The TCPA litigation wave has sparked similar efforts to leverage the class action device and statutory damages framework under other consumer protection statutes that share common attributes, including the Biometric Information Privacy Act (BIPA), California Invasion of Privacy Act (CIPA), Federal Wiretap Act, Fair Credit Reporting Act (FCRA), Video Privacy Protection Act (VPPA), and the California Consumer Privacy Act (CCPA). Leveraging threats of class actions, attorneys have been blanketing companies with demand letters and mass filings under these statutes and others, including the Americans with Disabilities Act.
The TCPA Litigation Environment
The TCPA was enacted in 1991 and had an inauspicious start. Over several years, lawsuits were few and far between, with only 14 TCPA cases filed in 2007. See WebRecon LLC, Out Like a Lion . . . Debt Collection Litigation & CFPB Complaint Statistics, Dec 2015 & Year in Review (Jan. 18, 2016). With the widespread adoption of cellular phones and use of text messaging, combined with the TCPA’s uncapped damages and confusing regulations from the FCC, the number of TCPA cases skyrocketed over the next decade. Id. In the first half of 2020 alone, 2,106 cases were filed. See WebRecon LLC, WebRecon Stats for June 2020: An Interesting Dichotomy (July 20, 2020). These figures do not account for the pre-suit demand letters threatening class action litigation absent settlement.
At the heart of the explosion of TCPA filings is uncertainty surrounding what equipment constitutes an “automatic telephone dialing system” (ATDS) under the act. The TCPA prohibits certain calls to cellular phones made using an ATDS (or a prerecorded message or artificial voice) except if they are made with the requisite consent of the recipients or for an emergency purpose. 47 U.S.C. § 227(b)(1). The TCPA, in turn, defines an ATDS as “equipment which has the capacity—(A) to store or produce telephone numbers to be called, using a random or sequential number generator; and (B) to dial such numbers.” Id. § 227(a)(1).
Some plaintiffs have found success persuading courts that this definition—notwithstanding the clear statutory text—broadly encompasses any equipment that dials numbers from stored lists of specific telephone numbers even if it does not use a random or sequential generator. This theoretically means that any equipment used to send mass text messages, including your smart phone, could constitute an ATDS. The Ninth Circuit first adopted this atextual, broad definition in Marks v. Crunch San Diego, LLC, 904 F.3d 1041 (9th Cir. 2018), and again in Duguid v. Facebook, Inc., 926 F.3d 1146 (9th Cir. 2019). And this past year, the Second and Sixth Circuits aligned with the Ninth Circuit’s view. Duran v. La Boom Disco, Inc., 955 F.3d 279 (2d Cir. 2020); Allan v. Pa. Higher Educ. Assistance Agency, 968 F.3d 567 (6th Cir. 2020).
This atextual view of the ATDS definitional issue, however, has been far from universal. The Third, Seventh, and Eleventh Circuits have remained true to the statutory text and concluded that to be deemed an ATDS requires random or sequential number generation. Dominguez v. Yahoo, Inc., 894 F.3d 116 (3d Cir. 2018); Gadelhak v. AT&T Servs., Inc., 950 F.3d 458 (7th Cir. 2020); Glasser v. Hilton Grand Vacations Co., 948 F.3d 1301 (11th Cir. 2020). This deep circuit split has, not surprisingly, prompted forum shopping by TCPA plaintiffs.
Notably, the Supreme Court granted certiorari in Facebook Inc. v. Duguid (Duguid), No. 19-511, on July 9, 2020, to address the proper interpretation of an ATDS. Specifically, the Supreme Court agreed to resolve the following question:
Whether the definition of ATDS in the TCPA encompasses any device that can “store” and “automatically dial” telephone numbers, even if the device does not “us[e] a random or sequential number generator.”
Question Presented, Duguid, No. 19-511.
On September 4, 2020, Facebook submitted its opening brief. On the same day, the United States submitted a brief in support of Facebook’s position. The Unites States, like Facebook, supported the interpretation of an ATDS based on a plain reading of the unambiguous statutory text: “a device is an [ATDS] only if it has the capacity to use a random or sequential number generator to store or produce telephone numbers.” Brief for the United States as Respondent Supporting Petitioner at 14, Duguid, No. 19-511. The United States further explained that that there is “no current FCC interpretation to which a court could potentially defer” and that any change to the statutory definition of ATDS to account for technological changes must come from Congress. Id. at 12, 31, 33. The importance of the Supreme Court’s forthcoming decision in Duguid has been reinforced by substantial amicus support with over 30 organizations filing briefs in support of Facebook, including the U.S. Chamber of Commerce, Retail Litigation Center, National Retail Federation, Restaurant Law Center, Mortgage Bankers Association, the Professional Association for Customer Engagement, and the Washington Legal Foundation. Argument in Duguid is set for December 8, 2020, with a decision expected in the first half of 2021.
While the Supreme Court considers the ATDS definitional issue, TCPA litigation continues in earnest, with plaintiffs focusing more heavily on alleged calls using prerecorded messages—situations not implicated by the issue in Duguid.
Biometric Information Privacy Act
Several lawyers who found success prosecuting TCPA claims have shifted their focus to BIPA—an Illinois statute passed in 2008—over the past two years. The statute imposes onerous written notice and consent requirements on businesses that “collect, capture, purchase, receive through trade, or otherwise obtain” or store an individual’s biometric identifier or biometric information (information derived from biometric identifiers). Such data include fingerprints, palm prints, retina scans, and facial geometry. Businesses in possession of biometric information and biometric identifiers are required to develop a written policy, available to the public upon request, that sets forth the retention schedule and guidelines for destroying biometric data. The statute further requires businesses to provide written notification to employees or customers that their biometric data are being collected or stored and the specific purpose and length of term for which is the data are being collected, stored, and used, and to obtain a written release executed by consumers or employees. For employees, this written release can be a condition of employment. BIPA also prohibits companies from profiting from the sale of biometric data and permits disclosure of biometric data to third parties in only limited circumstances. Finally, BIPA dictates that businesses must protect biometric data from disclosure “using the reasonable standard of care within the [business’s] industry” and to the same degree as the business protects its most sensitive information.
BIPA cases have become commonplace in federal and state courts in Illinois—including numerous actions against companies not based in Illinois but with consumers or employees (or both) in the state. These cases frequently challenge employee timekeeping practices (biometric time clocks) and facial recognition technology that can be used for enhanced asset protection, customer experience, security clearances and identity verification, and gaming, among other things. Recently, litigation has been filed under BIPA challenging employee COVID-19 temperature checks that allegedly applied facial recognition technology.
With the exception of certain cases involving facial recognition—including an action that prompted a $650 million settlement and recent cases centering on Clearview AI’s facial recognition database—the vast majority of these actions have focused on the use of biometric time clocks for employees. The availability of uncapped statutory damages ($1,000 up to $5,000 per violation) and attorney fees, coupled with the Illinois Supreme Court’s 2019 ruling in Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (2019), that actual injury isn’t required to state a claim, has made this statute attractive to plaintiffs and their counsel. There remain open questions over the applicable statute of limitations, the calculation of statutory damages, and other key issues under BIPA. See Petition for Permission to Appeal, White Castle Sys., Inc. v. Cothron, No. 20-8029 (7th Cir. Oct. 13, 2020), ECF No. 1.
While biometric data are specifically addressed in the laws of certain other states (e.g., Washington and Texas), those states have no private rights of action. The CCPA specifically addresses biometric data, but as noted below, the private right of action is limited to incidents of breach.
California Consumer Privacy Act
Over the past few months, there have been threatened and filed putative class actions pursuant to the CCPA’s private right of action. The CCPA’s private right of action is narrow and limited to incidents of breach as a result of businesses’ failures to implement and maintain reasonable security procedures. Cal. Civ. Code § 1798.150. An attempt to expand the scope of the CCPA’s private right of action (SB 561) to cover violations of CCPA rights was unsuccessful in May 2019. Certain plaintiffs’ attorneys have been seeking to test the contours of the CCPA’s private right of action in court, and others have sent pre-litigation demand letters (sometimes with draft complaints) invoking the CCPA in the class action context. Notably, we have seen claims pertaining to the notice and opt-out requirements and using the CCPA as the basis for Unfair Competition Law (UCL) claims. Such claims should prove unsuccessful because they are outside the scope of the private right of action, and the CCPA expressly states that it should not be interpreted to serve as the basis for claims under other laws. Cal. Civ. Code § 1798.150(c). There have also been cases that are based on alleged activities that preceded the CCPA’s effective date that should not get traction.
Importantly, under the California Privacy Rights Act (CPRA or CCPA 2.0), which passed on the November 2020 ballot and is poised to take effect (amending the CCPA) on January 1, 2023, the private right of action would remain limited to data breach incidents and should not fundamentally alter the class action environment. It would, however, expand the private right of action for data breaches that resulted in the disclosure of email addresses combined with credentials (passwords or security questions). Compliance efforts under the CPRA will have to be examined as it provides California consumers with new rights of correction and further limits the use and disclosure of a new category of “sensitive personal information.” And enforcement of the CCPA will be dramatically altered by the creation of a new, dedicated agency that will have a $10 million budget and he ability to levy administrative fines ranging from $2,500 to $7,500 for each violation.
Conclusion
The TCPA has been the source of an unprecedented wave of litigation in courts across the country, as well as the basis for pre-litigation demand letters sent en masse. In our view, its use in this regard has served as a road map for the plaintiffs’ bar in seeking to enforce other federal and state privacy laws that have private rights of action. It is important for businesses and practitioners to be mindful of the evolving landscape and the ways in which new theories are being tested and new laws are taking shape. It is also crucial for legislatures to hear from both consumer groups and businesses to ensure that state privacy legislation intended to combat abusive practices does not instead become the basis for them.