Photo of Alexis Collins

Alexis Collins’ practice focuses on litigation, including criminal and regulatory enforcement matters and complex civil and antitrust litigation.

In late July 2019, U.S. federal and state regulators announced three headline‑grabbing data privacy and cybersecurity enforcement actions against Equifax and Facebook.  Although coverage of these cases has focused largely on their striking financial penalties, as important are the terms the settlements imposed on the companies’ operations as well as their officers, directors, and compliance professionals—and what they signal about potential future enforcement activity to come.
Continue Reading

On June 24th, Senators Mark Warner (D-VA) and Josh Hawley (R-MO) introduced a bill that would require large technology companies to regularly disclose to their users and the Securities and Exchange Commission (SEC) the value of the user data they collect and monetize.  The bipartisan bill, cited as the Designing Accounting Safeguards to Help Broaden Oversight and Regulations on Data (DASHBOARD) Act, is intended to capture major online platforms such as Amazon, Facebook, Google and Twitter that offer “free” services to users while monetizing user data through targeted advertising.

Continue Reading

Potentially signaling an expansion of the scope of constitutional standing in data breach cases, a district court in the Northern District of California recently held that the exposure of users’ non-sensitive, publicly available personal information may be sufficient to establish an injury-in-fact.[1]
Continue Reading

In the past year, members of the U.S. Congress and Senate on both sides of the aisle have proposed data privacy bills that would impose nationwide standards on companies who collect and/or share consumers’ personal information. Currently, all 50 states have separate, but often overlapping, data privacy regimes—each subjecting companies to various combinations of recordkeeping standards, data sharing restrictions, and data breach reporting requirements—creating a patchwork of state laws that can generate substantial uncertainty for corporations.
Continue Reading

On May 8, 2019, Commissioners from Federal Trade Commission repeated their calls for federal data privacy legislation enforceable by the FTC at a hearing by the House Committee on Energy & Commerce titled “Oversight of the Federal Trade Commission: Strengthening Protections for Americans’ Privacy and Data Security.”
Continue Reading

On April 9, 2019, an appellate court in Illinois held in Liu v. Four Seasons Hotel, Ltd.[1] that an employee’s allegations of violations of the state’s Biometric Information Privacy Act (“BIPA” or the “Act”) do not constitute allegations of “a wage or hour violation,” even where collection of biometric data is being used to monitor hours worked.  Coming on the heels of the Illinois Supreme Court’s decision in Rosenbach v. Six Flags Entertainment Corporation,[2] which held that plaintiffs are not required to allege harm beyond a “technical” violation of the Act in order to bring an action under BIPA, Liu demonstrates a developing pattern of recognition of broad privacy rights in Illinois courts.
Continue Reading

On April 10, 2019, the Department of Justice (“DOJ”) released a white paper titled Promoting Public Safety, Privacy, and the Rule of Law Around the World:  The Purpose and Impact of the CLOUD Act.  This white paper is the first official DOJ statement about the Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”) and reflects the DOJ’s current perspective on its scope and implications.  Below we summarize the CLOUD Act and discuss the DOJ’s key observations.
Continue Reading

On March 20, 2019, in Frank v. Gaos, the Supreme Court remanded a case challenging Google’s practice of disclosing users’ search terms to third parties, directing the lower courts to address whether class plaintiffs had Article III standing to bring the privacy action in light of Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016).[1]  Frank v. Gaos was originally notable because it had been resolved by a cy pres-only class action settlement, which had been appealed by objecting class members as inconsistent with Federal Rule of Civil Procedure 23.  As part of the remand, the Court vacated the settlement without opining on its validity.
Continue Reading

On Friday, March 15, 2019, the U.S. Federal Trade Commission (“FTC”) issued its 2018 Privacy & Data Security Update (the “Update”) detailing its activities last year in seven “zones” of privacy and data security: enforcement, advocacy, rules, workshops, reports and surveys, consumer education and business guidance, and international engagement. 
Continue Reading

On January 25, 2019, the Illinois Supreme Court held in Rosenbach v. Six Flags Entertainment Corporation that plaintiffs are not required to allege actual harm in order to seek damages against private entities under the state’s Biometric Information Privacy Act (BIPA).  BIPA regulates companies’ collection, retention, and disclosure of biometric identifiers.  It further provides a private right of action for persons “aggrieved” by a violation of the Act for recovery of liquidated damages, injunctive relief, attorneys’ fees, and costs.  By allowing suits for technical violations of BIPA’s notice and consent provision to go forward, the Rosenbach decision will likely encourage the filing of new cases under the Act and may influence the interpretation of data privacy laws in other states.
Continue Reading