Biometric Information Privacy Act: Lawsuits on the horizon?
Slowly but surely, tech companies are diversifying by moving into new and emerging markets, including the financial services. And, if legal departments are not involved at the get-go this could easily create some regulatory headaches. Could a new EU copyright law be the harbinger of a wave of lawsuits?
In January, in the case of Rosenbach versus Six Flags Entertainment, the Illinois Supreme Court held that a violation of the state’s Biometric Information Privacy Act (BIPA), is sufficient to confer standing even without concrete evidence of harm.
Partner Julie O'Neill and Associate Max Phillip Zidel of Morrison & Foerster reported on the case, noting that the court’s decision “indicates that failure to comply with the Illinois biometric privacy law may expose businesses to significant liability, even where there has been no actual harm to the plaintiffs.”
So, the question is… How can companies collect and use biometric data without becoming a target for litigation?
What types of businesses need to be aware of the laws around biometric data?
Any business that engages in the collection and/or use of biometric data should be fully conversant with biometric privacy laws. Examples of biometric data include, but not limited to:
facial scans, and;
iris and retina scans
There may be other biological identifiers, based on available technology at the time. Regardless of whether this data is from consumers, employees, or other individuals, it is vital that companies are fully aware of current biometric privacy laws.
Although the BIPA has been around for more than a decade, it has been relatively low profile until last year, when a significant number of lawsuits were filed. BIPA law prohibits any organization from collecting, purchasing, or in any way obtaining an individual’s biometric information, unless it complies with certain notice, explicit consent, and data retention requirements.
Codified as 740 ILCS/14 and Public Act 095-994, the BIPA became law in 20018. At that time, it was generally considered that the use of fingerprint or facial recognition technologies for identification purposes was largely the domain of organizations such as law enforcement agencies and those with a legitimate need for increased levels of security. However, in many businesses, both small and large across a wide spectrum of industries these identification technologies are in use, largely for employee identification.
Why is the BIPA so important in the world of biometrics?
One of the most significant features of the BIPA is its private right of action. Like other data privacy acts, it provides for actual damages. But it also provides for up to $5,000 in statutory damages for each violation.
This makes life a whole lot easier for plaintiffs’ attorneys who are seeking to bring a class action. This has resulted in the already large numbers of BIPA class actions during the past couple of years - and this trend shows no signs of slowing down. It is not surprising that, in much the same way as California’s Consumer Privacy Act (CCPA) has been influenced by Europe’s General Data Protection Regulation (GDPR), other states across the U.S. are considering their own biometric data legislation, based on the BIPA model.
According to the Seyfarth Work Class Action Blog, “Since 2014, Defendants, operators of an amusement park in Illinois, have used a fingerprinting process when issuing repeat-entry passes to the park. Id. at *2. Plaintiff alleged that this system scans pass holders’ fingerprints; collects, records and stores biometric identifiers and information gleaned from the fingerprints; and then stores that data in order to quickly verify customer identities upon subsequent visits by having customers scan their fingerprints to enter the theme park. She further alleged that in 2014, while the fingerprinting system was in operation, her 14-year-old son visited the amusement park on a school field trip, where his thumbprint was used to gain access as a season pass holder.
“Plaintiff filed a three count complaint alleging Defendants violated the BIPA by: (1) collecting, capturing, storing, or obtaining biometric identifiers and biometric information from Plaintiff’s son and other members of the proposed class without informing them or their legally authorized representatives in writing that the information was being collected or stored; (2) not informing them in writing of the specific purposes for which Defendants were collecting the information or for how long they would keep and use it; and (3) not obtaining a written release executed by Plaintiff, her son, or members of the class before collecting the information. Id. at *6.
“Defendants moved to dismiss the complaint, arguing among many things, that plaintiff had suffered no actual or threatened injury and therefore lacked standing to sue. Id. at *6-7. The Circuit Court granted Defendants’ motion to dismiss Count III, but denied its motion as to Counts I and II. Defendants thereafter sought interlocutory review of the Circuit Court’s ruling, which the Illinois Appellate Court granted.
“On December 21, 2017, the Illinois Appellate Court for the Second District became the first to address the issue of whether a plaintiff can recover for technical violations of the BIPA, even if the complaint does not allege that the plaintiff suffered any harm, loss or injury. It held that a plaintiff is not “aggrieved” within the meaning of the Act and may not pursue either damages or injunctive relief under the Act based solely on a defendant’s violation of the statute. Additional injury or adverse effect must be alleged. The injury or adverse effect need not be pecuniary, the Appellate Court held, but it must be more than a technical violation of the Act. Plaintiff thereafter petitioned the Illinois Supreme Court for leave to appeal, which was granted.”
The Illinois Supreme Court ruled that an alleged violation of BIPA alone is sufficient for standing under Illinois law. Could this be relevant to your company?
The Illinois Supreme Court’s ruling appears to contradict certain other decisions made by the federal court, which found that the mere allegation of a violation is insufficient to confer standing to sue under the statute. Certainly, as a ruling based strictly on Illinois state law, the Illinois Supreme Court carries a lot of weight.
However, it is not known at this time, whether federal courts will attempt to depart from this ruling by characterizing it as a purely procedural matter, over which they retain their own jurisdiction. Furthermore, so far, the focus on procedural issues has meant that there is essentially no guidance on what the various prohibitions and requirements under BIPA actually mean.
For example, the BIPA prohibits the use of biometric information for profit. But the very use of the word “profit” raises a couple of important questions; What does the term “profit” actually signify? And, what if biometric data is being used simply to improve a product, which is so doing, indirectly leads to increased profits for the company concerned? Accurately assessing the risks of liability under BIPA may therefore be more complicated that it might, at first, be seen.
But whichever way we look at it, the ruling by the Illinois Supreme Court is a strong indicator that we are going to see a great deal more activity in this area. More than ever, organizations will need to be very sure that they are compliant with the various notices, consent, disclosure and all other requirements under the BIPA if they are to avoid punitive fines and reputational damage, if found liable.
Without an explicit requirement for standing, it is going to be much easier for plaintiffs to successfully bring class action lawsuits, on the basis of the most basic statutory violations—even in the absence of any actual harm whatsoever.
What steps should a company take if planning to collect biometric data from employees?
First and foremost, a company must determine whether any of the state laws apply to its proposed intentions to collect biometric data.
If a law does apply, a company must determine precisely how it should comply with the relevant notice, consent, use, disclosure, and retention requirements. The requirements are fairly similar across the three laws (Illinois, Washington and Texas), but there are some key differences. For example, while all three require notice and consent for the collection and use of biometric data, the BIPA is a great deal more restrictive than its two counterparts.
The BIPA requires that proper notice be given, and explicit consent obtained from each employee in writing. Such notice must include the specific reasons and intended duration for the collection and use of the data. (Washington and Texas do not prescribe any specific form of notice and consent.) The BIPA also requires that a company develop a publicly available written policy, which includes a retention schedule and guidelines for the permanent deletion of biometric data.
Companies must also carefully consider any restrictions on its ability to disclose the data. All three states generally prohibit data disclosure, except in circumstances where the employee has given written consent, or where the disclosure falls under a specific exception, such as complying with law enforcement, or other legal requirements, or for completing a financial transaction requested by the employee. However, unlike Texas and Washington, the BIPA also prohibits the sale or disclosure of biometric data for profit, irrespective of whether or not an employee has given their consent.
Please note these are merely some of the highlights of the requirements under the laws. The important factor for any company that plans to collect biometric data, is that it must carefully consider the applicable law(s) in order to determine whether it needs to make changes to its practices.
What about the GDPR?
The European Union’s GDPR treats biometric data as a type of “sensitive data”. This means that the data is subject to heightened protections. The GDPR generally prohibits the collection of sensitive data unless a company can rely on one of the exceptions provided under the GDPR. For instance, it might be possible to collect biometric data with the explicit consent of the individual. However, within the employment context, consent may not represent a valid option, as European data protection authorities generally take the position that an employee is, by virtue of her position and the employer’s power over them, unable to provide consent in the “freely given” manner required by the law.