New Year, New Privacy Shakedowns: Six Resolutions for Keeping Warm

Voiceprints

• In September 2022, five large financial institutions were sued in California federal court by plaintiffs asserting that prior express written consent was required under California Penal Code § 637.3 before the institutions could record phone calls to create voiceprints. Some institutions broke the icy grip with quick settlements, while others battled longer winters. The plaintiffs, however, suffered a major defeat in a recent motion to dismiss ruling that voiceprints used only for identity verification were not a violation of California Penal Code § 637.3. The decision, while a welcome relief, may not shelter users of other voice-based analytics, and plaintiffs may use their opportunity at an amended complaint to raise other bases to support their claims. The litigations are just one more example of the frosty risks associated with biometrics, even for an industry that has largely (though not entirely) avoided litigation under Illinois’s Biometric Information Privacy Act.

Website Technologies

• These cold fronts began outside the financial service industry, but the industry is now feeling their blusters. Hard-freeze areas include:
  • Session Replay Technology.
  • Plaintiffs are using a variety of theories (e.g., wiretapping statutes, unfair trade practices, invasion of privacy claims (both common law and statutory, such as pursuant to California’s Invasion of Privacy Act)) to allege insufficient notice and consent related to website technologies. When it comes to session replay technology, plaintiffs have claimed that they are owed:
    • Pre-recording website pop-up messages alerting them to the session recording; and
    • Specific disclosures in companies’ website privacy policies.
  • Website Video Viewing Data.
  • The latest winter bomb cyclone involves the Video Privacy Protection Act of 1988 (VPPA) and educational and marketing videos appearing on websites. The VPPA was intended to protect individuals’ video rental and sale history, but its chill has expanded over the years. The atmospheric pressure significantly dropped in September 2022, when one such claim survived a motion to dismiss, triggering a blizzard of putative class actions.
  • Plaintiffs allege that any sharing of information reflecting their viewing of a video on a website (e.g., sharing information that a particular user viewed a video so that that individual can be targeted for further advertising) requires informed, written consent. Although the VPPA has several exceptions (most obviously, sharing “for the exclusive use of marketing goods and services directly to the consumer,” which only requires opt-out consent, and “incident to the ordinary course of business”), these exceptions have not yet been applied in relation to current technologies. Shakedown communications are blanketing entities with websites that include videos. The communications commonly allege that the website has been sharing video viewing data with companies, such as through the use of Facebook pixels, and demand compensation.
• Such litigations frequently include substantial claims for statutory damages and attorneys’ fees and are based on allegations that the defendants have not: (1) provided the requisite notice; and (2) secured necessary consent. Below are six New Year resolutions to fight the frost.

1. Take an inventory of the technologies being employed on your websites, the data flows involved, and the optional settings available.
2. Sensitize your team to the associated requirements and risks involved in different technologies, settings, and data practices.
3. Review your existing privacy notices and processes for documenting consent, and if appropriate, bolster them, even if not legally required.
4. Negotiate vendor contracts to favorably allocate risk.
5. Revise website terms of use to maximize the enforceability of arbitration and class action waiver provisions.
6. If you receive a shakedown communication, be wary of the thin ice.

Bundle up; it’s going to be a long winter.