Recent case applies VHS-era law to modern digital privacy

Plaintiff sued the NBA, accusing it of violating the Video Privacy Protection Act, 18 U.S.C. 2701 (VPPA). Plaintiff claimed that after signing up for the NBA’s online newsletter and watching videos on NBA.com, the NBA shared his viewing history with Meta without his permission. The district court dismissed the case and plaintiff sought review with the Second Circuit. On review, the court vacated and remanded the case for further proceedings.

What is the VPPA?

The VPPA, enacted in 1988, aims to protect consumers’ privacy by restricting video tape service providers from sharing personally identifiable information without consent. The historical circumstances around its enactment, particularly involving Robert Bork, are worth taking a few minutes to read up on.

Key issue – what’s a consumer here?

Plaintiff argued that he qualified as a “consumer” under the VPPA’s definition, which includes any “renter, purchaser, or subscriber of goods or services.” He contended that by providing his email and other personal data in exchange for the NBA’s newsletter, he became a “subscriber,” thus entitling him to privacy protections. According to plaintiff, the NBA’s practice of embedding a “Facebook Pixel” on its website allowed Meta to track users’ video-watching behavior, which constituted a violation of the VPPA’s restrictions.

The NBA, however, argued that plaintiff did not meet the VPPA’s criteria for a “consumer” because the newsletter subscription did not involve any audiovisual services, as required under the law. The NBA further asserted that plaintiff did not suffer a “concrete” injury, a requirement for Article III standing under the standards set out by SCOTUS in TransUnion LLC v. Ramirez. The NBA maintained that merely signing up for a free newsletter did not establish a sufficient relationship to qualify as a “subscriber.”

Lower court proceedings

The United States District Court for the Southern District of New York ruled in favor of the NBA. While it determined that plaintiff had standing to sue, the court dismissed the case on the grounds that plaintiff failed to establish that he was a “consumer” as defined by the VPPA. The court ruled that the VPPA’s scope was limited to audiovisual goods or services, and an online newsletter did not fit this definition. It concluded that merely signing up for a newsletter did not create a relationship that would extend VPPA protections to plaintiff’s video-watching data.

But the appellate court said…

Plaintiff appealed the decision, and the Second Circuit found that plaintiff sufficiently alleged that he was a “subscriber of goods or services” because he provided personal information in exchange for the NBA’s online newsletter. The court emphasized that the VPPA’s language did not strictly limit “goods or services” to audiovisual content, thus broadening the potential scope of who could be considered a “consumer.” This meant that the case would proceed to further legal proceedings to address the other issues in the dispute.

Three reasons why this case matters:

  • It clarifies modern VPPA applications: The case explores how the VPPA, with its origins in a VHS-centric era, applies to modern digital interactions, like email newsletters and online video streaming.
  • It expands consumer privacy definitions: The court’s interpretation suggests that a “subscriber” could include individuals who exchange personal information for non-monetary services, influencing other privacy claims.
  • It influences digital business practices: It affects how businesses should collect and share user data, potentially increasing scrutiny over partnerships involving data tracking and disclosure to third parties such as Meta.

Salazar v. NBA, — F.4th —, 2024 WL 4487971 (2nd Cir., October 15, 2024)

See also: Casual website visitor who watched videos was not protected under the Video Privacy Protection Act

CCPA claim against Apple thrown out on Section 230 grounds

Plaintiffs sued Apple after downloading a malicious app from the App Store. The claims included violation of the Computer Fraud and Abuse Act (“CFAA”), the Electronic Communications Privacy Act (“ECPA”), and the California Consumer Privacy Act (“CCPA”). (Alphabet soup, anyone?)

The lower court granted Apple’s motion to dismiss these claims. Plaintiffs sought review with the Ninth Circuit Court of Appeals. On appeal, the court held that the lower court properly applied Section 230 immunity to dismiss these claims.

What Section 230 does

Section 230 (47 U.S.C. § 230) instructs that “[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” A defendant is not liable if it can show that (1) it is a provider of “interactive computer services” as defined by the statute, (2) the claim relates to “information provided by another content provider,” and (3) the claim seeks to hold defendant liable as the “publisher or speaker” of that information.

Why the CFAA and ECPA claims were dismissed

In this case, concerning the CFAA and ECPA claims, the court looked to Barnes v. Yahoo!, Inc., 570 F.3d 1096 (9th Cir. 2009) and concluded that the lower court properly found Section 230 immunity to apply. The duty that plaintiffs alleged Apple violated derived from Apple’s status or conduct as a “publisher or speaker.” It found that the claims referred, as the basis for culpability, to Apple’s authorization, monitoring, or failure to remove the offending app from the App Store. “Because these are quintessential ‘publication decisions’ under Barnes, 570 F.3d at 1105, liability is barred by section 230(c)(1).”

Section 230 knocked out CCPA claim too

The data privacy count included allegations that Apple violated duties to “implement reasonable security procedures and practices” to protect the personal information of App Store users, in violation of Cal. Civ. Code § 1798.100(e). The court said that it need not decide whether violations of such duties can be boiled down to publication activities in every instance or whether implementation of reasonable security policies and practices would always necessarily require an internet company to monitor third-party content. Citing to Lemmon v. Snap, Inc., 995 F.3d 1085 (9th Cir. 2021), the court found that in this case, at least, plaintiffs failed to plead adequately a theory of injury under CCPA that was “fully independent of [Apple’s] role in monitoring or publishing third-party content.”

Diep v. Apple, Inc., 2024 WL 1299995 (9th Cir. March 27, 2024)

Months-long video surveillance of house did not violate the Fourth Amendment

“As video cameras proliferate throughout society, regrettably, the reasonable expectation of privacy from filming is diminished.”

Defendant was convicted of stealing government funds and of wire fraud for receiving disability benefits provided to veterans when in fact defendant – though being a veteran – was not disabled. Part of the evidence the government used against defendant was video footage obtained from a pole camera the government had set up on the roof of a school across the street from defendant’s home. It surveilled his house for 15 hours a day for 68 days. After being convicted, defendant sought review with the Tenth Circuit Court of Appeals, arguing that the near-continual surveillance of his house was an unreasonable search under the Fourth Amendment. The court disagreed and affirmed the conviction.

The development of a reasonable expectation of privacy

The court observed the importance of the notion of a citizen’s “reasonable expectation of privacy,” a concept that has evolved over time from its original ties to common-law trespass to encompass a broader range of privacy expectations recognized by society as legitimate.

Historically, the Supreme Court has maintained that activities exposed to public view do not enjoy a reasonable expectation of privacy. For example, in California v. Ciraolo, 476 U.S. 207 (1986), the court held warrantless observation of a home’s exterior from public airspace was not a Fourth Amendment violation on the grounds that these observations did not penetrate private, concealed areas.

In Kyllo v. United States, 533 U.S. 27 (2001), the court held that the use of thermal imaging to discern details within a home, unobservable to the naked eye, was a search requiring a warrant. This marked a departure towards acknowledging privacy infringements facilitated by technology not widely available to the public.

In United States v. Jackson, 213 F.3d 1269 (10th Cir. 2000), the Tenth Circuit held that video surveillance capturing activity visible without enhancement did not violate the Fourth Amendment. The court grounded its decision in the principle that what one knowingly exposes to public observation falls outside the Fourth Amendment’s protection. The surveillance in question, similar to the one in this case, involved recording the exterior of a residence, capturing scenes observable from public vantage points, thus not constituting a search under the Fourth Amendment.

But in this case, the surveillance was constant

In this case, defendant relied heavily on the case of Carpenter v. United States, 138 S. Ct. 2206 (2018), where the Supreme Court ruled that accessing historical cell-site location information constituted a search under the Fourth Amendment. This decision underscored the intrusive potential of prolonged surveillance, highlighting the significant privacy concerns associated with compiling a comprehensive record of an individual’s movements over time. But the court in this case observed that the scope of the Carpenter case was explicitly narrow, not extending to conventional surveillance methods such as security cameras.

So the court distinguished the present situation from Carpenter, noting that the pole camera only captured what was visible from the street and did not provide a comprehensive record of defendant’s movements beyond the monitored location. Accordingly, in the court’s view, the surveillance did not infringe upon the reasonable expectation of privacy as articulated in Carpenter, which pertained to the aggregate of an individual’s movements over an extended period.

More technology = changing norms regarding privacy

Furthermore (in probably the most intriguing part of the opinion), the court noted the evolving societal norms around privacy, especially in the context of the widespread proliferation of cameras in public and private spheres. This ubiquity of video recording technology, coupled with the societal acclimatization to being recorded, has inevitably influenced expectations of privacy. As surveillance technologies become more integrated into everyday life, the threshold for what constitutes a “reasonable expectation of privacy” shifts, reflecting the dynamic interplay between technological advancements and societal norms.

So the court concluded that defendant did not have a reasonable expectation of privacy concerning the footage captured by the pole camera, as it only recorded what was visible to any passerby from the street.

United States v. Hay, — F.4th — 2024 WL 1163349 (10th Cir., March 19, 2024)

Website operator not liable under Wiretap Act for allowing Meta to intercept visitor communications

Plaintiffs asserted that defendant healthcare organization inadequately protected the personal and health information of visitors to defendant’s website. In particular, plaintiffs alleged that unauthorized third parties – including Meta – could intercept user interactions through the use of tracking technologies such as the Meta Pixel and Conversions API. According to plaintiffs, these tools collected sensitive health information and sent it to Meta. Despite defendant’s privacy policy claiming to protect user privacy and information, plaintiffs alleged that using defendant’s website caused plaintiffs to receive unsolicited advertisements on their Facebook accounts.

Plaintiffs sued, asserting a number of claims, including under the federal Electronic Communications Privacy Act (“ECPA”) and the California Invasion of Privacy Act (“CIPA”). Defendant moved to dismiss these claims. The court granted the motion.

To establish an ECPA claim, a plaintiff must demonstrate that defendant intentionally intercepted or attempted to intercept electronic communications using a device. CIPA similarly prohibits using electronic means to understand the contents of a communication without consent. Both laws have a “party exception” allowing a person who is a party to the communication to intercept it, provided the interception is not for a criminal or tortious purpose. In other words, there is an exception to the exception.

In this case, defendant argued it was a legitimate party to plaintiffs’ communications on a website, thus invoking the party exception. Plaintiffs countered that the exception should not apply due to defendant’s alleged tortious intent (making the information available to Facebook without disclosure to plaintiffs). But the court found that plaintiffs did not provide sufficient evidence that defendant’s actions were for an illegal or actionable purpose beyond the act of interception itself. Under the guidance of Pena v. GameStop, Inc., 2023 WL 3170047 (S.D. Cal. April 27, 2023), (a plaintiff must plead sufficient facts to support an inference that the offender intercepted the communication for the purpose of a tortious or criminal act that is independent of the intentional act of recording or interception itself), the court concluded there was no separate tortious conduct involved in the interception and dismissed the claims.

B.K. v. Eisenhower Medical Center, 2024 WL 878100 (February 29, 2024)

Website cookie banner was not enough for cruise line to sink federal wiretap lawsuit

Plaintiffs sued Carnival Cruise Line because they were upset about how much information carnival.com collected when they visited the site. “On carnival.com, no action goes unnoticed. Every click is counted, every keystroke is collected, and every cursor movement is catalogued.”

The claims centered around Carnival’s use of Clarity – a Microsoft session replay software that was deployed onto the user’s browser to collect a wide variety of information about the user’s system and browsing behavior. That collection was not limited to information from carnival.com. Clarity allegedly assigned each user a specific id that it used to associate and aggregate browsing behavior across all Clarity-enabled websites.

Plaintiffs asserted several claims, including one under the federal Electronic Communications Privacy Act (18 U.S.C. 2510 et seq.) (“ECPA”). They complained that Carnival intercepted Plaintiffs’ personal information, including their passport number, driver’s license number, date of birth, home address, phone number, email address and payment information, and used that information to trace users’ browsing history on other sites.

Carnival moved to dismiss for failure to state a claim under the ECPA. The court denied the motion.

No “party to the communication” exception

Carnival argued that the “party to the communication” exception of the ECPA absolved it of liability. 18 U.S.C. 2511(2)(d) provides that “[i]t shall not be unlawful … for a person … to intercept a[n] electronic communication where such person is a party to the communication.” But plaintiffs asserted that Microsoft, as the provider of the session replay code software, was a third party to the communication of the browsing information. Courts sometimes find third parties to be merely “extensions” of a website when such third parties’ services “merely function as a tape recorder.” But in this case, citing to Javier v. Assurance IQ, LLC, 649 F. Supp. 3d 891 (N.D. Cal. 2023), the court declined to find that Clarity had such limited functionality. The main problem for Carnival was that Clarity did more than just serve as a “tape recorder” – it used data to generate analytics such as heatmaps of user engagement and profiles of browsing history on other sites.

No consent for third party interception

Carnival also argued that the ECPA claim should be dismissed because plaintiffs had consented to the interception of their information. The court rejected this argument.

Carnival first argued that by merely sending a communication over the internet, plaintiffs expressed their consent. It cited to a 2001 Pennsylvania decision called Commonwealth v. Proetto, a criminal case in which that court found that a defendant accused of improperly soliciting a 15-year-old girl online could not claim that the girl’s decision to print out the defendant’s chat communication violated defendant’s right of privacy. In other words, the Proetto case stands for the notion that when one sends something over the internet, he or she loses control, from a privacy standpoint, over what the recipient will do with that information. The court distinguished the Proetto case, however, noting that it did not cover third-party interception, focusing instead on direct communication between two parties, and emphasizing that consent is given specifically to the receiver, not any incidental third party. This distinction was crucial in the present case, as Carnival needed to demonstrate that plaintiffs consented not just to Carnival, but also to third-party session replay providers – such as Microsoft in providing Clarity – involved in data collection.

So Carnival cited to Farst v. AutoZone, Inc., 2023 WL 7179807 (M.D. Pa. 2023), wherein the court dismissed similar claims in the context of online shopping, deeming it a public activity with no expectation of privacy in browsing habits. The court distinguished the Farst case, however, by noting that it did not focus on the collection of sensitive information like this case did. In the current case, plaintiffs had made concrete allegations regarding the interception of sensitive information (e.g., driver’s license number, date of birth, home address).

Carnival’s second argument for plaintiffs’ consent to its recording policy hinged on a “Cookie Policy” banner on its website, suggesting that continued use of the site provided consent to the policy. Plaintiffs countered this by asserting that the website did not adequately notify users of this recording, and interaction with the site was possible without reviewing or agreeing to any privacy policy. The court observed that in assessing the validity of such “browsewrap” agreements, it should consider whether a website provides sufficient notice to a reasonably prudent user about the terms of the contract. In this case, the Cookie Policy banner was less noticeable due to its smaller text, inconspicuous color scheme, and placement away from key user interaction points, like large “SHOP NOW” or “SEARCH CRUISES” buttons. There was also no evidence that the banner appeared immediately or remained visible throughout a user’s visit. Consequently, the court found that – based on the facts alleged – a reasonably prudent user would not be adequately informed of the terms, siding with plaintiffs’ claim that they did not consent to the interception of their communications.

Rejection of Carnival’s other ECPA arguments

In denying the motion to dismiss the ECPA claims, the court rejected Carnival’s remaining arguments as well.

The court found that based on the facts alleged in the complaint, it was plausible to believe that the transmission of the information was contemporaneous, thereby qualifying as an “interception” under the statute.

It found that the information transmitted was not merely “record information” but that information such as an intent to travel, dates and locations were actual “contents” of the alleged communications.

And it rejected Carnival’s argument that the offending session replay code comprising Clarity was not a “device” prohibited by the statute. Carnival contended that it did not meet the definition of a “device” in the context of wiretapping laws, arguing that a “device” should be a physical object. The court held that the combination of software and hardware involved in this case fell under the ambit of “device” as contemplated by the statute.

Price v. Carnival Corporation, 2024 WL 221437 (S.D. Cal., January 19, 2024)

Beauty and the Biometrics: Federal court in Illinois tosses biometric data case brought against cosmetics giant

A federal judge recently dismissed a class action lawsuit against The Estée Lauder Companies and one of its affiliates. This case involved allegations that these entities violated the Illinois Biometric Information Privacy Act (BIPA).

Background of the Case

Plaintiffs represented a proposed class and accused defendants of three distinct violations of BIPA. The dispute centered on the use of a virtual try-on tool that one of defendants had licensed to Estée Lauder which enabled customers to virtually test cosmetic products on brand websites. Plaintiffs claimed that they were not adequately informed about the capture and use of their biometric data, including facial mapping and facial geometry. They argued that there was a failure to provide clear consent and privacy policies regarding biometric data.

What BIPA Says

The law governs private entities’ collection, use, and storage of biometric identifiers and information. Plaintiffs contended that defendants did not comply with these requirements, specifically in failing to obtain written consent and establishing proper retention and destruction policies for biometric data.

What the Court Said

The court’s decision to dismiss the case hinged on plaintiffs’ inability to demonstrate that defendants used the biometric data in a manner that could identify individuals. The court referenced similar cases where allegations were dismissed due to the lack of plausible claims connecting biometric data collection with the capability to identify individuals.

The court found that plaintiffs did not provide sufficient factual allegations to establish that defendants could identify individuals using the facial scans. It compared other cases where claims were either dismissed or upheld based on the presence or absence of plausible allegations of identification capability. The case was dismissed without prejudice, meaning plaintiffs were given the opportunity to file an amended complaint by a specified date.

What It Means

This decision highlights the importance of clear legal standards for biometric data usage and the challenges plaintiffs face in proving violations under BIPA. It also underscores the need for companies to be transparent and compliant with privacy laws when implementing innovative technologies.

Castelaz v. The Estee Lauder Companies, Inc. et al., 2024 WL 136872 (N.D. Illinois, January 10, 2024)

Microsoft Edge privacy case dismissed for lack of standing

A legal dispute involving Microsoft recently concluded with the dismissal of a class-action lawsuit. Plaintiffs had accused Microsoft of unauthorized data collection through its Edge browser, alleging violation of privacy laws. The court, however, ruled in favor of Microsoft, citing the plaintiffs’ lack of standing under Article III of the Constitution.

The Allegations Against Microsoft

The lawsuit centered on the claim that Microsoft Edge intercepted and sent private user data, including activities in “private” browsing mode, to Microsoft-controlled servers. This data, linked to unique user identifiers, allegedly allowed Microsoft to track users’ internet habits. Plaintiffs argued this was done without consent, breaching the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, and various state laws, and claimed economic injury due to these practices.

Microsoft’s Challenge and the Court’s Decision

Microsoft moved to dismiss the lawsuit, arguing plaintiffs lacked the necessary standing under Article III of the U.S. Constitution. The court agreed, determining the plaintiffs did not meet the required standing criteria.

The core issue was whether the plaintiffs had standing, a fundamental requirement for a case to be heard in a federal court. The Constitution requires an actual “case or controversy” for federal courts’ involvement. The court examined whether plaintiffs demonstrated (1) an injury in fact, (2) a direct causation, and (3) a potential remedy through court action.

The 2021 Supreme Court ruling in TransUnion LLC v. Ramirez was key to the outcome in this case. This ruling stressed that not every violation of a statutory right leads to a concrete harm that warrants a federal lawsuit. This court, agreeing with Microsoft, found that the data identified in the complaint was not traditionally considered private. It determined that the collection of browsing data did not closely relate to a harm traditionally actionable in court. The court pointed out that data like browsing history and keystrokes do not carry a reasonable expectation of privacy.

Final Outcome

So the court found that the plaintiffs failed to allege a concrete privacy injury that would fulfill the requirements for Article III standing. The dismissal of this lawsuit highlights the complex challenges in digital privacy litigation and the difficulty plaintiffs face in proving standing in privacy-related legal actions.

Saeedy v. Microsoft Corporation, 2023 WL 8828852 (W.D. Washington, December 21, 2023)

See also: Reading a non-friend’s comment on Facebook wall was not a privacy invasion

Can a company snoop on its employee’s personal email account?

Plaintiff was an administrative assistant at defendant company. When her supervisor got word that plaintiff had been asked to join a competing company started by some other former company employees, the supervisor allegedly logged onto plaintiff’s work computer and without authorization accessed plaintiff’s Gmail account to get more information confirming plaintiff’s plans. Plaintiff was later terminated.

So she sued under the federal Stored Communications Act (“SCA”) and the Federal Wiretap Act (under a part of that act often called the Electronic Communications Privacy Act (“ECPA”)). Defendant moved to dismiss both the claims. The court denied the motion to dismiss the SCA claim but dismissed the ECPA claim.

The SCA prohibits, among other things, the intentional unauthorized access of a “facility through which an electronic communication service is provided”—thereby obtaining access to an electronic communication while in electronic storage. 18 U.S.C. § 2701(a). A court may award actual damages, statutory damages, and punitive damages for violation of the SCA. If a plaintiff seeks statutory damages under the SCA, it must prove actual damages. But one need not prove actual damages to recover punitive damages. The ECPA prohibits, among other things, the “interception” of electronic communication. 18 U.S.C. § 2511(a). Courts have generally held that such “interception” must be contemporaneous with transmission.

The court held plaintiff could move forward with her SCA claim even though she had not pled actual damages. She had sufficiently pled that she should be awarded punitive damages. And the court tossed the ECPA claim because the facts as alleged showed that the email messages the employer allegedly accessed had already been delivered and therefore were not intercepted as the statute requires for liability.

Benz v. PHB Realty Co., 2022 WL 3098579 (D. Kansas, August 4, 2022)

Biometric privacy statute does not violate First Amendment

Biometric identifiers extracted from a photo are not public in the same way the photo itself is

Plaintiffs filed a class action lawsuit against a facial recognition technology company and related individual defendants, asserting violations of the Illinois Biometric Information Privacy Act (“BIPA”). Plaintiffs alleged that defendants covertly scraped over three billion photographs of faces from the internet and then used artificial intelligence algorithms to scan the face geometry of each individual depicted to harvest the individuals’ unique biometric identifiers and corresponding biometric information. One of the defendants then created a searchable database containing this biometric information and data that enabled users of its proprietary platform to identify unknown individuals by uploading a photograph to the database. Accordingly, plaintiffs alleged that defendants collected, captured, or otherwise obtained their biometric data without notice and consent, and thereafter, sold or otherwise profited from their biometric information, all in violation of BIPA.

Unconstitutional restriction on public information?

Defendants moved to dismiss the BIPA claim on a number of grounds, including an argument that BIPA violated defendants’ First Amendment rights. More specifically, defendants maintained that the capture and analysis of faceprints from public images was protected speech, and thus, BIPA was unconstitutional because it inhibited the ability to collect and analyze public information. Plaintiffs, however, asserted that the capturing of faceprints and the action of extracting private biometric identifiers from the faceprints was unprotected conduct. The court sided with plaintiffs and rejected defendants’ argument.

The court held that defendants’ argument oversimplified plaintiffs’ allegations. Although defendants captured public photographs from the internet, they then harvested an individual’s unique biometric identifiers and information – which are not public information – without the individual’s consent. Put differently, plaintiffs asserted that the defendants’ business model was not based on the collection of public photographs from the internet, some source code, and republishing information via a search engine, but the additional conduct of harvesting nonpublic, personal biometric data. And, as plaintiffs further alleged, unlike fingerprints, facial biometrics are readily observable and present a grave and immediate danger to privacy, individual autonomy, and liberty.

An intermediate approach to biometric privacy

Accordingly, the court looked at defendants’ conduct as involving both speech and nonspeech elements. Looking to the test set out in the Supreme Court case of United States v. O’Brien, 391 U.S. 367 (1968), the court evaluated how when “elements are combined in the same course of conduct, a sufficiently important governmental interest in regulating the nonspeech element can justify incidental limitations on First Amendment freedoms.” The court applied the intermediate scrutiny standard set out in O’Brien, namely, a regulation does not violate the First Amendment if (1) it is within the power of the government to enact, (2) furthers an important government interest, (3) the governmental interest is unrelated to the suppression of free expression, and (4) any incidental restriction on speech is no greater than is necessary to further the government interest.

The first element was easy to dispense with because the parties did not argue that the Illinois General Assembly lacked the power to enact BIPA. On the second element, the court found that the General Assembly enacted BIPA to protect Illinois residents’ highly sensitive biometric information from unauthorized collection and disclosure. Regarding the third element, the court noted that BIPA, including its exceptions, does not restrict a particular viewpoint, nor does it target public discussion of an entire topic. And on the fourth O’Brien element, the court found BIPA to be narrowly tailored by legitimately protecting Illinois residents’ highly sensitive biometric information and data, yet allowing residents to share their biometric information through its consent provision. And BIPA is not overly broad, in the court’s view, because it does not prohibit a substantial amount of protected speech.

In re Clearview AI, Inc., Consumer Privacy Litigation, 2022 WL 444135 (N.D. Illinois, February 14, 2022)

Court protects the privacy of bitcoin address and transaction information

Defendant asked the court to redact his bitcoin address and transaction information from exhibits used at trial, which ordinarily would become part of the public record. He argued that for each transaction recorded on the blockchain, one could reverse engineer the entire transaction if he or she knows the individual associated with one of a number of pieces of information, including transaction ID and public bitcoin address. “[O]nce a particular individual is associated [with] any of this information, it is essentially akin to providing that individual’s financial account number.”

The court allowed the redaction of the bitcoin address and bitcoin transactions. It found that defendant had demonstrated good cause to support the redactions. The court balanced the public’s right of access to court information against defendant’s interest in keeping the information confidential. It agreed with defendant’s assertion that the bitcoin information he sought to redact is akin to a financial account number or personally identifiable information.

Kleiman v. Wright, 2022 WL 390702 (S.D. Fla., February 9, 2022)
