
InfoBytes Blog

Financial Services Law Insights and Observations



  • District Court enters $228 million judgment in BIPA class action


    On October 12, the U.S. District Court for the Northern District of Illinois entered a judgment for $228 million after a jury found that a defendant railway company committed 45,600 reckless or intentional violations of the Illinois Biometric Information Privacy Act (BIPA). The jury’s judgment, which does not include pre-judgment interest, was entered against the defendant in the amount of $228 million (BIPA provides for statutory damages of $5,000 for every willful or reckless violation and $1,000 for every negligent violation). Class members consisting of more than 44,000 truck drivers alleged in their second amended complaint that the defendant violated BIPA when it collected, captured, and stored their biometric identifiers and biometric information without obtaining their informed written consent or providing written disclosures explaining the purpose and duration of such use. The defendant countered that it should not be held liable for biometric data collection conducted on its behalf by a third-party contractor because BIPA does not impose liability for the acts of a third party. The court disagreed, ruling, among other things, that BIPA’s language “makes clear that [the defendant] need not have ‘collected’ the data itself to be liable,” and that there is evidence that the defendant “ultimately called the shots on whether and how biometric information is collected.” 

    Courts State Issues Privacy, Cyber Risk & Data Security BIPA Illinois Class Action

  • District Court denies defendant summary judgment in data breach suit

    Privacy, Cyber Risk & Data Security

    On September 8, the U.S. District Court for the District of Maryland denied a defendant hotel corporation’s summary judgment motion, concluding that an economic expert’s opinion that the City of Chicago (plaintiff) experienced a loss in tax revenue due to a security breach of the defendant’s guest information database—and that the breach caused that loss—should be admissible. As previously covered by InfoBytes, a consolidated class action suit was filed by consumers after they allegedly learned that the defendant took more than four years to discover the data breach and took nearly three months to notify customers of their exposed information. The defendant discovered the breach in September 2018 when a consulting company contracted to provide data security services reported an anomaly pertaining to the defendant’s guest information database. In total, the breach impacted approximately 133.7 million guest records.

    Last May, the court granted in part and denied in part certification of eight class actions against the defendant, noting that the plaintiffs did not need to demonstrate that every class member has standing at the class certification stage. The size of the certified classes based on an overpayment theory was decreased, because the court agreed with the defendant’s argument that the plaintiffs were too broad in seeking to include all customers who were affected by the breach, rather than those who only “bore the economic burden.” The court also declined to certify one class seeking only injunctive or declaratory relief, stating that “[w]ithout any direction as to the nature of the injunction sought, besides a request for further discovery, plaintiffs’ motion goes no further than requesting that defendants discontinue their current practices with respect to the [personally identifiable information] at issue.”

    According to the recent opinion, the City of Chicago alleged that the defendant violated the city’s consumer protection ordinance by failing to safeguard the personal information of city residents and misrepresented that it had reasonable security safeguards in place. The defendant argued that the City of Chicago’s claims exceeded the limit of the city’s authority under the Illinois Constitution, because it attempted to apply its ordinance to a specific data-security incident. The court found that the Illinois Constitution permits the City of Chicago, a “home-rule unit,” to enforce its consumer protection ordinance against the defendant for harm and injuries arising from the data security incident. Additionally, the court found “in order to respect ’the constitutional design’ granting broad home rule authority and permitting concurrent local and state authority, ‘the courts should step in to compensate for legislative inaction or oversight only in the clearest cases of oppression, injustice, or interference by local ordinances with vital state policies.’” The court also found that the City of Chicago has standing to bring claims for monetary fines, citing that “expert opinions establish, by a preponderance of the evidence, that Chicago suffered an injury-in-fact—the loss of tax revenue—that was traceable to the data breach, and that can be redressed by monetary fines paid by [the defendant].”

    Privacy, Cyber Risk & Data Security Courts Data Breach State Issues Illinois Class Action

  • District Court grants final approval in BIPA class action


    On September 1, the U.S. District Court for the Northern District of Illinois granted final approval of a $6.8 million class action settlement in a biometric privacy data suit. According to the plaintiff’s memorandum of law in support of her unopposed motion for final approval of the settlement, the plaintiff alleged that the defendant violated Illinois law by collecting fingerprint scan data from Illinois users of vending machine systems without written notice and consent. According to the settlement, class members include all individuals who scanned their finger(s) in one or more of defendants’ vending systems in Illinois between August 23, 2014 and November 2021, which totals approximately 63,450 individuals. Each class member will receive approximately $413, and the settlement includes roughly $2.2 million in attorney fees for class counsel.

    Courts Privacy, Cyber Risk & Data Security State Issues Illinois BIPA Class Action Settlement

  • Illinois amends Collection Agency Act provisions

    On May 27, the Illinois governor signed HB 5220, which makes various amendments to provisions related to the state’s Collection Agency Act. Among other things, the amendments strike language repealing specified provisions and add, amend, and strike certain definitions, including amending “financial institution” to include “consumer installment lenders, payday lenders, sales finance agencies, and any other industry or business that offers services or products that are regulated under any Act administered by the [Director of the Division of Financial Institutions].” The amendments further provide that an adjudicated finding by the FTC or other federal or state agency that shows a licensee violated the FDCPA or its rules is grounds for disciplinary action. Also, at the discretion of the Secretary (after having first received the recommendation of the Collection Agency Licensing and Disciplinary Board), an “accused person’s license may be suspended or revoked, if the evidence constitutes sufficient grounds for such action.” Moreover, the amendments restore language providing that the Department of Financial and Professional Regulation may obtain written recommendations from the Collection Agency Licensing and Disciplinary Board “regarding standards of professional conduct, formal disciplinary actions, and the formulation of rules affecting these matters.” The Act takes effect January 1, 2023.

    Licensing State Issues Illinois Debt Collection FDCPA State Legislation

  • Illinois amendments address confidentiality of customer financial records

    State Issues

    On May 13, the Illinois governor signed SB 3971, which makes various amendments to Illinois Banking Act and Savings Bank Act provisions concerning the confidentiality of customer financial records. Among other things, the Act provides that a bank must disclose financial records “only after the bank sends a copy of the subpoena, summons, warrant, citation to discover assets, or court order,” to the person establishing the relationship with the bank if living (or the person’s representative otherwise), at the person’s last known address. Further, such requests must be sent through a third-party commercial carrier or courier, with delivery charge fully prepaid, by hand or by electronic delivery at an email address on file with the bank (provided the person has consented to electronic delivery).

    The Act also stipulates that a bank retain customer financial records “in a manner consistent with prudent business practices and in accordance with this Act and applicable State or Federal laws, rules, and regulations.” A bank may also destroy records (with reasonable precautions taken to ensure the confidentiality of the information contained in the records) except where a retention period is required by law. The Act is effective immediately.

    State Issues State Legislation Illinois Illinois Banking Act Illinois Savings Bank Act Privacy/Cyber Risk & Data Security Consumer Protection

  • Illinois adopts rules implementing Predatory Loan Prevention Act

    State Issues

    On April 22, the Illinois Department of Financial and Professional Regulation (IDFPR) published in the Illinois Register a notice of adopted rules to implement the Predatory Loan Prevention Act (PLPA or the Act). As previously covered by InfoBytes, the Act was signed into law in March 2021 to prohibit lenders from charging more than 36 percent APR on all non-commercial consumer loans under $40,000, including closed-end and open-end credit, retail installment sales contracts, and motor vehicle retail installment sales contracts. Violations of the Act constitute a violation of the Illinois Consumer Fraud and Deceptive Business Practices Act and carry a potential fine up to $10,000. Additionally, any loan with an APR exceeding 36 percent will be considered null and void.

    In general, the adopted rules require lenders to provide a disclosure to consumers about the 36 percent APR rate cap established by the PLPA, incorporate the APR calculation method required by the PLPA, and amend the rules for reporting of payday loans to the state database. The rules specify that words in the definitions are not defined to have the same meaning as in Regulation Z, including any interpretation by the CFPB. For purposes of calculating the PLPA APR, the rules specify that the calculation excludes only certain specified bona fide fees, but includes finance charges, loan application fees, and fees imposed for participation in any plan or arrangement for a loan, “even if that charge would be excluded from the finance charge under Regulation Z.”

    The IDFPR made several amendments related to rate cap disclosure notices. These specify that all loan applications must include a separate rate cap disclosure signed by the consumer (disclosures must be provided in English and in the language in which the loan was negotiated) that clearly and conspicuously states: “A lender shall not contract for or receive charges exceeding a 36% annual percentage rate on the unpaid balance of the amount financed for a loan, as calculated under the Illinois Predatory Loan Prevention Act (PLPA APR). Any loan with a PLPA APR over 36% is null and void, such that no person or entity shall have any right to collect, attempt to collect, receive, or retain any principal, fee, interest, or charges related to the loan. The annual percentage rate disclosed in any loan contract may be lower than the PLPA APR.”

    The rules take effect August 1.

    State Issues State Regulators Illinois Predatory Lending Consumer Finance Interest Rate APR

  • Illinois adopts amendments to Consumer Installment Loan Act

    On April 22, the Office of the Illinois Secretary of State published in the Illinois Register a notice by the Department of Financial and Professional Regulation of adopted amendments to certain parts of its Consumer Installment Loan Act (CILA). Under the amendments, a licensee may obtain a license under the CILA for the exclusive purpose and use of making title secured loans. The amendments also require consumer installment lenders to provide a disclosure to consumers regarding the 36 percent annual percentage rate (APR) rate cap established by the Predatory Loan Prevention Act Annual Percentage Rate. These amendments eliminate small consumer loans and implement rules for reporting consumer installment loans to the state database. Additionally, the amendments include the implementation of a new definition and new rules for title-secured loans. The amendments are effective August 1.

    Licensing State Issues Illinois State Regulators Consumer Finance Installment Loans

  • District Court refuses to enforce choice-of-law provision, allows individual state data privacy claims to proceed

    Privacy, Cyber Risk & Data Security

    On March 30, the U.S. District Court for the Northern District of Illinois denied a global tech company’s bid to dismiss class action Illinois Biometric Information Privacy Act (BIPA) claims. Plaintiffs (Illinois residents) sued the company alleging it violated BIPA by applying image recognition technology to photos uploaded to subscribers’ accounts without receiving informed written consent. Plaintiffs also claimed the company failed to establish a file retention schedule and deletion guidelines as required by state law. The company argued that the terms of use agreed to by the subscribers contain a choice-of-law provision stating that the laws of Washington State govern the conditions of use and any disputes. The court disagreed, stating that Washington’s biometric protection statute does not provide for a private cause of action and is therefore contrary to Illinois’ fundamental public policy. “The fact that BIPA creates a private cause of action underscores the importance Illinois places on an individual’s right to control their biometric information,” the court said. “Applying Washington law would rob plaintiffs of control over their individual biometric information, instead leaving it to Washington’s attorney general to bring suit.” The court also held that Illinois has a greater material interest in the dispute than Washington. The court allowed the plaintiffs’ claims regarding consent to proceed in federal court but remanded the other claims to the Cook County Circuit Court.

    Privacy/Cyber Risk & Data Security Courts State Issues Washington Illinois BIPA

  • FTC imposes “record-setting” fine on auto dealer alleging discriminatory junk fees

    Federal Issues

    On April 1, the FTC and the Illinois Attorney General announced a proposed settlement with an Illinois-based multistate auto dealer group for allegedly adding junk fees for unwanted “add-on” products to consumers’ bills and discriminating against Black consumers. Under the terms of the proposed settlement, the defendants are ordered to pay a $10 million penalty, of which $9.95 million will be used to provide monetary relief to consumers. According to the FTC, this is the highest penalty ever obtained against an auto dealer. The remaining balance of the penalty will be paid to the Illinois Attorney General Court Ordered and Voluntary Compliance Payment Projects Fund.

    According to the complaint, which brings claims under the FTC Act, TILA, ECOA, and comparable Illinois laws, eight of the defendant’s dealerships, along with the general manager of two of the Illinois dealerships, allegedly tacked on junk fees for unwanted “add-on” products such as service contracts, GAP insurance, and paint protection to consumers’ purchase contracts at the end of the negotiation process, often without consumers’ consent. In other instances, consumers were told that the add-ons were free or were required to purchase or finance their vehicle. The complaint further alleges that defendants discriminated against Black consumers by charging them higher interest rates or more for add-on products than similarly situated non-Latino white consumers. As a result, Black consumers allegedly paid, on average, $190 more in interest and $99 more for add-on products.

    FTC Chair Lina M. Khan and Commissioner Rebecca Kelly Slaughter issued a joint statement noting that they “would have also supported a count alleging a violation of the FTC Act’s prohibition on unfair acts or practices.” Khan and Slaughter elaborated on reasons why the FTC “should evaluate under its unfairness authority any discrimination that is found to be based on disparate treatment or have a disparate impact,” pointing out that (i) discrimination based on protected status can cause substantial injury to consumers; (ii) “injuries stemming from disparate treatment or impact are unavoidable because affected consumers cannot change their status or otherwise influence the unfair practices”; and (iii) “injuries stemming from disparate treatment or impact are not outweighed by countervailing benefits to consumers or competition.”

    Federal Issues FTC Enforcement Fees State Issues Illinois State Attorney General Discrimination Auto Finance Fair Lending ECOA FTC Act TILA Disparate Impact

  • Social networking apps settle minors' data claims for $1.1 million

    Privacy, Cyber Risk & Data Security

    On March 25, the U.S. District Court for the Northern District of Illinois granted final approval to a $1.1 million class action settlement resolving claims that the operators of two video social networking apps (defendants) “‘surreptitiously tracked, collected, and disclosed the personally identifiable information and/or viewing data of children under the age of 13,’ ‘without parental consent’” in violation of federal and California privacy law. Specifically, plaintiffs asserted violations of the Video Privacy Protection Act (VPPA), the California constitutional right to privacy, the California Consumers Legal Remedies Act (CLRA), and the Illinois Consumer Fraud and Deceptive Businesses Practices Act. Defendants countered that plaintiffs’ state-law claims were preempted by the Children’s Online Privacy Protection Act, and that, furthermore, the “alleged conduct is not within the scope of VPPA or the cited state consumer protection laws” and “does not amount to a common law invasion of privacy or a violation of Plaintiffs’ rights under the California Constitution.” Moreover, defendants argued that plaintiffs could not recover actual damages. According to plaintiffs’ supplemental motion for final approval, following months-long negotiations, the parties agreed to settle the action on a class-wide basis.

    The settlement requires defendants to pay $1.1 million into a non-reversionary settlement fund, to be dispersed pro rata to class members (anyone in the U.S. who, prior to the settlement’s effective date and while under the age of 13, registered for or used the apps) who submit a valid claim after the payment of settlement administration expenses, taxes, fees, and service awards. The court’s order, however, declined to award an objector’s counsel any attorneys’ fees for his efforts to negotiate modified relief because the agreement was negotiated in a separate proceeding in related multidistrict litigation. The court also denied plaintiffs’ motion for sanctions against the objector’s law firm.

    Privacy/Cyber Risk & Data Security Courts Settlement Class Action State Issues Illinois California COPPA

