar to the CCPA, I anticipate a host of plaintiff related lawsuits filed under these statutes’ privacy right of action provisions. The result is that business operating in this highly global, multi-jurisdictional environment will need to continue to work towards building out robust and scalable data security and privacy infrastructures that take into account not only the GDPR and CCPA but other emerging laws. For example, updating forward-facing website disclosure policies and user agreements will be paramount here to be sure they comply with the required disclosures.

Relatedly, my second prediction as that we will continue to see an uptick in litigation filed under the Americans with Disabilities Act and frankly no end is in sight.  Businesses are continuing to educate themselves on the legal standards necessary for building and maintaining an accessible website.  We also anticipate much in the way of legislation or increase DOJ involvement in this area under the new administration.

Watch Kara’s video prediction here.


Health Law – Allison K. Prout, Esq., Cert. AWS Cloud Practitioner

With so much of our everyday lives moving online in the wake of the COVID-19 pandemic, we have seen a large uptick in data breaches caused by third-party vendors and service providers. And when it comes to the healthcare industry, I anticipate a continued increase in incidents that originate with business associates and other vendors providing services to covered entities. 

 In fact, about 40% of HIPAA breaches involve or are caused by business associates. With a new administration that’s likely to favor regulatory action, we expect to see regulatory authorities continue to enforce actions against covered entities whose business associates or service providers experience breaches. 

So what does this mean for the industry?  We expect to see covered entities taking a much closer look at who they are working with—and whether those parties have robust security and privacy protocols. For this reason, business associates may need to prepare accordingly. Whether you are a covered entity or a business associate, now is the time to dust off vendor due diligence and monitoring policies and procedures. It’s also a good idea to take a closer look at those service agreements and business associate agreements to make sure your service providers are making the right security commitments—and assuming responsibility—when there’s a breach.

Watch Allie’s video prediction here.


Global Data Privacy – Jordan L. Fischer, Esq. CIPP/US, CIPP/E, CIPM

My first prediction for the global data privacy space in 2021 is the creation and evolution of additional data privacy regulations across the globe. The so-called “GDPR Effect” has been pushing data privacy trends across the globe, and we expect to this to continue as more regions and countries adopt legislation mimicking parts of the GDPR, putting their own unique twist on data privacy, or modernizing their existing data privacy regulations to make them more compatible with the GDPR and other global privacy regimes.

My second prediction is a major emphasis on cross-border data transfers. The 2020 Schrems II decision invalidated the EU-US Privacy Shield for sending data from Europe to the United States. This decision was focused on data transfers between the United States and the European Union, but it also highlights a challenge we are continuing to see in international law – while these privacy regulations see borders, the digital realm does not.  Thus, it is increasingly hard to segment data and maintain it within a specific region. This year, I anticipate a lot of tension between regions that approach privacy and security from various perspectives that don’t always align. This presents a challenge for businesses to continue to operate efficiently while minimizing risk and dealing with multiple global privacy and security regulations.

Regardless of the specific trends we expect to see this year, one thing is certain – the global data privacy landscape will continue to change rapidly, creating a fascinating environment for data privacy and security lawyers to practice in.  I am very excited to be a part of such a dynamic team that will continue to provide services to our clients in this space.

Watch Jordan’s video prediction here.


Key Takeaways

Today, as well as every other day of the year, we hope you take some time to reflect on data privacy and security and the ways you can better protect your personal or business’ private information. The Beckage team is passionate about to educating the masses on the importance of data security, the consumer privacy rights and the impact on businesses, and the steps you can take safeguard your information. We are committed to providing updates on relevant legislation, current threats, and proactive data security steps. Be sure to follow us on LinkedIn, read our blog, and subscribe to our newsletter to stay up to date on the latest in this ever-changing space. Happy Data Privacy Day!

*Attorney advertising – prior results do not guarantee future outcomes.