Hollywood movie star Reese Witherspoon and her clothing line, Draper James, LLC, have found themselves the subjects of a public relations debacle and now a class action, after a promotion for teachers went horribly wrong.

In April, Draper James ran an Instagram promotion to recognize and thank teachers for their work during the COVID-19 pandemic. The April 2, 2020 promotion post stated: “Dear Teachers: We want to say thank you. During quarantine we see you working harder than ever to educate our children. To show our gratitude, Draper James would like to give teachers a free dress.”

The Instagram post went on to provide further details of the promotion, including that to “apply”, teachers needed to fill out a form with their name and work email addresses, a photo of their school IDs, the grade level and subjects they teach, as well as their school name and state. In exchange for providing what the teachers alleged to be “sensitive personal, employment information,” teachers thought they would receive a free dress from the brand. While the Instagram post did caveat in a parenthetical that the offer was “valid while supplies last – winners will be notified on Tuesday April 7th”, the post did not disclose that only 250 teachers would receive a free dress. The lawsuit claims that the “vague illusory comment” was insufficient to place a reasonable consumer on notice that this was a sweepstakes or that the brand would “only be making an unreasonably limited number of products available under this offer.”

Although the California Consumer Privacy Act (CCPA) specifically precludes private lawsuits except for those resulting from certain data breaches, that has not stopped at least one plaintiff from bringing a putative class action based on an alleged CCPA violation.

A proposed class action was filed on February 27, 2020, in the Southern District of California against Clearview AI (Burke v. Clearview AI, Inc., S.D. Cal., No. 3:20-cv-00370-BAS-MSB). The complaint alleges that Clearview’s facial recognition technology – which scrapes, without notice or consent, social media websites for images of consumers’ faces – violates, among other laws, both the CCPA and the Illinois Biometric Information Privacy Act (BIPA). According to the complaint, Clearview’s facial recognition software uses the billions of scraped images in its database to generate a type of biometric information, known as a “faceprint,” to match a face to other personally identifiable information; it then sells access to the faceprint database to law enforcement agencies and private companies. The complaint charges that Clearview improperly collected personal information without properly notifying consumers.

In the wake of the U.S. Supreme Court’s decision in Spokeo v. Robins, 136 S. Ct. 1540 (2016), there has been a plethora of litigation in privacy class actions over whether federal courts can exercise subject-matter jurisdiction over the asserted statutory or common law claims. However, in addition to considering whether a court has subject-matter jurisdiction, entities hit with a putative privacy class action should also consider whether the court can exercise personal jurisdiction over the parties and claims.

There are two types of personal jurisdiction: general and specific. Over the course of the last decade, the U.S. Supreme Court has limited the forums in which a court can exercise general – or all purpose – jurisdiction over a defendant. In most cases, those forums will be only an entity’s state of incorporation and principal place of business. The result has been an increased focus on whether courts have specific – or case-linked – jurisdiction. Now, entities – even those that conduct business in all 50 states – may be able to successfully bring a motion to dismiss for lack of personal jurisdiction where the entity’s contacts with the forum did not give rise to the claims against it.

In addition, the Supreme Court’s decision in Bristol-Myers Squibb Co. v. Superior Court of California, San Francisco Cty., 137 S. Ct. 1773 (2017) (Bristol-Myers) opened the door to an additional use of the lack of personal jurisdiction defense in nationwide privacy class actions. Relying on Bristol-Myers, several district courts have permitted entities hit with nationwide class actions to limit the putative class where the absent class members’ claims did not arise from the entity’s contacts with the forum state.

Michaels escaped a potential class action alleging Fair Credit Reporting Act (“FCRA”) violations late last month when a federal judge found the United States Supreme Court’s recent decision in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016) foreclosed the plaintiffs’ claim for a bare statutory violation not resulting in concrete damages. The recent ruling in In re: Michaels Stores, Inc., Fair Credit Reporting Act (FCRA) Litigation confirms the significance of the Spokeo decision and also provides FCRA defendants with additional ammunition to use in fighting statutory violation claims where damages are lacking.

The Michaels suit was based upon the consolidation of three proposed class actions alleging the store failed to clearly and conspicuously announce its intent to obtain background checks in a separate document containing only that disclosure, which was in violation of the FCRA. Instead of providing a standalone document, Michaels did disclose that it would be obtaining such checks as part of its online employment application. The complaints in the class pointed to 15 U.S.C. § 1681b(b)(2)(A), which directs that an employer may not procure a consumer report for employment purposes without providing a “clear and conspicuous disclosure…in a document that consists solely of the disclosure….”

Affirming a lower court decision this blog discussed here, the Superior Court of Pennsylvania held January 12 that dismissal of a proposed data breach class action was proper, because the University of Pittsburgh Medical Center lacked a legal duty to protect employee information stolen by a third party. The 2-1 majority’s finding that UPMC had no duty of care to protect the compromised information was based upon a thorough analysis of factors the Pennsylvania Supreme Court has established for determining the existence of a duty.  The dissent analyzed the same factors but argued that on balance, they weighed in favor of finding a duty.

While the United States Supreme Court’s ruling in Spokeo v. Robins, 136 S. Ct. 1540 (2016), has garnered much attention after being cited by numerous courts as a means to dismiss data privacy class actions, defendants should never count out any potential avenues for exiting such a suit; in Pennsylvania (and in many other states following the same legal principle), the economic loss doctrine can also provide summary relief.  As demonstrated in Longenecker-Wells, et al. v. Benecard Services, Inc., et al., No. 15-3538, 2016 WL 4474701 (3d Cir. Aug. 25, 2016), even in data breach suits where actual harm exists and plaintiffs have standing, a quick dismissal is still possible.

The Benecard suit was initiated by former employees and customer members of Benecard Services Inc., which provides medical and vision supply services to public and private organizations.  Plaintiffs sued after unknown third parties breached Benecard’s computer system and accessed plaintiffs’ personal and confidential information.  The hackers then used that information to file fraudulent tax returns, which caused the IRS to issue tax refunds to the third parties rather than to the plaintiffs. 

In a sign of the continuing significance of the U.S. Supreme Court’s recent ruling in Spokeo v. Robins, 136 S. Ct. 1540 (May 24, 2016), another federal court has cited that ruling in dismissing claims for lack of Article III standing. In Gubula v. Time Warner Cable, Inc., No. 15-cv-1078 (E.D. Wis. June

Just days after the Supreme Court’s ruling in Spokeo v. Robins, the highly anticipated decision is already impacting data breach class actions across the country. The defendant in the Spokeo case contended that the plaintiff had suffered no concrete injury, and that a mere statutory violation is not enough of an injury to

The federal judiciary derives its power from Article III of the United States Constitution. That power is limited to deciding “Cases” and “Controversies,” Art. III, section 2. In the case of Spokeo v. Robins, the United States Supreme Court considered whether a plaintiff presents such a “case” or “controversy” where he only alleged a violation of a consumer protection statute, but did not allege any additional harm. The statute in question was the Fair Credit Reporting Act (“FCRA”). The Court found that plaintiff “cannot satisfy the demands of Article III by alleging a bare procedural violation. A violation of one of the FCRA’s procedural requirements may result in no harm.” Slip op. at 10. Even though Congress enacted the FCRA to avoid dissemination of inaccurate information, for example, “It is difficult to imagine how the dissemination of an incorrect zip code, without more, could work any concrete harm.” Id. at 11. The Supreme Court remanded this case for the Ninth Circuit Court of Appeals to further consider whether this plaintiff presented a “concrete injury” justifying the assertion of Article III jurisdiction.

In an encouraging development for data breach defendants, the Superior Court of Pennsylvania recently affirmed a trial court decision rejecting class certification in a suit filed against two Medicare programs for losing a flash drive containing personal information of 286,000 subscribers. The appellate court found that since the Philadelphia Court of Common Pleas “carefully considered the numerosity, typicality, adequacy of representation, and fair and efficient method of adjudication requirements for class certification,” it had not abused its discretion by denying class certification in March 2015.  More broadly, the decision (Baum v. Keystone Mercy Health Plan, et al., No. 1250 EDA 2015 (Pa. Super. April 26, 2016)) indicates a resistance to permitting class claims to move forward where members have not suffered an ascertainable loss and where individual issues predominate, which may be the case in many data breach suits.