The protection of a business's most critical data, its "crown jewels," has never been more important. The increase in attack sophistication, tempo, and success rate has made cybersecurity an "up at night" issue for the entire C-Suite. In response, innovators have stepped in with new security systems and innovations. Now, however, businesses must also (and simultaneously) address novel data privacy concerns arising from new law, like the California Consumer Privacy Act. For example, businesses must evaluate whether they are "selling" data, or whether they have a requisite basis for processing personal data. Frequently, these concerns are mitigated or eliminated by obtaining an "opt-in" or consent to the processing in question. Of course, obtaining such consent can be challenging. The good news is that some of the same innovators that have addressed cybersecurity now are attacking these issues with technological solutions as well. The bad news is that such innovation may not always be patentable, as Veripath, Inc. found out when its patent on a data privacy system was held invalid by the United States Court of Appeals for the Federal Circuit.1

On February 8, 2021, the Federal Circuit affirmed a district court's holding that the claims of U.S. Patent No. 10,075,451 (the "'451 patent") were invalid under 35 U.S.C. § 101 for claiming unpatentable subject matter. Generally, the '451 patent claims were directed to a data privacy system where users operate mobile device apps to "socialize, bank, shop, and navigate."2 Through use of the apps, information about users' activities or status was collected automatically.3 The '451 patent purported to address the drawbacks "of current data collection privacy schemes by providing an improved, more transparent opt-in process."4 Notably, the '451 patent describes an "arrangement [that] allows a component of an application (e.g., a mobile app), in conjunction with other components of a distributed system, to determine what information is to be collected from a user, how that information will be used, and what permissions are required from that user for that user."5

Representative claim 1 recites6:

A method for controlling access to a user's personal information comprising:

providing a software component for inclusion in an application, the software component having an application programming interface (API);

obtaining, from the application executing on a device of a user of the application, personal information about the user of the application, the personal information obtained via the API by the software component executing on the device;

identifying the type of the obtained personal information;

determining, based on at least the type of obtained personal information, a required permission from the user for at least one proposed use of the obtained personal information;

presenting, to the user, a first offer to provide access to at least one enhanced function of the application in exchange for the required permission; and

responsive to the user providing the required permission, providing the user with access to at least one enhanced function of the application.

Veripath alleged that Didomi infringed at least claim 1 of the '451 patent through implementation of Didomi's Consent Management Platform and Privacy Center.7 Didomi, in response, filed a motion to dismiss under Fed. R. Civ. P. 12(b)(6) asserting invalidity of the claims of the '451 patent under 35 U.S.C. § 101. The district court, using the two-part test set forth by the United States Supreme Court in Alice Corp. v. CLS Bank Int'l,8 held that the claims of the '451 patent were directed to patent-ineligible subject matter and were, therefore, invalid. Veripath appealed.

On appeal, the Federal Circuit undertook its own analysis of the claims under the Alice two-part test9:

Part I: are the claims directed to a law of nature, natural phenomenon, or abstract idea? If not, then the subject matter is patent-eligible. If yes, part II must be examined.

Part II: do the claims include an "inventive concept" sufficient to transform the nature of the claim into a patent-eligible application? That is, do the claims do more than recite an abstract idea while adding the words "apply it"? If yes, then the subject matter is patent-eligible. If no, then the subject matter is not patent-eligible.

Concerning Part I of the Alice test, Veripath argued that claim 1 of the '451 patent was not directed to an abstract idea, but rather it was directed to "a patent-eligible improvement to computer functionality."10 The Federal Circuit disagreed, holding that "at most, claim 1 is directed to no more than an improvement to the abstract notion of exchanging privacy for functionality that utilizes an API [application programming interface] to achieve a desired result."11 The court further confirmed that "it is not enough, however, to merely improve a fundamental practice or abstract process by invoking a computer merely as a tool."12 Thus, the Veripath court held that claim 1 of the '451 patent was directed to an abstract idea and proceeded to Part II of the Alice test.

With respect to Part II of the Alice test, Veripath argued that claim 1 of the '451 patent was directed to a "distributed data privacy system" that allows for the generation of a user-specific privacy disclosure based on a user's personal information before (1) presenting the user-specific privacy disclosure, (2) receiving the user's opt-in consent, (3) collecting the user's personal information, and (4) providing the user with enhanced functionality of the application.13 The Veripath court held that none of the recited steps transformed the nature of the claim into patent-eligible subject matter.14 Rather, "claim 1 comprises implementing the above-identified abstract idea using conventional steps, specified at a high level of generality."15 The court further stated that Veripath failed to explain how generating a disclosure before it is presented to a user "is anything but routine and conventional" and therefore, did not add an "inventive concept" to the claimed abstract idea.

The Veripath decision underscores the importance of developing patent-eligible data privacy systems that do, in fact, contain more than an abstract idea. Companies should not be deterred from innovating data privacy systems and seeking patent protection. In that process, however, they need to be mindful of what the actual inventive concept is in their new and/or improved data privacy system. Before seeking a patent, companies should examine what the invention does beyond conventional steps that require implementation by a computer (as seen in Veripath). For example, are there novel physical components that add more to the claimed invention? Is there a specific algorithm that may be patentable? Asking such questions can determine whether pursuit of a patent (or its defense) is worthwhile and cost-effective.


1. See Veripath, Inc. v. Didomi, 842 Fed. Appx. 640 (Fed. Cir. 2021).

2. Id. at 641.

3. See id.

4. Id.; '451 patent at col. 2, ll. 29-31.

5. Id.; '451 patent at col. 2, ll. 29-36.

6. '451 patent at col. 16, ll. 7-28.

7. Veripath, 842 Fed. Appx. at 642; Veripath, Inc. v. Didomi, C.A. No. 19-cv-1702 (S.D.N.Y.), D.I. 1 (Complaint) at ¶¶ 26-42.

8. Alice Corp. v. CLS Bank Int'l, 573 U.S. 208 (2014).

9. See id. at 217-221.

10. Veripath, 842 Fed. Appx. at 643.

11. Id. 

12. Id. (quoting Customedia Techs., LLC v. Dish Network Corp., 951 F.3d 1359, 1364 (Fed. Cir. 2020)).

13. See id. at 643.

14. See id.

15. Id. (internal quotations omitted).
