Legal landmines continue to hide for companies that collect, store and use individuals’ biometric information. Class action lawsuits continue to be filed against companies under Illinois’ Biometric Information Privacy Act (BIPA). BIPA carries potential actual damages or statutory damages of $1,000 for each negligent breach and $5,000 for each reckless or willful breach, plus attorneys’ fees and costs and injunctive relief.
A wave of BIPA class action lawsuits have been filed against companies in recent years, and 2021 has been no exception. Additionally, in 2021, plaintiffs’ attorneys expanded the types of BIPA cases they bring beyond simple claims involving the use of purported biometric time clocks. Cases involving all manner of alleged biometric technologies, including several cases involving consumers instead of (or in addition to) employees, have been filed. What constitutes a “violation” of BIPA has yet to be settled by the courts, and is expected to be a highly contentious issue.
State and federal courts issued several important BIPA decisions in 2021:
Upright. In a January ruling, the Seventh Circuit ruled that a federal court lacked standing to hear a BIPA class action case where the plaintiffs (in a deliberate strategy to keep their case in state court) did not did not allege that they had suffered concrete harm as a result of the alleged violation of the statute. The original complaint alleged violations of three BIPA provisions against a company that developed a facial recognition program that “scrapes” photographs from social media sites, harvests the data, and stores the information in a database that users ( usually law enforcement) pay. to access. After the defendant returned the case to federal court, the plaintiff voluntarily dismissed the lawsuit and filed a new, narrower lawsuit in state court, alleging only a “simple procedural violation” of section 15 ( c) BIPA, which prohibits a private entity in possession of customers’ biometric information from profiting from such information. Once again, the defendant returned the case to federal court, but this time the plaintiff filed a motion for dismissal, noting that the complaint alleged violation “dissociated from any concrete harm.” The federal court found he lacked standing and remanded the case to state court. The Court of Appeal confirmed.
An essential element of standing under Article III is that the plaintiff has suffered factual harm that is concrete, specific and real or imminent, but the plaintiffs have admitted that they have suffered no this guy. “It’s no secret that [plaintiffs] were careful in their claims, and especially in the scope of the proposed class they would like to represent, to avoid federal court,” the appeals court observed. “But generally plaintiffs can do that…And here they can take advantage of the fact that Illinois allows BIPA cases that allege simple violations of the law, no longer needing to allege or demonstrate harm .”
Preemption of work. In September, the Seventh Circuit upheld the dismissal of BIPA claims filed by a union employee. It extended an earlier decision in which it found that BIPA claims are preempted by the Railway Labor Act and found that BIPA claims of union employees are also preempted by the Labor-Management Relations Act. The Seventh Circuit reaffirmed that where the settlement of a plaintiff’s BIPA claim depends on the interpretation of a collective bargaining agreement, the claim is preempted by federal labor law.
Accumulation of claims. In December, the Illinois Court of Appeals for the First Judicial District ruled that BIPA claims accrue with “every capture” of an individual’s biometric data, rejecting a defendant’s argument that a claim BIPA accrued the first time it collected the applicant’s alleged biometric data. The data. However, as detailed below, the question of when BIPA claims accrue will be decided by the Illinois Supreme Court in an ongoing case..
The law on accidents at work does not precede the BIPA
The Illinois Supreme Court has ruled that Illinois workers’ compensation law does not bar BIPA claims brought by employees against their employers, deciding this open question with finality and dashing hope that the The state’s long-awaited High Court ruling could help stem the onslaught of BIPA actions by Illinois-based employees. A detailed analysis of the recent decision can be viewed here.
BIPA regulations. In 2021, BIPA cases settled in the six-, seven-, eight- and even nine-digit ranges, even in cases where there were no allegations that the plaintiffs’ biometric data was hacked or accessed in a way inappropriate by an infamous third party.
Last year, a federal court in California approved a $615 million settlement in a BIPA class action lawsuit against a social media company that allegedly collected users’ facial geometry without meeting BIPA requirements. A federal judge in Illinois has also granted preliminary approval for a $92 million settlement over alleged BIPA violations against another social media company. In this case, the plaintiffs alleged that the defendant “surreptitiously harvested and profited from [their] private information, including their biometric data, geolocation information, personally identifiable information and unpublished digital records.
These regulations, among many others, reflect both the extent of liability possible under BIPA and the scope of the law.
Employers who are not yet subject to biometric privacy laws in the jurisdictions where they operate should nonetheless consider adopting notice and consent practices as a best practice given the proliferation of biometric privacy laws across the country. country.
Decisions pending. Several closely watched BIPA appeals await decisions from various appellate courts in 2022. These decisions could significantly shape the course of biometric privacy litigation in Illinois.
Accumulation of claims. On December 20, the Seventh Circuit issued a decision certifying to the Illinois Supreme Court whether claims under Sections 15(b) and 15(d) of the BIPA “accumulate whenever a private entity scans the biometric identifier of a person and each time a private entity transmits such a scan to a third party, respectively, or only during the first scan and the first transmission. The federal appeals court further called on the Illinois Supreme Court to consider the related issue of “whether each unauthorized fingerprint scan amounts to a separate violation of law.” The Illinois Supreme Court accepted the certified question on December 23.
Pre-emption of workers’ compensation. The Illinois Supreme Court must also decide whether BIPA claims brought by employees against their employers are preempted by Illinois workers’ compensation law. Previously, the Illinois Court of Appeals for the First Judicial District rejected an employer’s assertion that the plaintiff’s BIPA claim was barred by the exclusivity provisions of the workers’ compensation law. However, the Illinois Supreme Court decided to appeal and is about to finally decide this issue. The state high court heard oral arguments in September and a ruling is expected to be imminent.
Other laws enacted. Other states have biometric privacy laws, including Texas and Washington. Legislation similar to Illinois’ BIPA, which creates a private right of action, is pending in several state legislatures, including New York. Additionally, a number of states have added biometric information to the categories of personal data that must be notified under their respective breach notification laws. Local governments have also begun to regulate the use of biometric technologies. In 2021, Baltimore and New York joined Portland in banning the use of facial recognition technology or requiring advance notice before biometric data collection. More states and municipalities can be expected to adopt biometric privacy measures, as the growing use of biometric technology coincides with a sharp rise in public distrust of privacy risks. .
The best defense…
Employers who are not yet subject to biometric privacy laws in the jurisdictions where they operate should nonetheless consider adopting notice and consent practices as a best practice given the proliferation of biometric privacy laws across the country. country. Additionally, for companies that operate in Illinois, even if the organization has created a BIPA compliance policy, it is important to periodically review time management, point of purchase, physical security, or other systems that may obtain, use or disclose biometric identifiers. or biometric information against BIPA requirements, especially as case law continues to develop.
© 2022 Jackson LewisNational Law Review, Volume XII, Number 49