Photo of David Poell

David Poell is an associate in the Business Trial Practice Group in the firm’s Chicago office, particularly focusing on the areas of consumer privacy and class action litigation.

The Supreme Court’s recent decision in Van Buren addressed the meaning of the term “exceeds authorized access” under the Computer Fraud and Abuse Act (CFAA). The Court held, in a criminal case that alleged that the person used information for an improper purpose, that the law’s definition of this term does not include situations when people have improper motives for obtaining computerized information they are otherwise authorized to access.
Continue Reading The Impact of the Narrowed Scope of CFAA Liability in the Privacy and Security Realm

The Illinois Biometric Information Privacy Act (BIPA) has spawned hundreds of class action lawsuits and a raft of unresolved issues.  A core issue from a litigation perspective—as well as for companies bracing for potential lawsuits—is one of “standing,” and in particular, what BIPA claims can be brought by plaintiffs in what venues.

Continue Reading Beware BIPA Bifurcation: Plaintiffs’ New Gambit to Split BIPA Claims Between State and Federal Courts 

The Federal Trade Commission recently entered the biometric fray. It settled with a now-defunct photo-storage app over its use of facial recognition technology. According to the FTC, the company engaged in a variety of deceptive and unfair acts, in violation of Section 5 of the FTC Act.
Continue Reading Defunct Photo App Agrees to Erase Biometric Data in FTC Settlement

The FCC recently adopted new rules that will limit the volume of calls that can be made to residential phones under certain TCPA consent exceptions. The new rules affect non-telemarketing calls that use an artificial or prerecorded voice. For years, companies have been able to make unlimited numbers of these calls to residential lines without the need for prior express consent if the exceptions applied. Beginning later in 2021, companies will need to follow volume limits for the following types of exempted calls, unless they have obtained prior express consent to make more calls. The new limits will apply to calls that fall into one of these consent exceptions:
Continue Reading FCC Sets Volume Limits For Some Prerecorded Calls to Home Phones

The Supreme Court’s recent decision in Barr v. American Association of Political Consultants held the government-debt exception of the TCPA unconstitutional under the First Amendment’s Free Speech Clause.  This means that going forward, companies that make “debt-collection” calls on behalf of the federal government can only do so with the prior express written consent of the called individuals.
Continue Reading TCPA’s 2015 Government-Debt Collection Exception Struck Down- Now What?

The Seventh Circuit has recently ruled that plaintiffs have standing to enforce the Illinois Biometric Information Privacy Act’s informed consent requirements in federal court. As we have written before, , BIPA regulates the collection, use, and retention of a person’s biometric information, e.g., fingerprints, face scans, etc. For years, federal trial courts have been split on whether a violation of BIPA’s informed consent provision is alone sufficient to confer Article III standing. . The decision in Bryant v. Compass Group USA, Inc., — F.3d —-, 2020 WL 2121463 (7th Cir. May 5, 2020) removes that uncertainty and will drastically change the landscape of BIPA litigation going forward.
Continue Reading Seventh Circuit Issues Landmark BIPA Decision

For the first time, the U.S. Supreme Court has agreed to review the Computer Fraud and Abuse Act (CFAA) in Van Buren v. United States, No. 19-783. A federal circuit split exists on the issue of whether the statute can only be used against hackers and unauthorized users of electronic systems, or also against authorized users who use the information for unauthorized purposes. In the context of data breaches, companies sometimes look to interpretations of the meaning of “authorization” in CFAA cases to analyze whether notification obligations may exist.
Continue Reading SCOTUS Review of CFAA May Impact Analysis in Data Breach Notification Obligations

The FCC recently issued a declaratory ruling explaining what calls and text message alerts it viewed as “emergency” for purposes of the Telephone Consumer Protection Act. Under TCPA, requirements to obtain consent to make certain calls and texts to cell phone numbers do not apply when a message is an “emergency.” Under the FCC’s new ruling, certain calls and texts from government officials and healthcare providers about the COVID-19 pandemic will be viewed as emergency messages.
Continue Reading FCC Ruling Helps Clarify What COVID-19 Texts and Calls Are “Emergency” Under TCPA

The Securities and Exchange Commission recently published a set of observations designed to assist financial market participants. While not legally binding, the observations are guideposts for investment companies, securities issuers, and others. They outline steps to improve cyber preparedness and to protect against well-known and evolving cybersecurity threats faced by companies in the United States and worldwide.
Continue Reading Buyers (And Sellers) Beware!: SEC Observations on Cybersecurity and Resiliency

On Election Day 2018, in the State that boasts the official motto of “Live Free or Die,” over 80% of New Hampshire voters overwhelmingly approved an amendment to the State Constitution enshrining an explicit “right to privacy” to New Hampshire residents. Question 2 on New Hampshire ballots asked voters to approve (or reject) the following language to the New Hampshire Constitution: An individual’s right to live free from governmental intrusion in private or personal information is natural, essential, and inherent. Having received the required approval of over two-thirds of voters, the language of Question 2 will be added as Article 2-b (“Right to Privacy”) to the New Hampshire Constitution.
Continue Reading Live Free or Die Trying—New Hampshire Voters Enshrine Right to Privacy in State’s Constitution

In the recent case of Marks v. Crunch San Diego, LLC, 904 F.3d 1041 (9th Cir. 2018) the Ninth Circuit broadly interpreted the TCPA’s definition of automatic telephone dialing system (often referred to as ATDS) to include devices with the capacity to dial stored numbers automatically. The device at issue in Marks is called the “Textmunication” system, which the Court described as “a web-based marketing platform designed to send promotional text messages to a list of stored telephone numbers.” The defendant, Crunch Fitness, had communicated with current and prospective gym members by sending them text messages via the Textmunication system. The plaintiff, Jordan Marks, had signed up for a gym membership and subsequently received three text messages over an 11-month period. Marks sued Crunch Fitness and alleged that the text messages violated the TCPA.  The district court granted summary judgment in favor of Crunch Fitness after concluding that the Textmunication system did not constitute an ATDS because it presently lacked a “random or sequential number generator” and did not have the potential to add this feature.
Continue Reading Ninth Circuit Opens Door for More Expansive Meaning of ATDS in TCPA Cases