Articles Posted in Privacy Law

Published on:

Vendors who share customers’ personal identifying information (name, email address, phone number, zip code, etc.) is a major issue in the world of consumer law today. Vendors (particularly online and mobile vendors) are often tempted to take a customer’s payment information and then sell it to a third party after the transaction has been completed. That third party can then use the customer’s information however they want.

Because of consumers’ numerous complaints about the flagrant mishandling of their personal information, many companies have begun either revealing in their Terms of Service contracts that they might distribute a customer’s personal information, or promising not to reveal their customers’ personal information to a third party, unless it’s required to complete a transaction, or for legal reasons. When given an option between a vendor that sells personal information and a similar vendor that maintains their customers’ privacy, most customers will choose the vendor that respects their privacy.

This issue is at the heart of a recent consumer class action lawsuit filed against Google in California. The company’s Wallet users, who can buy apps through Google Play, agreed to Google’s Terms of Service and privacy policy every time they purchased an app through Google’s Wallet feature. According to the consumer lawsuit, Google’s Terms of Service assure customers their private information will not be shared with any third-party vendors unless it is necessary to do so in order to complete the transaction, or for legal purposes. But the lawsuit alleges that, despite these promises, Google shared the personal information of its Wallet customers with third parties, even after having completed the purchase. Continue reading

Published on:

Violations of the Telephone Consumer Protection Act (TCPA) are subject to a judgment of anywhere from $400 per call to $1,200 per call, depending on whether the court deems the defendant to have been deliberately willful in its violation of consumers’ privacy.

The TCPA was enacted shortly after cell phones became prominent in the market and cell phone users were charged for the calls they received, as well as those they made. To protect consumers from having to pay for promotional calls they didn’t want to receive on their cell phones, legislators came up with the TCPA, which makes it illegal for companies to call consumers on their cell phone in a non-emergency situation, unless the company has received the consumers’ express permission to do so.

According to U.S. District Judge Catherine C. Eagles, Dish Network LLC earned the highest judgment for the promotional calls they had made to consumers using Satellite Systems Network and allegedly failing to properly regulate the calls that company made on Dish’s behalf.

The lawsuit was filed in 2014 by Thomas Krakauer, who claimed he received multiple calls from SSN on Dish’s behalf from 2009 to 2011, despite being on the National Do-Not-Call Registry. Since he filed is class action against those two companies, the North Carolina federal court has certified two more class actions with similar claims of having received telemarketing calls from Dish or SSN between 2010 and 2011.

In Krakauer’s case, the jury found that SSN had placed more than 51,000 promotional phone calls in violation of the TCPA in the relevant time period and awarded damages to the plaintiffs of $400 for each phone call, bringing the total to about $20.5 million.

But Judge Eagles found that treble damages were warranted, since Dish had willfully violated the TCPA by failing to oversee SSN’s telemarketing practices, despite having promised regulators it would do so. Judge Eagles therefore raised the damages to $1,200 per illegal phone call for a total of $61 million. Continue reading

Published on:

Many people have long given up the hope of having any privacy when we’re online. From cookies to tracking search results to targeted advertising, it’s pretty widely accepted that the internet is not a private place, although many users continue to insist internet companies stop tracking our every move.

Back in 2010, Facebook was storing digital cookies on consumers’ internet browsers and using those cookies to track the users’ visits to other sites that contained Facebook’s “like” button (which allows viewers to post a like of the article or website to their Facebook account without leaving the page). The tracking continued even after users had logged out of their Facebook accounts.

Facebook had promised consumers it would delete the cookies, but the company continued to access information on the cookies until 2011, when an independent researcher brought the issue to the attention of the public. At that point, a class of plaintiffs sued Facebook for allegedly violating federal and California state privacy laws by using the cookies. The time period for the lawsuit goes from April 2010, when the company said it had stopped using cookies, to September 2011, when the tech giant actually stopped using the cookies after it had been outed.

Although a lot can change in five years, the plaintiffs are still pursuing their claims against Facebook, having revised their allegations after the judge dismissed their original claims in the fall of 2015. Continue reading

Published on:

As more and more of our personal information ends up online (either through our own actions or someone else’s) we must all be increasingly vigilant about taking the necessary steps to insure our privacy from hackers. Businesses and website hosts need to be especially careful about protecting themselves from liability in the event of a data breach.

Class action lawsuits claiming damages against businesses that allegedly did not take the proper measures to protect against security breaches have been popping up with increasing frequency all over the country, but depending on the case, proving actual damages can be easier said than done.

Most, if not all, banks and credit card companies offer identity theft protection – for a fee. They’ll cover the costs of any unverified charges if your information gets stolen, but only if you pay them a monthly fee. The fee is usually around $5/month, but even that can be prohibitive for low-income consumers. As a result, most plaintiffs suing as a result of a data breach at least sue for the costs of purchasing identity theft protection. Continue reading

Published on:

A recent class action lawsuit filed against Facebook may end up having far-reaching implications for large companies that do business all over the country. The lawsuit has to do with the facial recognition technology the social media company utilizes to allow users to “tag” themselves and each other in photos that get posted on the site.

The named plaintiffs of the class action lawsuit sued Facebook in Illinois for allegedly violating the Illinois Biometric Information Privacy Act (BIPA). The law requires companies using facial-recognition software to inform their customers of the facial-geometry data that is being collected, how long the information is stored for, and how it gets used.

The law also requires companies to get a written release from consumers to authorize the company to collect the data. Negligent violations of BIPA come with statutory damages of $1,000 and $5,000 for violations that are considered to be intentional and reckless. Continue reading

Published on:

It is common for parties involved in a lawsuit, especially a large class action, to settle their legal claims outside of court, instead of pursuing the dispute all the way to a court ruling. But just because one party makes an offer, does not mean the other party is required to accept that offer. Each side will agree to or reject an offer to settle the dispute based on a number of factors, of which the amount of the settlement is just one.

In some cases involving statutory damages, such as allegations of violating the Telephone Consumer Protection Act (TCPA), if a defendant offers to pay the lead plaintiff all actual and statutory damages in full, the plaintiff’s claims are considered null and void, regardless of whether the plaintiff accepts the terms of the settlement. This allows defendants to avoid a large and costly class action lawsuit by paying off the claims of just one plaintiff. But that recently changed with a ruling by the Supreme Court. Continue reading

Published on:

The drastic advances in technology that have happened in recent years make many aspects of modern living much easier, but they have also put certain aspects of our lives at risk that were never at risk before. For example, as people use cash less and less and increasingly rely on their credit cards to pay for their everyday purchases, more and more people have had their credit cards compromised and used to pay for purchases they never authorized. It is now common for credit card companies to offer credit card protection, in which users won’t be made to pay for purchases they did not authorize, but credit card companies usually charge an extra fee for that protection.

Data security is doing its best to keep up with the hackers, but that’s not always possible. Many companies, especially large chains, have suffered data breaches in which hackers illegally gain access to customers’ credit card information. Since it is often very difficult, if not impossible, to locate and prosecute the hackers themselves, the company that suffered the data breach is often faced with a class action lawsuit from customers who had their credit card information exposed as a result of the company’s failure to have the proper protections in place. Continue reading

Published on:


The rulings made by appellate courts can affect many decisions to come in rulings made by lower courts all over the country. In a recent data breach lawsuit against Neiman Marcus, the retailer argued the ruling made by the Seventh Circuit Court could have long-term effects on data breach law if the court failed to change its ruling.

The court denied Neiman Marcus’s appeal and let its initial decision stand.

The consumer lawsuit consists of a proposed class of about 350,000 plaintiffs who allegedly suffered financial damages as a result of a security breach of Neiman Marcus’s systems in 2013. The plaintiffs allege the retailer did not take all necessary precautions in preventing or mitigating a security breach that exposed customers’ payment card details. The data breach lawsuit also alleges Neiman Marcus did not notify its customers of the data breach in a timely manner, once the security attack had happened. Continue reading

Published on:

Data Breach Cases

We are investigating various data breach cases and will bring class actions on behalf of victims of data breaches such as the Target, Ashley Madison, Sony and Home Depot data breaches.

Contact Us if You Are a Victim of the Ashley Madison Data Breach or of Another Data Breach

Published on:


It is widely accepted that the Internet is not a safe place for private or confidential information. Yet, when sensitive information gets leaked, people look for someone to blame. In some instances, they are correct and can bring a privacy claim especially when they can show direct injury due to the privacy breach. In other instances where they suffer no injury they have no claim.

In June of 2012, LinkedIn experienced a security breach and the passwords of 6.5 million users were posted online. A few days later, two premium LinkedIn users, Katie Szpyrka and Khalilah Wright, filed a class-action lawsuit against LinkedIn on behalf of all users.

The lawsuit alleged that LinkedIn had failed to store passwords in salted SHA1 hashed format. According to the lawsuit, this is basic industry standard security practice and, by failing to adhere to them, LinkedIn had failed to abide by its Privacy Policy.

What the Privacy Policy actually states is:
“In order to help secure your personal information, access to your data on LinkedIn is password-protected, and sensitive data (such as credit card information) is protected by SSL encryption when it is exchanged between your web browser and the LinkedIn website. To protect any data you store on our servers, LinkedIn also regularly audits its system for possible vulnerabilities and attacks, and we use a tierone secured-access data center.

“However, since the internet is not a 100% secure environment, we cannot ensure or warrant the security of any information you transmit to LinkedIn. There is no guarantee that information may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards.

“It is your responsibility to protect the security of your login information. Please note that emails, instant messaging, and similar means of communication with other Users of LinkedIn are not encrypted, and we strongly advise you not to communicate any confidential information through these means.”

LinkedIn’s Privacy Policy does not promise industry standard security practices and, in fact, warns the user that, despite their efforts, breaches can occur. In court, the plaintiffs admitted that they had not even read the Privacy Policy, which no doubt weakened their argument.
The lawsuit also filed for damages based on the allegation that the premium users had paid LinkedIn in order to access the premium membership status of the social networking site. The plaintiffs expected this to include enhanced security measures but the premium membership offers no such thing. Rather, it merely offered more advanced tools and usage of LinkedIn’s services. Heightened security measures were never offered as part of the premium membership and, as such, the plaintiffs could not prove that they received any financial harm or injury.
The plaintiffs also failed to prove that the injuries they suffered as a result of the breach were “concrete and particularized” or “actual and imminent”. No one stole their identities or got into their accounts and, on these grounds, the judge dismissed the lawsuit.

Continue reading