Articles Posted in Privacy Law

A clinic across town conducts pre-employment physicals for your company. The clinic’s intake form asks routine medical questions, including a section on family medical history. Two years later a class action arrives, naming your company under a statute most Illinois employers had not heard of three years ago. The complaint says you required disclosure of genetic information by asking, through the clinic, about heart disease, diabetes, and cancer in the applicant’s parents and siblings. The demand letter multiplies $15,000 per intentional violation by the number of applicants over the last several years and arrives at a number that looks like the cost of the lawsuit settling itself.

The statute is the Illinois Genetic Information Privacy Act, 410 ILCS 513, and the wave of cases under it is real. By industry counts, more than fifty putative class actions were filed in 2023 alone, and the filings have continued. The plaintiffs’ bar is treating GIPA as the new BIPA, with one important difference. The damages are higher. GIPA’s private right of action lets a court award $2,500 per negligent violation and $15,000 per intentional or reckless violation, plus attorney fees and costs, two and a half to three times BIPA’s $1,000 and $5,000 amounts. For an employer that screens dozens or hundreds of applicants each year, the math is exactly as alarming as it sounds.

It is also not the math the law has settled on. GIPA litigation is several years younger than BIPA litigation, and the doctrinal walls are still being built. But early defense decisions, statutory text the plaintiffs’ bar tends to underplay, and standard federal-court tools already give Illinois employers more leverage than the demand letter suggests.

Start with what GIPA actually prohibits. Section 25, 410 ILCS 513/25, bars an employer from directly or indirectly soliciting, requesting, requiring, purchasing, or otherwise obtaining genetic information of an individual or a family member as a condition of employment or for use in employment decisions. Section 10 defines genetic information, in language borrowed from federal law, to include the manifestation of a disease or disorder in family members of the individual, which is the legal phrase for family medical history. Section 30 restricts disclosure of genetic testing and information. Section 40 supplies the right of action and the liquidated damages.

The first defense is the one most employers miss. GIPA does not prohibit collection of the applicant’s own personal medical history. It prohibits collection of genetic information, which as a matter of statutory definition is information about the applicant’s genetic tests, the genetic tests of family members, or family medical history, the disease history of family members. An intake form that asks an applicant whether the applicant has had hypertension, diabetes, or back surgery is asking about the applicant. It is not asking about family. The same form that asks whether the applicant’s parents, siblings, or grandparents have had heart disease or cancer is asking about family medical history and is in GIPA’s territory. The distinction is not cosmetic. It can be the difference between liability and a routine occupational-health question.

The second defense comes from the leading appellate decision interpreting GIPA’s reach. In Bridges v. Blackstone, Inc., the Seventh Circuit affirmed the dismissal of a putative class action arising from Blackstone’s all-stock acquisition of the genealogy company Ancestry. The plaintiffs alleged that the acquisition itself was a disclosure of their genetic information in violation of Section 30. The Seventh Circuit disagreed, holding that a run-of-the-mill corporate acquisition, without more, does not result in a compulsory disclosure of genetic information under the statute. Bridges is the first appellate decision to push back on an aggressive reading of GIPA, and its reasoning is portable. It tells defense counsel that the statute’s words mean what they say, that the conduct the plaintiff is challenging must actually fit the statutory verb being invoked, and that the courts will not stretch GIPA into every transaction or every form that touches medical information in a tangential way.

The complaint usually arrives with a number attached, and the number is designed to take your breath away. A former employee, now a class representative, says your company scanned her fingerprint every time she punched the clock. Multiply one finger scan by every shift, by every worker, across several years, and the demand letter floats an exposure figure that looks less like a lawsuit and more like a going-out-of-business sale. The message is not subtle. Settle now, settle big, and do not ask too many questions.

That message is a negotiating tactic. It is not a legal conclusion. The Illinois Biometric Information Privacy Act, 740 ILCS 14/1 and following, is a real statute with real teeth, and we do not pretend otherwise to our clients. But the law in this area has moved hard over the last three years, and a meaningful share of that movement has favored the defense. The Illinois business that understands the current landscape negotiates from a much stronger position than the business that reaches for the checkbook the day it is served.

Start with what the statute actually requires, because most demand letters blur it. BIPA regulates biometric identifiers and biometric information, which the Act defines to include fingerprints, retina and iris scans, voiceprints, and scans of hand or face geometry. Section 15(b) is the heart of most cases. Before a private entity collects that data, it must tell the person in writing that the data is being collected, state the specific purpose and the length of term for which it will be collected and stored, and obtain a written release. Section 15(a) requires the entity to publish a written retention and destruction policy and to destroy the data when the purpose is satisfied or within three years of the person’s last interaction, whichever comes first. Section 15(c) bars selling or profiting from the data. Section 15(d) restricts disclosure. Section 15(e) requires a reasonable standard of care in storage. Section 20 supplies the damages that make these cases attractive to the plaintiffs’ bar: liquidated damages of $1,000 for each negligent violation and $5,000 for each intentional or reckless violation, or actual damages if greater, plus attorney fees and an injunction.

For several years the Illinois Supreme Court read those provisions in ways that steadily raised the stakes. In Rosenbach v. Six Flags Entertainment Corp., the Court held that a person is aggrieved, and may sue, on the bare violation of the statute, with no need to plead an actual injury. In Tims v. Black Horse Carriers, Inc., the Court held that the generous five-year catch-all limitations period governs every BIPA claim. And in Cothron v. White Castle System, Inc., a divided Court held that a separate claim accrues with every scan and every transmission, not just the first one. Cothron is the decision that produces the eye-watering numbers, because it lets a plaintiff multiply a single fingerprint by years of daily punches.

Here is what the demand letters tend to leave out. The legislature answered Cothron. Effective August 2, 2024, Public Act 103-0769 amended Section 20 so that a private entity that collects or discloses the same biometric identifier from the same person using the same method commits a single violation, for which the aggrieved person is entitled to, at most, one recovery. The same amendment confirmed that an electronic signature satisfies BIPA’s written-release requirement. In plain terms, the per-scan multiplication that drove the catastrophic exposure figures was cut off at the knees for conduct going forward, and the recovery is now anchored to the person, not the punch.

The defense news did not stop there. In Clay v. Union Pacific Railroad Co., one of a set of consolidated appeals the United States Court of Appeals for the Seventh Circuit decided in April 2026, the court held that the 2024 damages amendment applies retroactively to cases that were already pending when it took effect. The court reasoned that the change was remedial rather than substantive, because it altered only the damages available and not the underlying standard of liability, and that Illinois courts apply remedial changes retroactively. For Illinois businesses defending claims premised on years of historical scans, that holding can transform the math the plaintiff has been counting on.

The amendment limits the size of the case. Several established defenses can dispose of it altogether or push it out of the forum the plaintiff wants. Three are worth understanding.

The first is the health care exemption. Section 10 excludes information collected, used, or stored for health care treatment, payment, or operations under HIPAA. In Mosby v. Ingalls Memorial Hospital, the Illinois Supreme Court read that exemption in the disjunctive and applied it to the fingerprints health care workers used to access medication dispensing systems for patient care. A hospital, clinic, or other provider sued over biometrics tied to patient care should look hard at Section 10 before conceding the statute even applies.

The second is federal labor preemption. In Walton v. Roosevelt University, the Illinois Supreme Court held that Section 301 of the Labor Management Relations Act preempts BIPA claims brought by union employees when the collective bargaining agreement contains a broad management-rights clause, because the dispute belongs in the grievance and arbitration process, not in court. For employers with a unionized workforce, and a management-rights clause is common, Walton can move the entire fight to a different arena.

Every data incident in 2026 produces the same playbook. A plaintiffs’ firm files a class action. The complaint pleads breach of contract. It pleads invasion of privacy. It pleads a federal statutory claim. And, almost always, it pleads negligence.

The negligence count usually says some version of the same thing. The defendant owed a duty to safeguard the plaintiff’s personal information, the defendant breached that duty by allowing the data to be exposed or transmitted, and the plaintiff suffered damages including diminished data value, anxiety, lost time, and lost benefit of the bargain.

Illinois law has a problem with this count. Two problems, actually.

The first problem is that there is no freestanding common law duty in Illinois to safeguard another person’s data. The second problem is that even if there were such a duty, Illinois’s economic loss doctrine, known as the Moorman doctrine, would bar recovery for the kinds of damages plaintiffs typically plead.

Both problems are dispositive at the motion to dismiss stage when the defense is built carefully.

The duty problem is settled by the Seventh Circuit. In Community Bank of Trenton v. Schnuck Markets, Inc., the court held that the Illinois Supreme Court has not recognized an independent common law duty to safeguard personal information. The court applied that holding to a data breach class action and dismissed the negligence claim. The Illinois Appellate Court reached the same conclusion in Cooney v. Chicago Public Schools, where the court rejected an attempt to use HIPAA, the federal medical privacy statute, as the source of a state law duty to safeguard data.

These holdings are not technicalities. They are reflections of how the duty element works in Illinois negligence law. A duty does not arise from a vague feeling that information should be protected. A duty arises from a relationship recognized by law, a statute that creates a private cause of action, or a common law rule the Illinois Supreme Court has actually adopted. When none of those exists, there is no duty, and there is no negligence.

Plaintiffs sometimes argue that the physician patient relationship, the merchant customer relationship, or the employer employee relationship is enough. Federal courts in Illinois have rejected those arguments in the data context. In Doe v. Genesis Health System, decided in 2025, the Central District of Illinois applied Community Bank and Cooney directly to a healthcare website tracking case and dismissed the negligence count. The court explained that the relationship based theory does not change the rule. If the Illinois Supreme Court has not recognized the duty, a federal court sitting in diversity will not invent it.

The second problem is the Moorman doctrine.

Moorman Manufacturing Co. v. National Tank Co. is one of the most cited cases in Illinois law. The Illinois Supreme Court held in 1982 that a plaintiff cannot recover in negligence for purely economic loss. Economic loss means losses that are not personal injury and are not damage to other property. Diminished data value is economic loss. Lost benefit of the bargain is economic loss. Lost time is economic loss. Anxiety and emotional distress are not personal injuries in this context. Each of those theories runs into the Moorman bar.

The reason this matters is that data class action complaints almost always allege economic loss as the principal damage theory. Without economic loss damages, the negligence count loses most of its monetary value. Without an actual breach of contract or a separate statutory cause of action, the case shrinks dramatically.

Three points are worth highlighting for any Illinois business defending a data related lawsuit.

A new wave of class action lawsuits is sweeping into the Northern District of Illinois. The defendants are not telecom companies. They are healthcare practices, retailers, fintech companies, telehealth platforms, employers running candidate portals, and any business with a website that uses analytics or advertising tools.

The legal theory is the same in almost every case. The plaintiff alleges that a tracking pixel, often the Meta pixel, the TikTok pixel, or the Google tag, captured information the user typed into the defendant’s website and quietly transmitted that information to a third party advertising platform. The plaintiff then alleges that this transmission violated the federal Electronic Communications Privacy Act, also known as the Wiretap Act, 18 U.S.C. section 2511.

The financial pressure of these cases is enormous. The Wiretap Act allows statutory damages of the greater of $100 per day or $10,000 per plaintiff, plus attorney fees. Multiplied across a putative class of website visitors, the demand letter is designed to force a settlement. That math is the plaintiffs’ bar’s business model.

There is a powerful defense to most of these cases. It is called the party exception, and Illinois federal courts are increasingly willing to enforce it.

The party exception is not buried in a regulatory annex. It is in the statute itself. 18 U.S.C. section 2511(2)(d) provides that the prohibition on intercepting electronic communications does not apply where one of the parties to the communication has consented, or where the defendant is itself a party to the communication. When a customer or patient fills out a form on your website, the customer’s communication is being directed at you. You are not eavesdropping on someone else. You are the recipient.

That sounds obvious. It is also dispositive in most pixel cases when the defense is properly pleaded.

The Northern District of Illinois has issued a series of decisions applying this exact logic. In Kurowski v. Rush System for Health, the court held that Rush, not Facebook or Google or a downstream ad platform, was the intended recipient of the patient communications submitted through Rush’s website and patient portal. Sloan v. Anker Innovations Ltd. went further, holding that even where a defendant later uploads information to a third party server, the defendant remains a party to the original communication, not a non party interceptor. The Zak v. Bose Corp. line of cases rejected the plaintiffs’ bar’s relabeling tactic of recasting the website operator as a redirector of someone else’s data flow. And in Doe v. Genesis Health System, the court explained the principle in plain language. The communications could not have occurred without the plaintiff communicating with the defendant as the intended recipient and party.

What this means in practice is that when a plaintiff sues your business for embedding analytics on your own website that collected information the plaintiff voluntarily submitted to your business, you have a real defense at the motion to dismiss stage. The defense does not require discovery. It does not require expert testimony. It requires careful pleading and an early motion that frames the issue correctly.

If you operate a healthcare practice, a telehealth platform, a behavioral health clinic, a fertility center, an addiction treatment facility, a dental or optometry chain, or any consumer facing business that handles sensitive information online, you have probably heard about the new generation of class action lawsuits over tracking pixels.

The lawsuits target businesses that embed third party tools like the Meta pixel, the TikTok pixel, or Google Analytics on their websites. The complaints allege that the tools captured information about a user’s interactions and transmitted that information to advertising platforms without consent.

In most of these cases, the defendant has a strong defense built into the federal Wiretap Act itself. When a user submits information to your website, you are a party to the communication, and 18 U.S.C. section 2511(2)(d) excludes parties from liability under the statute.

Plaintiffs know about that defense, so they have a workaround. They invoke the same subsection’s other clause, the so called crime tort exception. It provides that the party exception does not apply if the communication was intercepted for the purpose of committing any criminal or tortious act. Plaintiffs typically plead a HIPAA violation, an invasion of privacy claim, or both, as the predicate.

The question is whether this workaround survives.

That question is now actively splitting the federal courts in Illinois. The split is real, current, and important enough that one judge has already certified it for interlocutory appeal.

In the defense friendly camp, Doe v. Genesis Health System, decided by the United States District Court for the Central District of Illinois in 2025, held the answer is no. The court read the statute carefully and concluded that the defendant must have intercepted the communication for the purpose of committing a crime or a tort. Marketing and advertising purposes, the court held, do not satisfy that standard, because lawful commercial activity, even when it ultimately runs afoul of HIPAA’s regulatory scheme, is not the same as acting in order to commit a crime or tort. The Seventh Circuit articulated a similar principle years earlier in Thomas v. Pearl and again in Desnick v. American Broadcasting Cos. The recorder must intend to break the law or commit a tort. That intent is the heart of the carve out.

Doe 1 v. Chestnut Health Systems, Inc., decided in 2025, took the same path and dismissed a complaint that recited criminal or tortious purpose in conclusory terms. The court held that a conclusory recital will not do.

In the plaintiff friendly camp, Stein v. Edward-Elmhurst Health, decided in 2025, went the other way. The court held that a HIPAA violating disclosure can satisfy the carve out even when the defendant’s overall purpose was lawful commercial advertising. The same court later denied reconsideration but explicitly certified the question for interlocutory appeal, finding substantial ground for difference of opinion. That certification is itself a tell. When a federal trial court is comfortable enough with the strength of the opposing view to permit an immediate appeal, the law is genuinely unsettled.

What does this mean for Illinois businesses? Three things.

Efforts by an alleged perpetrator and his legal team to unmask a Jane Doe plaintiff (by revealing her name) were held dead on arrival by the Illinois Appellate Court today. Our firm assisted lead counsel Tamara Holder with the appellate briefs. In these types of matters, our firm concentrates on defending alleged sexual assault victims who are allegedly revictimized by being subject to what we advocate, on our client’s behalf, in court papers, are strike suits for defamation or libel. This practice of suing the alleged victim for libel or defamation is, unfortunately, becoming an all too common tactic to, we contend, try to bully them into silence or to retract their claims.

The forceful and well-reasoned concurring opinion by Justice Hyman explains why exposing the names of alleged victims of sexual misconduct or assault is a pernicious practice. The opinion provides guideposts for courts in Illinois and across the country to encourage alleged sexual misconduct or assault victims to seek justice, without having to suffer more trauma due to their names being spread all over the internet. It also notes that the alleged perpetrator should have similar privacy rights prior to a judgment on guilt or innocence.

The concurring opinion states:

In a world where the Internet already has created privacy, confidentiality, and security issues, we now enter the age of artificial intelligence, exacerbating these issues and making secrecy vital. No longer, in famous observation of Justice Brandeis almost 100 years ago, is “right to be let alone” enough. Olmstead v. United States, 277 U.S. 438, 478 (1928) (Brandeis, J., dissenting). In the 21st century, the right to be left unknown will join the right to be let alone as a vexing subject of intense legal debate. Indeed, the question of anonymity has taken on increased significance as court records have become readily available to the general public through even casual Internet searches. As the appellant notes in his brief, a Google search of a litigant’s name can produce an untold number of articles describing the lawsuit. Those articles may be available online for a lifetime, unless kept confidential. Although Illinois case law offers slight guidance on petitions to proceed anonymously, an alleged victim deserves anonymity whether or not their identity has been divulged elsewhere, including in a case not brought by them. …

Although no reported Illinois cases address whether a claim of sexual violence constitutes an “exceptional” situation warranting the use of a pseudonym, federal courts in Illinois have recognized that allegations of sexual assault are “highly sensitive, personal matters that involve the disclosure of information of the utmost intimacy.” Doe v. Cook County, Illinois, 542 F. Supp. 3d 779, 786 (N.D. Ill. 2021); accord Doe No. 2 v. Kolko, 242 F.R.D. 193, 195 (E.D.N.Y. 2006) (while the Seventh Circuit disfavors fictitious names, it has “recognized that sexual assault victims are a paradigmatic example of those entitled to a grant of anonymity” (citing Doe, 112 F.3d at 872)). Even so, a sexual violence allegation alone has been considered not dispositive. See Cook County, Illinois, 542 F. Supp. 3d at 786 (“allegation of sexual assault alone does not end the inquiry”); Doe v. Skyline Automobiles, Inc., 375 F. Supp. 3d 401, 405-06 (S.D.N.Y. 2019) (“other factors must be taken into consideration and analyzed in comparison to the public’s interest and the interests of the opposing parties”).

Illinois has taken steps to protect individuals’ private information. Examples include the Personal Information Protection Act (815 ILCS 530/1 et seq. (West 2022)), and the Biometric Information Privacy Act (740 ILCS 14/1 et seq. (West 2022)), and two laws regulating data obtained by artificial intelligence, the Artificial Intelligence Video Interview Act (820 ILCS 42/5 (West 2022)) and the Illinois Health Statistics Act (410 ILCS 520/1 et seq. (West 2022)). Nonetheless, the law cannot keep pace with the speed of innovations, compromising privacy. Corinne Moini, Protecting Privacy in the Era of Smart Toys: Does Hello Barbie Have A Duty to Report?, 25 Cath. U.J.L. & Tech. 281, 299 (2017) (asserting that privacy torts do not provide adequate protection for privacy implications of artificial intelligence and data collection). When methods of intruding into private lives and stripping anonymity outpace lawmakers’ ability to address them, courts have a duty under existing rules of procedure to protect sexual assault and abuse victims.

Plaintiff, a minor when the alleged sexual assault occurred, undeniably constitutes an “exceptional” situation. The lawsuit involves matters of a highly personal nature warranting anonymity. Indeed, Illinois Supreme Court rules acknowledge the need for anonymity in cases involving minors. For instance, the Illinois Supreme Court rules provide that minors shall be identified by first name and last initial or by initials in adoption cases (Ill. S. Ct. R. 663 (eff. Oct. 1, 2001) and appeals involving the Juvenile Court Act of 1987 (705 ILCS 405/1 et seq. (West 2022)). Ill. S. Ct. R. 660(c) (eff. Oct. 1, 2001). Moreover, the Style Manual for the Supreme and Appellate Courts of Illinois (5th ed. rev. 2017) provides for using the minor’s initials in cases involving the Department of Children and Family Services. These rules reflect the need to protect the identity of a minor in matters of a personal nature that involve potentially stigmatizing issues such as termination of parental rights or juvenile criminal conduct.  An alleged victim of sexual violence has similar reasons for protecting their identity when filing a lawsuit under the Gender Act. The alleged conduct involves highly personal conduct likely to embarrass and stigmatize, regardless of its availability on the Internet. Thus, I would find that an alleged victim has a compelling reason to proceed anonymously when filing a complaint. Similarly, an accused perpetrator should be able to seek anonymity on petition….

The appellant contends that Doe waived her right to proceed anonymously because she filed an affidavit supporting a motion to dismiss the defamation lawsuit the appellant filed against his other accusers. (The appellant added Doe as a defendant in the defamation litigation after she filed her complaint.) I must disagree that she waived her right. When Doe filed the affidavit in the defamation case, she had yet to file her complaint against defendant. The decision to help another litigant should not bar an individual from proceeding anonymously in their own lawsuit, regardless of an affidavit in another proceeding. Filing suit creates a different level of exposure than filing an affidavit in support of others.

You can read the entire opinion here.

Apple recently sued the NSO Group, an Israeli surveillance company that allegedly uses Apple products to spy on targets for its government clients. While the NSO Group has tried to portray itself as a company that helps bring criminals to justice and save lives, a closer look at its clients (and the targets of those clients) tells a more insidious story.

According to internal documents from the NSO Group that were leaked to the press, the surveillance company’s clients include the United Arab Emirates and Mexico, and the targets of those clients have included dissidents, activists, and journalists. The documents also revealed that the teenaged children of those targets (some of whom were living in the U.S.) were surveilled.

The NSO Group’s legal troubles started back in 2019 when Facebook sued the surveillance company for targeting its WhatsApp users. The surveillance company tried to claim foreign sovereign immunity to have the lawsuit dismissed, but the United States Court of Appeals for the Ninth Circuit rejected that argument, thereby paving the way for the case to proceed through the courts.

The unanimous decision also paved the way for Apple to file its own lawsuit against the NSO Group. When Apple discovered that the NSO Group had created spyware that allowed it to access data on a target’s Apple product and transmit it back to the government servers without the target knowing about it, Apple took steps both to prevent future attacks and to bring the NSO Group to justice for this invasion of privacy.

When it turned out that NSO’s engineers had created more than 100 fake Apple IDs to carry out the attack, Apple was able to sue the surveillance company for violating Apple’s Terms and Conditions, to which every user must agree in order to set up their account. One section of Apple’s Terms and Conditions specifies that users’ engagement with Apple and its products and services is to be governed by California state law. That’s the clause that allowed the Silicon Valley company to sue an Israeli surveillance company in U.S. federal court.

Recently, the Illinois Appellate Court for the First District issued a significant decision on the question of which statute of limitations governs claims for violations of the Illinois Biometric Information Privacy Act (“BIPA”). In its opinion, the Court ruled that claims for unlawful profiting from or disclosure of biometric data, those brought under sections 15(c) and (d) of the BIPA, are subject to a one-year limitations period, while claims involving violations of the notice, consent and retention requirements, those brought under sections 15(a), (b), and (e) of the BIPA, are subject to a limitations period of five years. This decision should bring much needed clarity to class-action plaintiffs and defendants alike.

The BIPA, one of the most robust privacy statutes in the country, imposes various obligations on anyone that collects, stores or uses biometric identifiers such as fingerprints, retina or iris scans, voiceprints, or face geometry from Illinois residents. Failure to comply with the BIPA’s requirements can be costly as violations of the statute entitle successful plaintiffs to statutory damages ranging from $1,000 to $5,000 for each violation (plus attorney fees). This can add up quickly as claims for violations of the BIPA are frequently brought as a class action as we have seen in recent years.

The underlying case was brought by two former drivers for Black Horse Carriers, a trucking and logistics company. The plaintiffs filed the case as a class action. In their lawsuit, the former drivers alleged that Black Horse failed to obtain consent to use drivers’ fingerprints or to institute a retention schedule. They also accused the company of unlawfully disseminating their biometric data by sharing fingerprints with a third-party vendor that processed timekeeping records for the company.

In a putative class-action lawsuit filed against Apple concerning alleged violations of the Illinois Biometric Information Privacy Act (BIPA), the parties disputed the scope of discovery to which the plaintiffs were entitled. The plaintiffs sought to compel Apple to produce certain identifying information for Illinois residents with Apple devices containing the Photos App. The plaintiffs also issued document subpoenas to major resellers of Apple products for the personal data of individual customers. The district court ultimately denied the request to compel and quashed the subpoenas, citing concerns about how personal information would be protected given the increase in cyber attacks and hacking incidents.

The suit centers on the Photos App contained on Apple devices that displays photos stored on the devices. According to the plaintiffs, the Photos App collects biometric identifiers and biometric information, including scans of facial geometry and related biometric information, of the individuals in the photos. Apple collects these biometric identifiers, the plaintiffs allege, without first notifying the individuals in writing and obtaining their informed consent. The plaintiffs further allege Apple possessed biometric identifiers and biometric information without creating and following a written, publicly available policy with retention schedules and destruction guidelines. According to the plaintiffs’ complaint, these actions violate the BIPA.

The Supreme Court recently issued its first ever opinion interpreting the Computer Fraud and Abuse Act, 18 U.S.C. §1030. In issuing its opinion, the Court limited the scope of the Computer Fraud and Abuse Act and resolved a circuit split on the meaning of “exceeds authorized access” found in the statute. In a 6-3 opinion, Justice Amy Coney Barrett, in her first signed majority opinion, said the Court would not turn “millions of otherwise law-abiding citizens” into criminals if they violated their employer’s computer-use policies at work by using their computers to send personal e-mails, do online shopping, or plan a vacation.

At issue, the Court said, were so-called “inside hackers” who have legal access to a computer but exceed their authorized access by using the information for unauthorized purposes. Adopting the government’s “breathtaking” interpretation of the phrase “exceeds authorized access,” the Court explained, would turn every violation of a computer-use policy into a criminal act.

The immediate beneficiary of the Court’s ruling was a former Georgia police sergeant, Nathan Van Buren. Van Buren was authorized to use the Georgia Crime Information Center database to check license plates as part of his job. He unwittingly found himself caught up in an FBI sting when he took a $5,000 payment from a man who claimed that he wanted to learn about a stripper he had just met. After using his official computer to perform the requested search, Van Buren was charged and convicted of violating the Computer Fraud and Abuse Act for exceeding his “authorized access.”

The Computer Fraud and Abuse Act was enacted in 1986, during the early stages of the internet. The statute imposes criminal or civil liability on any person who “intentionally accesses a computer without authorization” or “exceeds authorized access” and, in doing so, obtains information from a “protected computer.” The statute does not define the term “without authorization” but does define the term “exceeds authorized access” in a rather opaque way. Pleading a claim under the statute requires a plaintiff to allege that the defendant (i) intentionally accessed a computer, (ii) lacked authority to access the computer or exceeded authorized access to the computer, (iii) obtained data from the computer, and (iv) caused a loss of $5,000 or more during a one-year period.
