November 14, 2017

Data, Privacy & Security Practice Report – November 7, 2017

Ad Groups Ask FTC To Focus On Concrete Injuries, Not Subjective Emotional Distress – Several advertising groups recently filed comments with the Federal Trade Commission (“FTC”) urging the organization to pursue enforcement actions only against security and privacy practices that cause “concrete injuries” to consumers. The comments were solicited by the FTC in advance of a planned “Informational Injury” workshop, which is to be held on December 12, 2017. The purpose of the workshop is to examine consumer injury in the context of privacy and data security.

In their comments, the advertising groups argue that a concrete harm standard for informational injuries creates predictability for businesses. The advertising trade associations collectively represent thousands of companies that collect data about consumers. They note that any expansion in the definition of informational injury would limit the collection and use of data, which would harm the consumers who benefit from ad-supported content. The associations also note that self-regulatory programs, such as the Digital Advertising Alliance, are flexible, effective in bringing companies into compliance, and retain the option of referring unresolved enforcement actions to the FTC.

The Center for Democracy & Technology (“CDT”), a privacy advocate, also filed comments, arguing that the risks arising from the processing of personal information include “not just economic loss but also diminished capacity for autonomy and self-determination, discrimination (legal or otherwise), and a generalized loss of trust.” The CDT argues that, due to a lack of control over their information, users experience subjective privacy harms consisting of “pervasive fears, discomforts, and other chilling effects,” but also admits that such privacy violations are difficult to quantify.

The FTC may find the advertising associations’ argument more persuasive, given that acting FTC Chair Maureen Ohlhausen has said previously that the agency should focus on cases with “objective, concrete harms such as monetary injury and unwarranted health and safety risks,” rather than “speculative injury, or on subjective types of harm.”

As the FTC seeks consensus on how to characterize and evaluate privacy injuries, federal courts of appeal remain split after the U.S. Supreme Court’s decision in Spokeo, Inc. v. Robins on what constitutes a sufficiently “concrete” harm for the purposes of Article III standing. In a petition for writ of certiorari filed on Monday, October 30, health insurer CareFirst urged the Supreme Court to resolve the circuit split and hold that an increased risk of future identity theft is not an “imminent” injury and does not confer standing. As data breaches become increasingly prevalent—even inevitable—the case presents an opportunity for the Supreme Court to stem the growing tide of class action lawsuits filed by plaintiffs who suffer subjective and emotional, but not concrete or imminent, harms.

Reporter, Anush Emelianova, Atlanta, GA, +1 404 572 4616

Biometrics Class Action Suits Proliferate In Illinois – Over the past few months, businesses have seen a significant uptick in putative class action lawsuits filed in Illinois state court, alleging claims under Illinois’ 2008 privacy law, the Biometric Information Privacy Act (“BIPA”). 740 ILCS 14/1 et seq.

At least 27 employment class actions alleging violations of the Illinois BIPA have been filed in Illinois state court since July 2017. Many of these suits contain similar allegations, including that employers are violating BIPA by collecting employees’ fingerprints, retina scans, or other biometric data for use in timekeeping systems but are failing to provide written notice or to obtain the required written consent of their employees. The cases also allege violations of BIPA by defendants for failing to promulgate a policy on usage and destruction of the biometric data.

Plaintiffs in these suits seek to recover statutory liquidated damages of $1,000 for each negligent violation, or $5,000 for each intentional or reckless violation. Plaintiffs additionally seek injunctive relief and attorney’s fees and costs.

Illinois’ BIPA law generally requires that a business collecting biometric data, including fingerprints and retina scans, obtain written consent before using such data. As this privacy area becomes more litigated, and as timekeeping technology continues to become more advanced, businesses must remain diligent in complying with state privacy laws, including BIPA.

Reporter, Brittany N. Clark, Washington, D.C., +1 202 626 5528


10th Annual King & Spalding Pharmaceutical University – On Thursday, November 9, 2017, King & Spalding will host its 10th Annual Pharmaceutical University, a full day of presentations on subjects critical to drug and biologics manufacturers, their in-house counsel, managers, and executives. For almost a decade, King & Spalding’s Pharmaceutical University has provided timely, in-depth, practical insight into almost every area of law affecting the development, manufacture, and sale of pharmaceuticals and biologics. At our tenth annual event this November, Pharma U will again provide the sophisticated variety of presentations that hundreds of industry attendees have come to rely upon year after year. We hope you will join us in Philadelphia on November 9 at our three-track symposium addressing regulatory, enforcement, intellectual property, commercial, corporate, litigation, international trade, and political issues, among many other topics that will demand your attention in 2018.