Federal Judge Partially Dismisses Claims in ByteDance Data Privacy Suit
A federal judge dismissed several claims against Chinese technology company ByteDance, including that it violated the Computer Fraud and Abuse Act (CFAA), the Electronic Communications Privacy Act (ECPA) and the California Invasion of Privacy Act (CIPA). But in the Friday ruling, U.S. District Court for Northern Illinois Judge Georgia Alexakis allowed a claim ByteDance violated the Biometric Information Privacy Act (BIPA), as well as the restitution and unjust enrichment claim against the company, to continue in the privacy case.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
In their 2023 class-action lawsuit, plaintiffs alleged ByteDance unlawfully collected a wide range of users' private information -- including biometric data -- and profited off it.
With the ECPA claims, "plaintiffs are asking the Court to make an unreasonable inferential leap," because "although the predicate facts alleged describe how an interception could occur, plaintiffs do not credibly allege that defendants in fact intercepted their communications," the judge said. "The complaint does not allege, for example, how the interception occurred, whose communications were intercepted, or what was contained in those communications."
And the CIPA "claim suffers the same flaw as the ECPA claim," Alexakis added. "Although plaintiffs plead user communications that could be the subject of eavesdropping, they do not plead facts to plausibly suggest that any eavesdropping in fact occurred."
To argue a violation of the CFAA, "a plaintiff must plead that a defendant’s 'actions caused loss of more than $5,000 during any one-year period,'” Alexakis said. The plaintiffs focus on the loss of "subscription fees for users who paid for" additional software services and "device battery drain resulting in unnecessary electricity costs," which fall short of a true violation. "Subscription fees do not represent 'harm to computer data, programs, systems, or information services,' which is what qualifies as loss under the CFAA," Alexakis said, and the "battery drainage theory fares no better."
Though she dismissed the above claims and several others, the judge allowed the BIPA claims to stand, as the "plaintiffs adequately allege that defendants did not comply with at least some of" the eight different industry standards of care related to the handling of biometric data.
For example, "plaintiffs allege that defendants provided no 'notice and description of how they store and use biometric data and information,' which plausibly bears on how defendants 'transmit' that data," Alexaskis said. Additionally, "plaintiffs allege defendants go beyond using biometric data for video-making purposes and use it for other purposes," which is a violation of BIPA.
Alexakis gave ByteDance until Sept. 26 to answer the second amended complaint with the remaining claims, and asked for a joint status report by Oct. 10.
The class action against ByteDance, case 1:23-cv-04953 (see 2307300001), included an amended complaint filed in 2024 (see Ref:2401120043]) as well as additional claims (see 2402050043).