Texas AG Sues Meta Over Collection and Use of Biometric Data

On February 14, 2022, Texas Attorney General Ken Paxton brought suit against Meta, the parent company of Facebook and Instagram, over the company’s collection and use of biometric data. The suit alleges that Meta collected and used Texans’ facial geometry data in violation of the Texas Capture or Use of Biometric Identifier Act (“CUBI”) and the Texas Deceptive Trade Practices Act (“DTPA”). The lawsuit is significant because it represents the first time the Texas Attorney General’s Office has brought suit under CUBI.

The suit focuses on Meta’s “tag suggestions” feature, which the company has since retired. The feature scanned faces in users’ photos and videos to suggest “tagging” (i.e., identify by name) users who appeared in the photos and videos. In the complaint, Attorney General Ken Paxton alleged that Meta,  collected and analyzed individuals’ facial geometry data (which constitutes biometric data under CUBI) without their consent, shared the data with third parties, and failed to destroy the data in a timely matter, all in violation of CUBI and the DTPA. CUBI regulates the collection and use of biometric data for commercial purposes, and the DTPA prohibits false, misleading, or deceptive acts or practices in the conduct of any trade or commerce.

Among other forms of relief, the complaint seeks an injunction enjoining Meta from violating these laws, a $25,000 civil penalty for each violation of CUBI, and a $10,000 civil penalty for each violation of the DTPA. The suit follows Facebook’s $650 million class-action settlement over alleged violations of Illinois’ Biometric Privacy Act and the company’s discontinuance of the tag suggestions feature last year.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

BREAKING: Seventh Circuit Certifies BIPA Accrual Question to Illinois Supreme Court in White Castle

Yesterday the Seventh Circuit issued a much awaited ruling in the Cothron v. White Castle litigation, punting to the Illinois Supreme Court on the pivotal question of when a claim under the Illinois Biometric Privacy Act (“BIPA”) accrues.  No. 20-3202 (7th Cir.).  Read on to learn more and what it may mean for other biometric and data privacy litigations.

First, a brief recap of the facts of the dispute.  After Plaintiff started working at a White Castle in Illinois in 2004, White Castle began using an optional, consent-based finger-scan system for employees to sign documents and access their paystubs and computers.  Plaintiff consented in 2007 to the collection of her biometric data and then 11 years later—in 2018—filed suit against White Castle for purported violation of BIPA.

Plaintiff alleged that White Castle did not obtain consent to collect or disclose her fingerprints at the first instance the collection occurred under BIPA because BIPA did not exist in 2007.  Plaintiff asserted that she was “required” to scan her finger each time she accessed her work computer and weekly paystubs with White Castle and that her prior consent to the collection of biometric data did not satisfy BIPA’s requirements.  According to Plaintiff, White Castle violated BIPA Sections 15(b) and 15(d) by collecting, then “systematically and automatically” disclosing her biometric information without adhering to BIPA’s requirements (she claimed she did not consent under BIPA to the collection of her information until 2018). She sought statutory damages for “each” violation on behalf of herself and a putative class.

White Castle before the district court had moved to dismiss the Complaint and for judgment on the pleadings—both of which motions were denied.  The district court sided with Plaintiff, holding that “[o]n the facts set forth in the pleadings, White Castle violated Section 15(b) when it first scanned [Plaintiff’s] fingerprint and violated Section 15(d) when it first disclosed her biometric information to a third party.”  The district court also held that under Section 20 of BIPA, Plaintiff could recover for “each violation.”  The court rejected White Castle’s argument that this was an absurd interpretation of the statute not in keeping with legislative intent, commenting that “[i]f the Illinois legislature agrees that this reading of BIPA is absurd, it is of course free to modify the statue” but “it is not the role of a court—particularly a federal court—to rewrite a state statute to avoid a construction that may penalize violations severely.”

White Castle filed an appeal of the district court’s ruling with the Seventh Circuit.  As presented by White Castle, the issue before the Seventh Circuit was “[w]hether, when conduct that allegedly violates BIPA is repeated, that conduct gives rise to a single claim under Sections 15(b) and 15(d) of BIPA, or multiple claims.”

In ruling yesterday this issue was appropriate for the Illinois Supreme Court, the Seventh Circuit held that “[w]hether a claim accrues only once or repeatedly is an important and recurring question of Illinois law implicating state accrual principles as applied to this novel state statute.  It requires authoritative guidance that only the state’s highest court can provide.”  Here, the accrual issue is dispositive for purposes of Plaintiffs’ BIPA claim.  As the Seventh Circuit recognized, “[t]he timeliness of the suit depends on whether a claim under the Act accrued each time [Plaintiff] scanned her fingerprint to access a work computer or just the first time.”

Interestingly, the Seventh Circuit drew a comparison to data privacy litigations outside the context of BIPA, stating that the parties’ “disagreement, framed differently, is whether the Act should be treated like a junk-fax statute for which a claim accrues for each unsolicited fax, [], or instead like certain privacy and reputational torts that accrue only at the initial publication of defamatory material.”

Several BIPA litigations have been stayed pending a ruling from the Seventh Circuit in White Castle and these cases will remain on pause going into 2022 pending a ruling from the Illinois Supreme Court.  While some had hoped for clarity on this area of BIPA jurisprudence by the end of the year, the Seventh Circuit’s ruling means that this litigation will remain a must-watch privacy case going forward.

Article By Kristin L. Bryan of Squire Patton Boggs (US) LLP

For more data privacy and cybersecurity legal news, click here to visit the National Law Review.

© Copyright 2021 Squire Patton Boggs (US) LLP

Good News for Companies: Seventh Circuit Holds Removal of Plaintiffs’ Biometrics Privacy Claims to Federal Court OK

In a widely watched case, the Seventh Circuit decided last week that companies that collect individuals’ biometric data may be able to defend their cases in federal court when plaintiffs allege a procedural violation of Illinois’ Biometric Information Privacy Act (BIPA).

In Bryant v. Compass Group USA, Inc., the Seventh Circuit held that certain procedural violations of Illinois’ BIPA constituted actual injuries and therefore satisfied the requirements for federal court standing. Relying on Spokeo, the seminal U.S. Supreme Court case addressing what constitutes an actual injury for standing purposes, the court held that the plaintiff’s allegations, if proven, would demonstrate that she suffered an actual injury based on the fact that Compass did not obtain her consent before obtaining her private information. Therefore, the case could remain in federal court.

The decision now gives defendants that want to defend BIPA claims in federal court a roadmap for their arguments, including access to a larger jury pool, the Federal Rules of Procedure, and other federal court-related advantages. It is also notable because BIPA defendants have attempted to remove BIPA cases to federal court and then file motions to dismiss them for lack of standing. However, the federal courts have typically remanded these cases, forcing defendants back into state court and sometimes even requiring them to pay just costs and any actual expenses, including attorney fees, incurred as a result of the removal.[1]

What Happened in Bryant v. Compass Group USA

In Compass Group USA, a customer sued a vending machine manufacturer after she scanned her fingerprint into a vending machine to set up an account during her employer’s orientation. She then used her fingerprint to buy items from the vending machine.

The plaintiff filed a putative class action lawsuit on behalf of herself and all other persons similarly situated in state court alleging that Compass violated her statutory rights under BIPA by 1) obtaining her fingerprint without her written consent and 2) not establishing a publicly available data retention schedule or destruction guidelines for possession of biometric data as required by the statute.

Shortly after the plaintiff filed suit in Cook County Circuit Court, Compass filed a notice to remove the case to the Northern District of Illinois. Opposing the motion, the plaintiff argued that she did not have federal standing for her BIPA claims because she had not alleged an injury-in-fact as required by Article III.

Compass argued that the plaintiff had alleged an injury-in-fact under Article III, pointing to the recent Illinois Supreme Court case, Rosenbach v. Six Flags Ent. Corp., which held that plaintiffs can bring BIPA claims based on procedural violations, even if they have suffered no actual injury. Rosenbach held that, if a company, for example, fails to comply with BIPA’s requirement of establishing destruction guidelines for possession of biometric data, that violation alone – without any actual pecuniary or other injury – creates an actual injury.

The district court sided with the plaintiff and concluded that Rosenbach merely established “the policy of the Illinois courts” to allow plaintiffs to bring BIPA claims without alleging an actual injury. Rosenbach did not interpret procedural BIPA violations to be actual injuries.

Because the plaintiff’s claims did not establish Article III standing, the district court granted the plaintiff’s motion to remand the case back to state court.

The Seventh Circuit reversed, relying on Spokeo. It interpreted Spokeo as holding that injuries may still be particularized and concrete – i.e., actual – even if they are intangible or hard to prove. The court also cited Justice Thomas’ concurrence in Spokeo that distinguished between private rights (which courts have historically presumed to cause actual injuries) and public rights (which require a further showing of injury).

The court held that the plaintiff had alleged that she suffered an actual injury when Compass collected her biometric data without obtaining her informed consent because this was a private right. The court also relied on Fed. Election Comm’n v. Atkins, 525 U.S. 11 (1998).  In Atkins, the Supreme Court held that nondisclosure can be an actual injury if plaintiffs can show an impairment of their ability to use information in a way intended by the statute. The court in Compass similarly held that the defendant had denied the plaintiff the opportunity — and statutory right — to consider whether the terms of the defendant’s data collection and usage were acceptable. As a result, the court held that the plaintiff alleged an actual injury.

By contrast, the court determined that the plaintiff’s other claim – that the defendant violated BIPA by failing to make publicly available a data retention schedule and destruction guidelines for possession of biometric data – implicated a public right and did not cause the plaintiff an actual injury.


[1] See, e.g. Mocek v. Allsaints USA Ltd., 220 F. Supp. 3d 910, 914 (N.D. Ill. 2016) (“Defendant’s professed strategy of removing the case on the basis of federal jurisdiction, only to turn around and seek dismissal with prejudice—a remedy not supported by any of defendant’s cases—on the ground that federal jurisdiction was lacking, unnecessarily prolonged the proceedings. . . . For the foregoing reasons, I grant plaintiff’s motion for remand and attorneys’ fees and deny as moot defendant’s motion to dismiss. Because defendant has not objected to the specific fee amount plaintiff claims, which she supports with evidence in the form of affidavits and billing records, I find that plaintiff is entitled to payment in the amount of $58,112.50 pursuant to § 1447(c).”)

© 2020 Schiff Hardin LLP
For more on BIPA, see the National Law Review Communications, Internet, and Media Law section.

Facing Facts: Do We Sacrifice Security Out of Fear?

Long before the dawn of time, humans displayed physical characteristics as identification tools. Animals do the same to distinguish each other. Crows use facial recognition on humans.  Even plants can tell their siblings from unrelated plants of the same species.

We present our physical forms to the world, and different traits identify us to anyone who is paying attention. So why, now that identity theft is rampant and security is challenged, do we place limits on the easiest and best ID system available? Are we sacrificing future security due to fear of an unlikely dystopia?

In one of the latest cases rolling out of Illinois’ private right of action under the state’s Biometric Information Privacy Act (BIPA), Rogers v. BNSF Railway Company[1], the court ruled that a railroad hauling hazardous chemicals through major urban areas needed to change, and probably diminish, its security procedures for who it allows into restricted space. Why? Because the railroad used biometric security to identify authorized entrants, BIPA forces the railroad to receive the consent of each person authorized to enter restricted space, and because BIPA is not preempted by federal rail security regulations.

The court’s decision, based on the fact that federal rail security rules do not specifically regulate biometrics, is a reasonable reading of the law. However, with BIPA not providing exceptions for biometric security, BIPA will impede the adoption and effectiveness of biometric-based security systems, and force some businesses to settle for weaker security. This case illustrates how BIPA reduces security in our most vulnerable and dangerous places.

I can understand some of the reasons Illinois, Texas, Washington and others want to restrict the unchecked use of biometrics. Gathering physical traits – even public traits like faces and voices – into large searchable databases can lead to overreaching by businesses. The company holding the biometric database may run tests and make decisions based on physical properties.  If your voice shows signs of strain, maybe the price of your insurance should rise to cover risk that stress puts on your body. But this kind of concern can be addressed by regulating what can be done with biometric readings.

There are also some concerns that may not have the foundation they once had. Two decades ago, many biometric systems stored bio data as direct copies, so that if someone stole the file, that person would have your fingerprint, voiceprint or iris scan.  Now, nearly all of the better biometric systems store bio readings as algorithms that can’t be read by computers outside the system that took the sample. So some of the safety concerns are no longer valid.

I propose a more nuanced thinking about biometric readings. While requiring data subject consent is harmless in many situations, the consent regime is a problem for security systems that use biometric indications of identity. And these systems are generally the best for securing important spaces.  Despite what you see in the movies, 2019 biometric security systems can be nearly impossible to trick into false positive results. If we want to improve our security for critical infrastructure, we should be encouraging biometrics, not throwing hurdles in the path of people choosing to use it.

Illinois should, at the very least, provide an exception to BIPA for physical security systems, even if that exception is limited to critical facilities like nuclear, rail and hazardous shipping restricted spaces. The state can include limits on how the biometric samples are used by the companies taking them, so that only security needs are served.

The field of biometrics may scare some people, but it is a natural outgrowth of how humans have always told each other apart.  If limit its use for critical security, we are likely to suffer from the decision.

[1] 2019 WL 5699910 (N.D. Ill).


Copyright © 2019 Womble Bond Dickinson (US) LLP All Rights Reserved.

For more on biometric identifier privacy, see the National Law Review Communications, Media & Internet law page.

Vimeo Hit with Class Action for Alleged Violations of Biometric Law

Vimeo, Inc. was sued last week in a class action case alleging that it violated the Illinois Biometric Information Privacy Act by “collecting, storing and using Plaintiff’s and other similarly situated individuals’ biometric identifiers and biometric information…without informed written consent.”

According to the Complaint, Vimeo “has created, collected and stored, in conjunction with its cloud-based Magisto service, thousands of “face templates” (or “face prints”)—highly detailed geometric maps of the face—from thousands of Magisto users.” The suit alleges that Vimeo creates these templates using facial recognition technology and “[E]ach face template that Vimeo extracts is unique to a particular individual, in the same way that a fingerprint or voiceprint uniquely identifies one and only one person.” The plaintiffs are trying to liken an image captured by facial recognition technology to a fingerprint by calling it a “faceprint.” Very creative in the wake of mixed reactions to the use of facial recognition technology in the Facebook and Shutterfly cases.

The suit alleges “users of Magisto upload millions of videos and/or photos per day, making videos and photographs a vital part of the Magisto experience….Users can download and connect any mobile device to Magistoto upload and access videos and photos to produce and edit their own videos….Unbeknownst to the average consumer, and in direct violation of…BIPA, Plaintiff…believes that Magisto’s facial recognition technology scans each and every video and photo uploaded to Magisto for faces, extracts geometric data relating to the unique points and contours (i.e., biometric identifiers) of each face, and then uses that data to create and store a template of each face—all without ever informing anyone of this practice.”

The suit further alleges that when a user uploads a photo, the Magisto service creates a template for each face depicted in the photo, and compares that face with others in its face database to see if there is a match. According to the Complaint, the templates are also able to recognize gender, age and location and are able to collect biometric information from non-users. All of this is done without consent of the individuals, and in alleged violation of BIPA.

Although we previously have seen some facial recognition cases alleging violation of BIPA, and there are numerous cases alleging violation of BIPA for collection of fingerprints in the employment setting, this case is a little different from those, and it will be interesting to watch.



Copyright © 2019 Robinson & Cole LLP. All rights reserved.
For more on biometrics & privacy see the National Law Review Communications, Media & Internet law page.

Facebook “Tagged” in Certified Facial Scanning Class Action

Recently, the Ninth Circuit Court of Appeals held that an Illinois class of Facebook users can pursue a class action lawsuit arising out of Facebook’s use of facial scanning technology. A three-judge panel in Nimesh Patel, et al v. Facebook, Inc., Case No. 18-15982 issued an unanimous ruling that the mere collection of an individual’s biometric data was a sufficient actual or threatened injury under the Illinois Biometric Information Privacy Act (“BIPA”) to establish standing to sue in federal court. The Court affirmed the district court’s decision certifying a class. This creates a significant financial risk to Facebook, because the BIPA provides for statutory damages of $1,000-$5,000 for each time Facebook’s use of facial scanning technology was used in the State of Illinois.

This case is important for several reasons. First, the decision recognizes that the mere collection of biometric information may be actionable, because it creates harm to an individual’s privacy. Second, the decision highlights the possible extraterritorial application of state data privacy laws, even those that have been passed by state legislatures intending to protect only their own residents. Third, the decision lays the groundwork for a potential circuit split on what constitutes a “sufficiently concrete injury” to convey standing under the U.S. Supreme Court’s landmark 2016 decision in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016). Fourth, due to the Illinois courts’ liberal construction and interpretation of the statute, class actions in this sphere are likely to continue to increase.

The Illinois class is challenging Facebook’s “Tag Suggestions” program, which scans for and identifies people in uploaded photographs for photo tagging. The class plaintiffs alleged that Facebook collected and stored biometric data without prior notice or consent, and without a data retention schedule that complies with BIPA. Passed in 2008, Illinois’ BIPA prohibits gathering the “scan of hand or face geometry” without users’ permission.

The district court previously denied Facebook’s numerous motions to dismiss the BIPA action on both procedural and substantive grounds and certified the class. In moving to decertify the class, Facebook argued that any BIPA violations were merely procedural and did not amount to “an injury of a concrete interest” as required by the U.S. Supreme Court’s landmark 2016 decision in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016).

In its ruling, the Ninth Circuit determined that Facebook’s use of facial recognition technology without users’ consent “invades an individual’s private affairs and concrete interests.” According to the Court, such privacy concerns were a sufficient injury-in-fact to establish standing, because “Facebook’s alleged collection, use, and storage of plaintiffs’ face templates here is the very substantive harm targeted by BIPA.” The Court cited with approval Rosenbach v. Six Flags Entertainment Corp., — N.E.3d —, 2019 IL 123186 (Ill. 2019), a recent Illinois Supreme Court decision similarly finding that individuals can sue under BIPA even if they suffered no damage beyond mere violation of the statute. The Ninth Circuit also suggested that “[s]imilar conduct is actionable at common law.”

On the issue of class certification, the Ninth Circuit’s decision creates a precedent for extraterritorial application of the BIPA. Facebook unsuccessfully argued that (1) the BIPA did not apply because Facebook’s collection of biometric data occurred on servers located outside of Illinois, and (2) even if BIPA could apply, individual trials must be conducted to determine whether users uploaded photos in Illinois. The Ninth Circuit rejected both arguments. The Court determined that (1) the BIPA applied if users uploaded photos or had their faces scanned in Illinois, and (2) jurisdiction could be decided on a class-wide basis. Given the cross-border nature of data use, the Court’s reasoning could be influential in future cases where a company challenges the applicability of data breach or data privacy laws that have been passed by state legislatures intending to protect their own residents.

The Ninth Circuit’s decision also lays the groundwork for a potential circuit split. In two cases from December 2018 and January 2019, a federal judge in the Northern District of Illinois reached a different conclusion than the Ninth Circuit on the issue of BIPA standing. In both cases, the Northern District of Illinois ruled that retaining an individual’s private information is not a sufficiently concrete injury to satisfy Article III standing under Spokeo. One of these cases, which concerned Google’s free Google Photos service that collects and stores face-geometry scans of uploaded photos, is currently on appeal to the Seventh Circuit.

The Ninth Circuit’s decision paves the way for a class action trial against Facebook. The case was previously only weeks away from trial when the Ninth Circuit accepted Facebook’s Rule 23(f) appeal, so the litigation is expected to return to the district court’s trial calendar soon. If Facebook is found to have violated the Illinois statute, it could be held liable for substantial damages – as much as $1000 for every “negligent” violation and $5000 for every “reckless or intentional” violation of BIPA.

BIPA class action litigation has become increasingly popular since the Illinois Legislature enacted it: over 300 putative class actions asserting BIPA violations have been filed since 2015. Illinois’ BIPA has also opened the door to other recent state legislation regulating the collection and use of biometric information. Two other states, Texas and Washington, already have specific biometric identifier privacy laws in place, although enforcement of those laws is accomplished by the state Attorney General, not private individuals. A similar California law is set to go into effect in 2020. Legislation similar to Illinois’ BIPA is also currently pending in several other states.

The Facebook case will continue to be closely watched, both in terms of the standing ruling as well as the potential extended reach of the Illinois law.


© Polsinelli PC, Polsinelli LLP in California

For more in biometric data privacy, see the National Law Review Communications, Media & Internet law page.

Ubers of the Future will Monitor Your Vital Signs

Uber has announced that it is considering developing self-driving cars that monitor passengers’ vital signs by asking the passengers how they feel during the ride, in order to provide a stress-free and satisfying trip. This concept was outlined in a patent filed by the company in July 2019. Uber envisions passengers connecting their own health-monitoring devices (e.g., smart watches, activity trackers, heart monitors, etc.) to the vehicle to measure the passenger’s reactions. The vehicle would then synthesize the information, along with other measurements that are taken by the car itself (e.g., thermometers, vehicle speed sensors, driving logs, infrared cameras, microphones, etc.). This type of biometric monitoring could potentially allow the vehicle to assess whether it might be going too fast, getting too close to another vehicle on the road, or applying the brakes too hard.  The goal is to use artificial intelligence to create a more ‘satisfying’ experience for the riders in the autonomous vehicle.

This proposed technology presents yet another way that ride-sharing companies such as Uber can collect more data from their passengers. Of course, passengers would have the choice about whether to use this feature, but this is another consideration for passengers in this data-driven industry.


Copyright © 2019 Robinson & Cole LLP. All rights reserved.

For more about self-driving cars, see the National Law Review Communications, Media & Internet law page.

Biometrics: Facebook Files Motion to Dismiss Privacy Suit over Facial Recognition Technology

As discussed in a previous post on facial recognition technology, a putative class action has been filed against Facebook over the collection of “faceprints” for its online photo tagging function, Tag Suggestions.  (See e.g., Licata v. Facebook, Inc., No. 2015CH05427 (Ill. Cir. Ct. Cook Cty. filed Apr. 1, 2015) (the case has been transferred to a San Francisco district court, Licata v. Facebook, Inc., No. 15-03748 (N.D. Cal. Consolidated Class Action Complaint filed Aug. 28, 2015)).

The plaintiffs claim that Facebook’s use of facial recognition technology to scan user-uploaded photos for its Tag Suggestions feature violates Illinois’s Biometric Information Privacy Act (BIPA), 740 ILCS 14/1, and has been used to create, what the plaintiffs allege, is “the world’s largest privately held database of consumer biometrics data.”

Plaintiffs allege that Facebook extracts face geometry data (or faceprints) from user-uploaded photographs and retains such “biometric identifiers” within the meaning of the BIPA. The complaint alleges, among other things, that Facebook collected and stored biometric data without adequate consent.  The complaint seeks an injunction and statutory damages for each violation (note: BIPA provides for $1,000 in statutory damages for each negligent violation, and $5,000 for intentional violations, plus attorney’s fees).

Last week, Facebook filed its motion to dismiss, arguing, among other things, that based on the choice of law provision in its terms of service, California, not Illinois, law should apply (thereby precluding users from bringing a claim under BIPA), and that, regardless, Section 10 of BIPA expressly “excludes both ‘photographs’ and ‘information derived from photographs’ from its reach.”

Those wanting a preview of the plaintiffs’ response to Facebook’s motion should look to a similar privacy action against Shutterfly currently being litigated in Illinois federal court.  (See Norberg v. Shutterfly, Inc., No. 15-05351 (N.D. Ill. filed June 17, 2015)).  There, the plaintiff brought claims under BIPA against the photo storage service Shutterfly for allegedly collecting faceprints from user-upload photos for a tag suggestion feature without express written consent and “without consideration for whether a particular face belongs to a Shutterfly user or unwitting nonuser.”  In its motion to dismiss, Shutterfly, like Facebook, argued that scans of face geometry derived from uploaded photographs are not “biometric identifiers” under BIPA because the statute excludes information derived from photographs.

In his rebuttal, the plaintiff Norberg claimed if the intermediation of a photograph before processing face geometry excluded such data from the definition of a biometric identifier, then the statute would be meaningless:

“Defendants’ interpretation of the BIPA as inapplicable to face scans of photographs is contrary to the very nature of biometric technology and thus would undermine the statute’s core purpose. A photograph of a face is exactly what is scanned to map out the unique geometric patterns that establish an individual’s identity. Taken to its logical conclusion, Defendants’ argument would exclude all the biometric identifiers from the definition of biometric identifiers, because they are all based on the initial capture of a photograph or recording.”

We will be watching both disputes closely – if the suits are not dismissed on procedural or contractual grounds, this will be the first time a court will have the opportunity to interpret the contours of the Illinois biometric privacy statute with respect to facial recognition technology.

© 2015 Proskauer Rose LLP.