The Privacy Patchwork: Beyond US State “Comprehensive” Laws

We’ve cautioned before about the danger of thinking only about US state “comprehensive” laws when looking to legal privacy and data security obligations in the United States. We’ve also mentioned that the US has a patchwork of privacy laws. That patchwork is found to a certain extent outside of the US as well. What laws exist in the patchwork that relate to a company’s activities?

There are laws that apply when companies host websites, including the most well-known, the California Privacy Protection Act (CalOPPA). It has been in effect since July 2004, thus predating COPPA by 14 years. Then there are laws that apply if a company is collecting and using biometric identifiers, like Illinois’ Biometric Information Privacy Act.

Companies are subject to specific laws both in the US and elsewhere when engaging in digital communications. These laws include the US federal laws TCPA and TCFAPA, as well as CAN-SPAM. Digital communication laws exist in countries as wide ranging as Australia, Canada, Morocco, and many others. Then we have laws that apply when collecting information during a credit card transaction, like the Song Beverly Credit Card Act (California).

Putting It Into Practice: When assessing your company’s obligations under privacy and data security laws, keep activity-specific privacy laws in mind. Depending on what you are doing, and in what jurisdictions, you may have more obligations to address than simply those found in comprehensive privacy laws.

First BIPA Trial Results in $228M Judgment for Plaintiffs

Businesses defending class actions under the Illinois Biometric Information Privacy Act (BIPA) have struggled to defeat claims in recent years, as courts have rejected a succession of defenses.

We have been following this issue and have previously reported on this trend, which continued last week in the first BIPA class action to go to trial. The Illinois federal jury found that BNSF Railway Co. violated BIPA, resulting in a $228 million award to a class of more than 45,000 truck drivers.

Named plaintiff Richard Rogers filed suit in Illinois state court in April 2019, and BNSF removed the case to the US District Court for the Northern District of Illinois. Plaintiff alleged on behalf of a putative class of BNSF truck drivers that BNSF required the drivers to provide biometric identifiers in the form of fingerprints and hand geometry to access BNSF’s facilities. The lawsuit alleged BNSF violated BIPA by (i) failing to inform class members their biometric identifiers or information were being collected or stored prior to collection, (ii) failing to inform class members of the specific purpose and length of term for which the biometric identifiers or information were being collected, and (iii) failing to obtain informed written consent from class members prior to collection.

In October 2019, the court rejected BNSF’s legal defenses that the class’s BIPA claims were preempted by three federal statutes governing interstate commerce and transportation: the Federal Railroad Safety Act, the Interstate Commerce Commission Termination Act, and the Federal Aviation Administration Authorization Act. The court held that BIPA’s regulation of how BNSF obtained biometric identifiers or information did not unreasonably interfere with federal regulation of rail transportation, motor carrier prices, routes, or services, or safety and security of railroads.

Throughout the case, including at trial, BNSF also argued it should not be held liable where the biometric data was collected by its third-party contractor, Remprex LLC, which BNSF hired to process drivers at the gates of BNSF’s facilities. In March 2022, the court denied BNSF’s motion for summary judgment, pointing to evidence that BNSF employees were also involved in registering drivers in the biometric systems and that BNSF gave direction to Remprex regarding the management and use of the systems. The court concluded (correctly, as it turned out) that a jury could find that BNSF, not just Remprex, had violated BIPA.

The case proceeded to trial in October 2022 before US District Judge Matthew Kennelly. At trial, BNSF continued to argue it should not be held responsible for Remprex’s collection of drivers’ fingerprints. Plaintiff’s counsel argued BNSF could not avoid liability by pleading ignorance and pointing to a third-party contractor that BNSF controlled. Following a five-day trial and roughly one hour of deliberations, the jury returned a verdict in favor of the class, finding that BNSF recklessly or intentionally violated BIPA 45,600 times. The jury did not calculate damages. Rather, because BIPA provides for $5,000 in liquidated damages for every willful or reckless violation (and $1,000 for every negligent violation), Judge Kennelly applied BIPA’s damages provision, which resulted in a judgment of $228 million in damages. The judgment does not include attorneys’ fees, which plaintiff is entitled to and will inevitably seek under BIPA.

While an appeal will almost certainly follow, the BNSF case serves as a stark reminder of the potential exposure companies face under BIPA. Businesses that collect biometric data must ensure they do so in compliance with BIPA and other biometric privacy regulations. Where BIPA claims have been asserted, companies should promptly seek outside counsel to develop a legal strategy for a successful resolution.


© 2022 ArentFox Schiff LLP

Illinois Employers Face A Recent Rash of Class Action Lawsuits Filed Under State Biometric Information Privacy Law

Illinois enacted its Biometric Information Privacy Act (“BIPA”) in 2008 to regulate, among other things, employer collection and use of employee biometric information.  Biometrics is defined as the measurement and analysis of physical and behavioral characteristics.  This analysis produces biometric identifiers that include things like fingerprints, iris or face scans, and voiceprints, all of which can be used in a variety of ways, including for security, timekeeping, and employer wellness programs.

Illinois is not the only state with a biometric privacy law on its books; however, its version is considered the nation’s most stringent. BIPA requires a business that collects and uses biometric data to protect the data in the same manner it protects other sensitive or confidential information; to establish data retention and destruction procedures, including a temporal limitation of three years; to publish policies outlining its biometric data collection and use procedures; and to obtain prior, informed consent from any individuals from whom it plans to obtain and use biometric data. The statute also requires businesses to notify employees in the event of a data breach.

Protection of biometric data is viewed as critical because, unlike passwords comprised of letters, numbers, or typographical characters, biometric data is unique and cannot be replaced or updated in the event of a breach. Technology now allows biometric data to be captured surreptitiously, such as by recording a voice over the phone or face-mapping individuals in a crowd or through photographs, increasing the risk of its theft or unauthorized, or at least unknown, use. In fact, these more furtive methods of collecting and using biometric data are what led to the filing of five BIPA class action lawsuits in 2015 – four against Facebook, and one against online photo website Shutterfly – that alleged these companies used facial recognition software to analyze online posts, but did not comply with BIPA’s consent or other procedural requirements. These first lawsuits brought attention to the private right of action authorized under BIPA, which provides that any “aggrieved” person may sue and recover $1,000 for each negligent violation and $5,000 for each intentional or reckless violation, or, in both circumstances, actual damages if greater than the statutory damages. Prevailing parties may also recover their attorneys’ fees and costs.

The plaintiffs’ employment bar recently has gotten seriously into the BIPA class action game; since August 2017, approximately 30 lawsuits have been filed in Cook County, Illinois (where Chicago is), alone. These putative class actions have been filed against employers in many industries including gas stations, restaurants, and retail, and typically involve the employer’s use of fingerprint-operated time clocks. The cases allege that the defendant employers failed to obtain proper informed consent or failed to maintain, and inform employees about, policies on the company’s use, storage, and destruction of biometric data. Many of these lawsuits also allege the employer companies have improperly shared employee biometric data with third-party time clock vendors, and some even name the vendor as a defendant.

In addition to the obvious cost of class action litigation, these suits present additional legal challenges because many aspects of BIPA remain untested. For example, the statutory term “aggrieved” person leaves open the question whether a plaintiff must be able to prove actual harm in order to recover. The U.S. District Court for the Northern District of Illinois and the U.S. District Court for the Southern District of New York both have dismissed BIPA suits for lack of standing where the plaintiffs did not allege actual harm. The latter case, Santana v. Take-Two Interactive Software, is currently before the United States Court of Appeals for the Second Circuit, which heard oral argument in October 2017 but has not yet issued its ruling. Other aspects of BIPA also remain in flux – such as whether facial recognition through photography is biometric data, as defined under the statute, and what forms of consent are compliant. On the other side, defendants are challenging the constitutionality of the damages provisions, arguing that their potentially disproportionate nature relative to any actual harm violates due process. As these issues are fleshed out under BIPA, they are certain to affect other states that have already enacted, or may seek to enact, laws regarding use of biometric data.

This post was written by Daniel B. Pasternak of Squire Patton Boggs (US) LLP, © Copyright 2017

The Law of Unintended Consequences: BIPA and the Effects of the Illinois Class Action Epidemic on Employers

Has your company recently beefed up its employee identification and access security and added biometric identifiers, such as fingerprints, facial recognition, or retina scans? Have you implemented new timekeeping technology utilizing biometric identifiers like fingerprints or palm prints in lieu of punch clocks? All of these developments provide an extra measure of security control beyond key cards, which can be lost or stolen, and can help to control a time-keeping fraud practice known as “buddy punching.” If you have operations and employees in Illinois (or if you utilize biometrics such as voice scans to authenticate customers located in Illinois), your risk and liability could have increased with the adoption of such biometric technology, so read on.

What’s the Issue in Illinois?

The collection of biometric identifiers is not generally regulated either by the federal government or the states. There are some exceptions, however. Back in 2008, Illinois passed the first biometric privacy law in the United States. The Biometric Information Privacy Act, known as “BIPA,” makes it unlawful for private entities to collect, store, or use biometric information, such as retina/iris scans, voice scans, face scans, or fingerprints, without first obtaining individual consent for such activities. BIPA also requires that covered entities take specific precautions to secure the information. BIPA also carries statutory penalties for every individual violation that can multiply quickly … and the lawsuits against employers have been coming by the dozens over the past few months.

The Requirements of BIPA

Among other requirements, under BIPA, any “private entity” — including employers — collecting, storing, or using the biometric information of any individual in Illinois – no matter how it is collected, stored or used, or for what reason – must:

  1. Provide each individual with written notice that his/her biometric information will be collected and stored, including an explanation of the purpose for collecting the information as well as the length of time it will be stored and/or used.
  2. Obtain the subject’s express written authorization to collect and store his/her biometric information, prior to that information being collected.
  3. Develop and make available to the public a written policy establishing a retention schedule and guidelines for destroying the biometric information, which shall include destruction of the information when the reason for collection has been satisfied or three years after the company’s last interaction with the individual, whichever occurs first.

Also, any such information collected may not be disclosed to or shared with third parties without the prior consent of the individual.

The Money Issue

Under the law, plaintiffs may recover statutory damages of $1,000 for each negligent violation and $5,000 per intentional or reckless violation, plus attorneys’ fees and other relief deemed appropriate by the court. Moreover, if actual damages exceed liquidated damages, then a plaintiff is entitled under the Act to pursue actual damages in lieu of liquidated damages.

These damage calculations are made and awarded under BIPA on an individual basis. Do the math: If an employer has 100 employees in Illinois and has allegedly been negligent in obtaining required BIPA consent from employees, this can be a potential exposure of an employer to $500,000 in penalties, before you add in the ability to recover attorneys’ fees.

Who is Getting Sued?

The list of companies sued under BIPA spans industries. The initial groups of defendants included companies such as Facebook, Shutterfly, Google, Six Flags, and Snapchat. Also, a chain of tanning salons and a chain of fitness centers were each sued for using biometric technology to identify members. Between July and October, nearly 26 class-action lawsuits were filed in Illinois state court by current and former employees alleging their employers had violated BIPA. Defendants include supermarket chains, a gas station and convenience store chain, a chain of senior living facilities, several restaurant groups, and a chain of daycare facilities.

Facts vary from case to case, but nearly all of the recent employee BIPA cases implicate fingerprint or palm-print time-keeping technologies that collect biometric data to clock employees’ work hours. The plaintiffs allege their employers failed to inform employees about the companies’ policies for use, storage and ultimate destruction of the fingerprint data or to obtain the employees’ written consent before collecting, using or storing the individual biometric information.

In at least one case, the employee has also alleged fingerprint data was improperly shared with the supplier of the time-tracking machines, and has named that supplier as a defendant as well (Howe v. Speedway LLC, No. 2017-CH-11992 (Ill. Cir. Ct. filed Sept. 1, 2017)).

What Do I Do Now?

In order to avoid becoming the next target, employers with operations and employees in Illinois should ask some basic questions and review processes and procedures:

  1. First question to ask: are we collecting, storing or using individual biometric data for any purpose?
  2. If the answer is yes, has your company issued the required notice and received signed releases/consents from all affected individuals? This release/consent should be obtained at the commencement of employment, before any collection of individual biometric data begins. Do you have a publicly available written policy to cover the collection, storage, use and destruction of the data? The employee handbook is the most logical place for this policy.
  3. Review your processes: (a) make sure that any collected data is not being sold or disclosed to third parties outside of the limited exceptions permitted by the Act, and this includes vendors and third-party suppliers of biometric technology who process and store the information in a cloud-based service, and (b) make sure that you evaluate your internal data privacy protocols and processes for protecting this new data set, and be prepared to prove that you have “reasonably sufficient” security measures in place for the individual biometric data.
  4. Review your vendor processes: If a vendor has access to the individual biometric data (such as a software-as-a-service provider), make sure the vendor has sufficient data privacy protocols and processes in place and that you have representations regarding this protection from the vendor.
  5. Review insurance coverage for this type of exposure with your broker.
  6. Remember the data breach issues: Make sure your data breach policies recognize that individual biometric data is considered personal information under Illinois laws addressing data breach notification requirements.

This post was authored by Cynthia J. Larose, © Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.