First BIPA Trial Results in $228M Judgment for Plaintiffs

Businesses defending class actions under the Illinois Biometric Information Privacy Act (BIPA) have struggled to defeat claims in recent years, as courts have rejected a succession of defenses.

We have been following this issue and have previously reported on this trend, which continued last week in the first BIPA class action to go to trial. The Illinois federal jury found that BNSF Railway Co. violated BIPA, resulting in a $228 million award to a class of more than 45,000 truck drivers.

Named plaintiff Richard Rogers filed suit in Illinois state court in April 2019, and BNSF removed the case to the US District Court for the Northern District of Illinois. Plaintiff alleged on behalf of a putative class of BNSF truck drivers that BNSF required the drivers to provide biometric identifiers in the form of fingerprints and hand geometry to access BNSF’s facilities. The lawsuit alleged BNSF violated BIPA by (i) failing to inform class members their biometric identifiers or information were being collected or stored prior to collection, (ii) failing to inform class members of the specific purpose and length of term for which the biometric identifiers or information were being collected, and (iii) failing to obtain informed written consent from class members prior to collection.

In October 2019, the court rejected BNSF’s legal defenses that the class’s BIPA claims were preempted by three federal statutes governing interstate commerce and transportation: the Federal Railroad Safety Act, the Interstate Commerce Commission Termination Act, and the Federal Aviation Administration Authorization Act. The court held that BIPA’s regulation of how BNSF obtained biometric identifiers or information did not unreasonably interfere with federal regulation of rail transportation, motor carrier prices, routes, or services, or safety and security of railroads.

Throughout the case, including at trial, BNSF also argued it should not be held liable where the biometric data was collected by its third-party contractor, Remprex LLC, which BNSF hired to process drivers at the gates of BNSF’s facilities. In March 2022, the court denied BNSF’s motion for summary judgment, pointing to evidence that BNSF employees were also involved in registering drivers in the biometric systems and that BNSF gave direction to Remprex regarding the management and use of the systems. The court concluded (correctly, as it turned out) that a jury could find that BNSF, not just Remprex, had violated BIPA.

The case proceeded to trial in October 2022 before US District Judge Matthew Kennelly. At trial, BNSF continued to argue it should not be held responsible for Remprex’s collection of drivers’ fingerprints. Plaintiff’s counsel argued BNSF could not avoid liability by pleading ignorance and pointing to a third-party contractor that BNSF controlled. Following a five-day trial and roughly one hour of deliberations, the jury returned a verdict in favor of the class, finding that BNSF recklessly or intentionally violated BIPA 45,600 times. The jury did not calculate damages. Rather, because BIPA provides for $5,000 in liquidated damages for every willful or reckless violation (and $1,000 for every negligent violation), Judge Kennelly applied BIPA’s damages provision, which resulted in a judgment of $228 million in damages. The judgment does not include attorneys’ fees, which plaintiff is entitled to and will inevitably seek under BIPA.

While an appeal will almost certainly follow, the BNSF case serves as a stark reminder of the potential exposure companies face under BIPA. Businesses that collect biometric data must ensure they do so in compliance with BIPA and other biometric privacy regulations. Where BIPA claims have been asserted, companies should promptly seek outside counsel to develop a legal strategy for a successful resolution.


© 2022 ArentFox Schiff LLP

Judge Approves $92 Million TikTok Settlement

On July 28, 2022, a federal judge approved TikTok’s $92 million class action settlement of various privacy claims made under state and federal law. The agreement will resolve litigation that began in 2019 and involved claims that TikTok, owned by the Chinese company ByteDance, violated the Illinois Biometric Information Privacy Act (“BIPA”) and the federal Video Privacy Protection Act (“VPPA”) by improperly harvesting users’ personal data. U.S. District Court Judge John Lee of the Northern District of Illinois also awarded approximately $29 million in fees to class counsel.

The class action claimants alleged that TikTok violated BIPA by collecting users’ faceprints without their consent and violated the VPPA by disclosing personally identifiable information about the videos people watched. The settlement agreement also provides for several forms of injunctive relief, including:

  • Refraining from collecting and storing biometric information, collecting geolocation data and collecting information from users’ clipboards, unless this is expressly disclosed in TikTok’s privacy policy and done in accordance with all applicable laws;
  • Not transmitting or storing U.S. user data outside of the U.S., unless this is expressly disclosed in TikTok’s privacy policy and done in accordance with all applicable laws;
  • No longer pre-uploading U.S. user generated content, unless this is expressly disclosed in TikTok’s privacy policy and done in accordance with all applicable laws;
  • Deleting all pre-uploaded user generated content from users who did not save or post the content; and
  • Training all employees and contractors on compliance with data privacy laws and company procedures.
Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

BREAKING: Seventh Circuit Certifies BIPA Accrual Question to Illinois Supreme Court in White Castle

Yesterday the Seventh Circuit issued a much-awaited ruling in the Cothron v. White Castle litigation, punting to the Illinois Supreme Court on the pivotal question of when a claim under the Illinois Biometric Privacy Act (“BIPA”) accrues. No. 20-3202 (7th Cir.). Read on to learn more and what it may mean for other biometric and data privacy litigations.

First, a brief recap of the facts of the dispute.  After Plaintiff started working at a White Castle in Illinois in 2004, White Castle began using an optional, consent-based finger-scan system for employees to sign documents and access their paystubs and computers.  Plaintiff consented in 2007 to the collection of her biometric data and then 11 years later—in 2018—filed suit against White Castle for purported violation of BIPA.

Plaintiff alleged that White Castle did not obtain consent to collect or disclose her fingerprints at the first instance the collection occurred under BIPA because BIPA did not exist in 2007.  Plaintiff asserted that she was “required” to scan her finger each time she accessed her work computer and weekly paystubs with White Castle and that her prior consent to the collection of biometric data did not satisfy BIPA’s requirements.  According to Plaintiff, White Castle violated BIPA Sections 15(b) and 15(d) by collecting, then “systematically and automatically” disclosing her biometric information without adhering to BIPA’s requirements (she claimed she did not consent under BIPA to the collection of her information until 2018). She sought statutory damages for “each” violation on behalf of herself and a putative class.

Before the district court, White Castle had moved to dismiss the Complaint and for judgment on the pleadings—both of which motions were denied. The district court sided with Plaintiff, holding that “[o]n the facts set forth in the pleadings, White Castle violated Section 15(b) when it first scanned [Plaintiff’s] fingerprint and violated Section 15(d) when it first disclosed her biometric information to a third party.” The district court also held that under Section 20 of BIPA, Plaintiff could recover for “each violation.” The court rejected White Castle’s argument that this was an absurd interpretation of the statute not in keeping with legislative intent, commenting that “[i]f the Illinois legislature agrees that this reading of BIPA is absurd, it is of course free to modify the statute” but “it is not the role of a court—particularly a federal court—to rewrite a state statute to avoid a construction that may penalize violations severely.”

White Castle filed an appeal of the district court’s ruling with the Seventh Circuit.  As presented by White Castle, the issue before the Seventh Circuit was “[w]hether, when conduct that allegedly violates BIPA is repeated, that conduct gives rise to a single claim under Sections 15(b) and 15(d) of BIPA, or multiple claims.”

In ruling yesterday that this issue was appropriate for the Illinois Supreme Court, the Seventh Circuit held that “[w]hether a claim accrues only once or repeatedly is an important and recurring question of Illinois law implicating state accrual principles as applied to this novel state statute. It requires authoritative guidance that only the state’s highest court can provide.” Here, the accrual issue is dispositive for purposes of Plaintiffs’ BIPA claim. As the Seventh Circuit recognized, “[t]he timeliness of the suit depends on whether a claim under the Act accrued each time [Plaintiff] scanned her fingerprint to access a work computer or just the first time.”

Interestingly, the Seventh Circuit drew a comparison to data privacy litigations outside the context of BIPA, stating that the parties’ “disagreement, framed differently, is whether the Act should be treated like a junk-fax statute for which a claim accrues for each unsolicited fax, [], or instead like certain privacy and reputational torts that accrue only at the initial publication of defamatory material.”

Several BIPA litigations have been stayed pending a ruling from the Seventh Circuit in White Castle and these cases will remain on pause going into 2022 pending a ruling from the Illinois Supreme Court.  While some had hoped for clarity on this area of BIPA jurisprudence by the end of the year, the Seventh Circuit’s ruling means that this litigation will remain a must-watch privacy case going forward.

Article By Kristin L. Bryan of Squire Patton Boggs (US) LLP


© Copyright 2021 Squire Patton Boggs (US) LLP

Temperature Checks: Three Things to Know Before Screening Employees and Customers

As businesses begin the calculated process of re-opening their doors to employees and customers, many are considering implementing temperature checks to monitor for at least one known COVID-19 symptom – the fever.

Beyond nailing down the logistics of temperature checks (e.g., who will perform them, has that person been trained, do employees need to be paid while waiting in line, how will social distancing be maintained, etc.) there are several significant legal considerations that should be evaluated before implementation.

The Illinois Biometric Privacy Act

Some temperature screening devices utilize facial-recognition technology to quickly identify those with fever so that they can be promptly tracked down and removed from the facility. While these systems provide logistical advantages, especially to large employers and retailers, they likely implicate provisions of the Illinois Biometric Privacy Act (BIPA) which can lead to costly litigation and result in stiff penalties for anyone who violates the statute, even unwittingly.

According to BIPA, businesses utilizing this type of facial-recognition technology must obtain advance, written consent from the individuals to be scanned, and must also maintain a publicly available policy that specifies information regarding the collection, use, storage, and destruction of individuals’ biometric information. And, again, these policies and consents must be executed and implemented before temperature screenings begin. It is, therefore, critical to determine whether your temperature screening devices perform facial recognition scans or capture other biometric information.

Confidentiality of Employee Information

Employers screening employee temperatures must also remember they are conducting a “medical examination,” as defined by the Equal Employment Opportunity Commission (EEOC), and would be wise to adhere to the EEOC’s guidance on the issue. This means information collected about employees’ temperature, such as the temperature readings themselves, or the fact that an employee had or has a fever, must be treated as confidential medical information and maintained in a confidential file separate from an employee’s personnel file. Employers should also take care to not divulge the identity of any employee sent home with fever, absent consent from the employee to share that information with other personnel, or a strict need-to-know among involved supervisor(s) or members of human resources.

The California Consumer Privacy Act

California’s sweeping new privacy law, the California Consumer Privacy Act (CCPA), contains broad protection of consumers’ “personal information,” and requires businesses subject to the statute to, among other things, notify consumers when their personal information is being collected. Though body temperature is not explicitly mentioned in the statute, the definition of “personal information” is broad, and includes information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer …” It includes biometric information. Whether an individual’s temperature constitutes personal information is up for some debate, but debates often lead to costly litigation, and it is easy enough to amend CCPA notices to include temperature until that debate is resolved in an effort to avoid litigation altogether.

So, if a business is subject to the CCPA and intends to collect employee or customer temperatures (whether or not with the use of biometric technology), it should consider updating its CCPA notices to include “temperature” (and, if applicable, scans of face geometry) to the list of personal information collected.


© 2020 Much Shelist, P.C.


Good News for Companies: Seventh Circuit Holds Removal of Plaintiffs’ Biometrics Privacy Claims to Federal Court OK

In a widely watched case, the Seventh Circuit decided last week that companies that collect individuals’ biometric data may be able to defend their cases in federal court when plaintiffs allege a procedural violation of Illinois’ Biometric Information Privacy Act (BIPA).

In Bryant v. Compass Group USA, Inc., the Seventh Circuit held that certain procedural violations of Illinois’ BIPA constituted actual injuries and therefore satisfied the requirements for federal court standing. Relying on Spokeo, the seminal U.S. Supreme Court case addressing what constitutes an actual injury for standing purposes, the court held that the plaintiff’s allegations, if proven, would demonstrate that she suffered an actual injury based on the fact that Compass did not obtain her consent before obtaining her private information. Therefore, the case could remain in federal court.

The decision now gives defendants that want to defend BIPA claims in federal court a roadmap for their arguments, including access to a larger jury pool, the Federal Rules of Procedure, and other federal court-related advantages. It is also notable because BIPA defendants have attempted to remove BIPA cases to federal court and then file motions to dismiss them for lack of standing. However, the federal courts have typically remanded these cases, forcing defendants back into state court and sometimes even requiring them to pay just costs and any actual expenses, including attorney fees, incurred as a result of the removal.[1]

What Happened in Bryant v. Compass Group USA

In Compass Group USA, a customer sued a vending machine manufacturer after she scanned her fingerprint into a vending machine to set up an account during her employer’s orientation. She then used her fingerprint to buy items from the vending machine.

The plaintiff filed a putative class action lawsuit on behalf of herself and all other persons similarly situated in state court alleging that Compass violated her statutory rights under BIPA by 1) obtaining her fingerprint without her written consent and 2) not establishing a publicly available data retention schedule or destruction guidelines for possession of biometric data as required by the statute.

Shortly after the plaintiff filed suit in Cook County Circuit Court, Compass filed a notice to remove the case to the Northern District of Illinois. Opposing the motion, the plaintiff argued that she did not have federal standing for her BIPA claims because she had not alleged an injury-in-fact as required by Article III.

Compass argued that the plaintiff had alleged an injury-in-fact under Article III, pointing to the recent Illinois Supreme Court case, Rosenbach v. Six Flags Ent. Corp., which held that plaintiffs can bring BIPA claims based on procedural violations, even if they have suffered no actual injury. Rosenbach held that, if a company, for example, fails to comply with BIPA’s requirement of establishing destruction guidelines for possession of biometric data, that violation alone – without any actual pecuniary or other injury – creates an actual injury.

The district court sided with the plaintiff and concluded that Rosenbach merely established “the policy of the Illinois courts” to allow plaintiffs to bring BIPA claims without alleging an actual injury. Rosenbach did not interpret procedural BIPA violations to be actual injuries.

Because the plaintiff’s claims did not establish Article III standing, the district court granted the plaintiff’s motion to remand the case back to state court.

The Seventh Circuit reversed, relying on Spokeo. It interpreted Spokeo as holding that injuries may still be particularized and concrete – i.e., actual – even if they are intangible or hard to prove. The court also cited Justice Thomas’ concurrence in Spokeo that distinguished between private rights (which courts have historically presumed to cause actual injuries) and public rights (which require a further showing of injury).

The court held that the plaintiff had alleged that she suffered an actual injury when Compass collected her biometric data without obtaining her informed consent because this was a private right. The court also relied on Fed. Election Comm’n v. Atkins, 525 U.S. 11 (1998).  In Atkins, the Supreme Court held that nondisclosure can be an actual injury if plaintiffs can show an impairment of their ability to use information in a way intended by the statute. The court in Compass similarly held that the defendant had denied the plaintiff the opportunity — and statutory right — to consider whether the terms of the defendant’s data collection and usage were acceptable. As a result, the court held that the plaintiff alleged an actual injury.

By contrast, the court determined that the plaintiff’s other claim – that the defendant violated BIPA by failing to make publicly available a data retention schedule and destruction guidelines for possession of biometric data – implicated a public right and did not cause the plaintiff an actual injury.


[1] See, e.g. Mocek v. Allsaints USA Ltd., 220 F. Supp. 3d 910, 914 (N.D. Ill. 2016) (“Defendant’s professed strategy of removing the case on the basis of federal jurisdiction, only to turn around and seek dismissal with prejudice—a remedy not supported by any of defendant’s cases—on the ground that federal jurisdiction was lacking, unnecessarily prolonged the proceedings. . . . For the foregoing reasons, I grant plaintiff’s motion for remand and attorneys’ fees and deny as moot defendant’s motion to dismiss. Because defendant has not objected to the specific fee amount plaintiff claims, which she supports with evidence in the form of affidavits and billing records, I find that plaintiff is entitled to payment in the amount of $58,112.50 pursuant to § 1447(c).”)

© 2020 Schiff Hardin LLP

Vimeo Hit with Class Action for Alleged Violations of Biometric Law

Vimeo, Inc. was sued last week in a class action case alleging that it violated the Illinois Biometric Information Privacy Act by “collecting, storing and using Plaintiff’s and other similarly situated individuals’ biometric identifiers and biometric information…without informed written consent.”

According to the Complaint, Vimeo “has created, collected and stored, in conjunction with its cloud-based Magisto service, thousands of “face templates” (or “face prints”)—highly detailed geometric maps of the face—from thousands of Magisto users.” The suit alleges that Vimeo creates these templates using facial recognition technology and “[E]ach face template that Vimeo extracts is unique to a particular individual, in the same way that a fingerprint or voiceprint uniquely identifies one and only one person.” The plaintiffs are trying to liken an image captured by facial recognition technology to a fingerprint by calling it a “faceprint.” Very creative in the wake of mixed reactions to the use of facial recognition technology in the Facebook and Shutterfly cases.

The suit alleges “users of Magisto upload millions of videos and/or photos per day, making videos and photographs a vital part of the Magisto experience….Users can download and connect any mobile device to Magisto to upload and access videos and photos to produce and edit their own videos….Unbeknownst to the average consumer, and in direct violation of…BIPA, Plaintiff…believes that Magisto’s facial recognition technology scans each and every video and photo uploaded to Magisto for faces, extracts geometric data relating to the unique points and contours (i.e., biometric identifiers) of each face, and then uses that data to create and store a template of each face—all without ever informing anyone of this practice.”

The suit further alleges that when a user uploads a photo, the Magisto service creates a template for each face depicted in the photo, and compares that face with others in its face database to see if there is a match. According to the Complaint, the templates are also able to recognize gender, age and location and are able to collect biometric information from non-users. All of this is done without consent of the individuals, and in alleged violation of BIPA.

Although we previously have seen some facial recognition cases alleging violation of BIPA, and there are numerous cases alleging violation of BIPA for collection of fingerprints in the employment setting, this case is a little different from those, and it will be interesting to watch.



Copyright © 2019 Robinson & Cole LLP. All rights reserved.

Six Flags Raises Red Flags: Illinois Supreme Court Weighs In On BIPA

On January 25, the Illinois Supreme Court held that a person can seek liquidated damages based on a technical violation of the Illinois Biometric Information Privacy Act (BIPA), even if that person has suffered no actual injury as a result of the violation. Rosenbach v. Six Flags Entertainment Corp. No. 123186 (Ill. Jan. 25, 2019) presents operational and legal issues for companies that collect fingerprints, facial scans, or other images that may be considered biometric information.

As we have previously addressed, BIPA requires Illinois businesses that collect biometric information from employees and consumers to, among other things, adopt written policies, notify individuals, and obtain written releases. A handful of other states impose similar requirements, but the Illinois BIPA is unique because it provides individuals whose data has been collected with a private right of action for violations of the statute.

Now, the Illinois Supreme Court has held that even technical violations may be actionable.  BIPA requires that businesses use a “reasonable standard of care” when storing, transmitting, or protecting biometric data, so as to protect the privacy of the person who provides the data. The rules are detailed. Among other things, BIPA requires businesses collecting or storing biometric data to do the following:

  • establish a written policy with a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information;
  • notify individuals in writing that the information is being collected or stored and the purpose and length of time for which the biometric identifier will be collected, stored, and used;
  • obtain a written release from the individual; and
  • not disclose biometric information to a third party without the individual’s consent.

The Illinois Supreme Court has now held that a plaintiff may be entitled to up to $5,000 in liquidated damages if a company violates any of these requirements, even without proof of actual damages.

In Rosenbach, the plaintiff’s son’s fingerprint was scanned so that he could use his fingerprint to enter the Six Flags theme park under his season pass. Neither the plaintiff nor her son signed a written release or were given written notice as required by BIPA. The plaintiff did not allege that she or her son suffered a specific injury but claimed that if she had known that Six Flags collected biometric data, she would not have purchased a pass for her son. The plaintiff brought a class action on behalf of all similarly situated theme park customers and sued for maximum damages ($5,000 per violation) under BIPA. The Illinois appellate court held that plaintiff could not maintain a BIPA action because technical violations did not render a party “aggrieved,” a key element of a BIPA claim.

In a unanimous decision, the Illinois Supreme Court disagreed. The court held that “an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an ‘aggrieved’ person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act.” Even more pointedly, the court held that when a private entity fails to comply with BIPA’s requirements regarding the collection, retention, disclosure, and destruction of a person’s biometric identifiers or biometric information, that violation alone – in the absence of any actual pecuniary or other injury—constitutes an invasion, impairment, or denial of the person’s statutory rights.

This decision – along with the 200 class actions already filed – shows how important it is for vendors and companies using fingerprint timeclocks or other technologies that may collect biometric information to be aware of BIPA’s requirements.

 

© 2019 Schiff Hardin LLP

Scan Your Practices: Illinois Supreme Court to Resolve Biometric Privacy Standard

Fingerprinting, retina scans, and voiceprints – practices once reserved for FBI agents, criminals, and Jason Bourne – are now widely used by companies of all sizes. These “biometric identifiers” are collected, often by employers, to provide for workplace efficiencies such as clocking time and ensuring secure access to sensitive locations. Or they may be used by businesses looking to track and identify customers. Whatever the case may be, collection and use of biometric identifiers are landing companies in legal hot water.

There has been a frenzy of class action lawsuits filed under the Illinois Biometric Information Privacy Act (BIPA) in recent weeks, in anticipation of a pending decision from the Illinois Supreme Court regarding the statute’s scope. BIPA provides a roadmap for how to lawfully gather, store, and destroy biometric data. When companies flout these requirements, they expose themselves to legal liability.

Compliance with BIPA is not terribly difficult. A private entity must: 1) develop a written policy, available to the public, that establishes a retention schedule and guidelines for permanently destroying biometric data; 2) provide information to the subject in writing, and obtain a written release before collecting and using biometric information; 3) safely store and prevent disclosure or dissemination of the biometric data to unauthorized third parties; and 4) destroy the biometric data when there is no longer a reason for keeping it, or within three years of the individual’s last interaction with the entity, whichever comes first.

The statute provides that “any person aggrieved by a violation” of these rules can bring suit. The tricky question, which the Illinois Supreme Court will soon answer, is who is a person aggrieved? Is someone aggrieved if a private entity technically violates the statute, but does not otherwise cause harm to the individual through unauthorized dissemination or disclosure of his or her biometric data? If a company forgets to obtain written authorization, but otherwise posts appropriate notices and protects the security of the data, are its employees or customers aggrieved persons?

The answer once appeared favorable to companies. In Rosenbach v. Six Flags Entertainment Corporation, the Second District Appellate Court held that “a plaintiff who alleges only a technical violation of the statute without alleging some injury or adverse effect is not an aggrieved person” under BIPA. In other words, technical violations of the statute, without any accompanying harm, did not pave the way for litigation.

At the end of 2018, however, the First District Appellate Court, in Sekura v. Krishna Schaumburg Tan, Inc., signaled a more relaxed, plaintiff-friendly standard by agreeing that an injury to a privacy right may be enough to maintain a lawsuit. Though that case also involved allegations of actual harm (unauthorized disclosure of the data to third parties), it created a fissure and undermined whatever comfort came from knowing that technical violations alone would not produce viable lawsuits. And, while the federal courts sitting in Illinois continue to dismiss these cases for lack of constitutional standing, the majority of BIPA cases are filed and remain in state court, where state precedent controls. Companies will seldom find themselves in the more favorable federal venue.

Meanwhile, the plaintiffs in Rosenbach appealed to the Illinois Supreme Court, which heard oral arguments on this issue at the end of November 2018. The central question the court will soon answer is what type of harm must be alleged in order for a plaintiff to maintain suit under BIPA: Are allegations of mere technical violations enough, or must a plaintiff allege a more particular harm? BIPA aficionados across the state are waiting with bated breath to learn the answer.

In the meantime, companies would be wise to review their biometric data notification, collection, storage, and destruction practices. In many ways, regardless of Rosenbach’s outcome, companies need to be extremely vigilant in deciding whether to collect biometric data in the first place and, if so, in developing and implementing careful practices to ensure full compliance with BIPA. Even if the Illinois Supreme Court ultimately concludes that technical violations alone are not actionable, shrewd plaintiffs and their attorneys will not hesitate to articulate allegations of harm beyond mere technicalities. Now is the time to scan your practices.

 

© 2019 Much Shelist, P.C.
This post was written by Laura A. Elkayam and James L. Wideikis of Much Shelist, P.C.

BIPA Claims Against United Airlines Must be Arbitrated Due to Collective Bargaining Agreement

Last month a federal district court dismissed a putative class action lawsuit against United Airlines challenging its use of fingerprint scanning timeclocks. The lawsuit brought by United employee David Johnson alleged that the company’s collection and use of employees’ fingerprints violated the Illinois Biometric Information Privacy Act (BIPA) because the company failed to get the requisite consent from its employees for fingerprint collection and use.

In dismissing the lawsuit, the court found it lacked federal jurisdiction to resolve the dispute on two grounds. In the first instance, the court observed that the federal Railway Labor Act (RLA) creates a mandatory and exclusive arbitration process for resolving labor disputes that require interpretation of a collective bargaining agreement (CBA). The CBA between United and its employees gave United the “sole and exclusive right to manage, operate, and maintain the efficiency” of the workplace. Therefore, any resolution of Plaintiff’s challenge under BIPA of United’s collection and use of fingerprints as part of its timekeeping technology necessarily requires interpretation of the scope of the CBA. And, thus, “[b]ecause there is no way for the Plaintiff to pursue a BIPA claim without interpreting the existing CBA,” the court concluded that its resolution of Plaintiff’s BIPA claim was preempted by the RLA’s mandatory arbitration requirement, and that the court lacked jurisdiction to decide the claim.

In the second instance, echoing two other recent federal BIPA cases, the court concluded that violation of BIPA’s notice and consent requirement alone is not adequate injury to establish standing to sue in federal court under Article III of the U.S. Constitution. The court found that a lack of consent, while a technical violation of the statute, does not itself alone increase the risk of disclosure that could result in injury or harm to the individual. Absent any actual compromise of the biometric information, or an increased risk of such compromise, there was no injury-in-fact, and thus no federal jurisdiction. While the court’s ruling in this regard continues the trend of other federal courts, it’s worth noting that standing to sue in Illinois state court is unaffected by these decisions. Whether a plaintiff or class action may succeed in state court based upon a mere technical violation of BIPA’s requirements—without more—remains an open question the Illinois Supreme Court is expected to answer in its next session.

Putting it Into Practice: Companies negotiating collective bargaining agreements should be aware that the right language may allow for resolution of many labor disputes, including disputes arising under BIPA, through mandatory arbitration rather than through the courts. When collecting and using biometric information, companies should continue to pay attention to BIPA’s requirements regarding consent, notice, and disclosure because although federal courts have dismissed suits predicated only on mere technical violations of the statute, other avenues of recourse may still be available to plaintiffs in state court and via arbitration.

Copyright © 2018, Sheppard Mullin Richter & Hampton LLP.

The Law of Unintended Consequences: BIPA and the Effects of the Illinois Class Action Epidemic on Employers

Has your company recently beefed up its employee identification and access security and added biometric identifiers, such as fingerprints, facial recognition, or retina scans? Have you implemented new timekeeping technology utilizing biometric identifiers like fingerprints or palm prints in lieu of punch clocks? All of these developments provide an extra measure of security control beyond key cards which can be lost or stolen, and can help to control a time-keeping fraud practice known as “buddy punching.” If you have operations and employees in Illinois (or if you utilize biometrics such as voice scans to authenticate customers located in Illinois), your risk and liability could have increased with the adoption of such biometric technology, so read on ….

What’s the Issue in Illinois?

The collection of biometric identifiers is not generally regulated either by the federal government or the states. There are some exceptions, however. Back in 2008, Illinois passed the first biometric privacy law in the United States. The Biometric Information Privacy Act, known as “BIPA,” makes it unlawful for private entities to collect, store, or use biometric information, such as retina/iris scans, voice scans, face scans, or fingerprints, without first obtaining individual consent for such activities. BIPA also requires that covered entities take specific precautions to secure the information. BIPA also carries statutory penalties for every individual violation that can multiply quickly … and the lawsuits against employers have been coming by the dozens over the past few months.

The Requirements of BIPA

Among other requirements, under BIPA, any “private entity” — including employers — collecting, storing, or using the biometric information of any individual in Illinois – no matter how it is collected, stored or used, or for what reason – must:

  1. Provide each individual with written notice that his/her biometric information will be collected and stored, including an explanation of the purpose for collecting the information as well as the length of time it will be stored and/or used.
  2. Obtain the subject’s express written authorization to collect and store his/her biometric information, prior to that information being collected.
  3. Develop and make available to the public a written policy establishing a retention schedule and guidelines for destroying the biometric information, which shall include destruction of the information when the reason for collection has been satisfied or three years after the company’s last interaction with the individual, whichever occurs first.

Also, any such information collected may not be disclosed to or shared with third parties without the prior consent of the individual.

The Money Issue

Under the law, plaintiffs may recover statutory damages of $1,000 for each negligent violation and $5,000 per intentional or reckless violation, plus attorneys’ fees and other relief deemed appropriate by the court. Moreover, if actual damages exceed liquidated damages, then a plaintiff is entitled under the Act to pursue actual damages in lieu of liquidated damages.

These damage calculations are made and awarded under BIPA on an individual basis. Do the math: If an employer has 100 employees in Illinois and has allegedly been negligent in obtaining required BIPA consent from employees, this can be a potential exposure of an employer to $500,000 in penalties, before you add in the ability to recover attorneys’ fees.

Who is Getting Sued?

The list of companies sued under BIPA spans industries. The initial groups of defendants included companies such as Facebook, Shutterfly, Google, Six Flags, and Snapchat. Also, a chain of tanning salons and a chain of fitness centers were each sued for using biometric technology to identify members. Between July and October, nearly 26 class-action lawsuits were filed in Illinois state court by current and former employees alleging their employers had violated the BIPA. Companies range from supermarket chains, a gas station and convenience store chain, a chain of senior living facilities, several restaurant groups, and a chain of daycare facilities.

Facts vary from case to case, but nearly all of the recent employee BIPA cases implicate fingerprint or palm-print time-keeping technologies that collect biometric data to clock employees’ work hours. The plaintiffs allege their employers failed to inform employees about the companies’ policies for use, storage and ultimate destruction of the fingerprint data or obtain the employees’ written consent before collecting, using or storing the individual biometric information.

In at least one case, the employee has also alleged fingerprint data was improperly shared with the supplier of the time-tracking machines, and has named that supplier as a defendant as well (Howe v. Speedway LLC, No. 2017-CH-11992 (Ill. Cir. Ct. filed Sept. 1, 2017)).

What Do I Do Now?

In order to avoid becoming the next target, employers with operations and employees in Illinois should ask some basic questions and review processes and procedures:

  1. First question to ask: are we collecting, storing or using individual biometric data for any purpose?
  2. If the answer is yes, has your company issued the required notice and received signed releases/consents from all affected individuals? This release/consent should be obtained at the commencement of employment before any collection of individual biometric data begins. Do you have a publicly available written policy to cover the collection, storage, use and destruction of the data? The employee handbook is the most logical place for this policy.
  3. Review your processes: (a) make sure that any collected data is not being sold or disclosed to third parties, outside of the limited exceptions permitted by the Act, and this includes vendors and third party suppliers of biometric technology who process and store the information in a cloud-based service, and (b) make sure that you evaluate your internal data privacy protocols and processes for protecting this new data set, and be prepared to prove that you have “reasonably sufficient” security measures in place for the individual biometric data.
  4. Review your vendor processes: If a vendor has access to the individual biometric data (such as a software-as-a-service provider), make sure the vendor has sufficient data privacy protocols and processes in place and that you have representations regarding this protection from the vendor.
  5. Review insurance coverage for this type of exposure with your broker.
  6. Remember the data breach issues: Make sure your data breach policies recognize that individual biometric data is considered personal information under Illinois laws addressing data breach notification requirements.

This post was authored by Cynthia J. Larose of © Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.