By: Danielle Kays and Kristin Stokes

Seyfarth Synopsis:  While the plaintiffs’ bar has aggressively pursued class actions under the Biometric Information Privacy Act (“BIPA”) in recent years, these cases soon may be rivaled by the influx of class actions brought under the Genetic Information Privacy Act (“GIPA”), 410 Ill. Comp. Stat. Ann. 513/1, et seq.  After GIPA’s 1998 enactment, only two cases were brought under the statute in nearly 25 years; however, in 2023, over 40 GIPA class action complaints have been filed in Illinois courts.

What is the Illinois Genetic Information Privacy Act (GIPA)?

GIPA was intended to facilitate voluntary and confidential genetic testing by providing protection from discriminatory use or disclosure of such information.  In the employment context, GIPA bars employers from directly or indirectly acquiring “genetic testing or genetic information” from a prospective or current employee.  See 410 ILCS 513/25(c)(1).  In 2008, GIPA was amended to more closely conform to a later, federal analog—the Genetic Information Nondiscrimination Act (“GINA”).  Both GINA and GIPA prohibit employer discrimination because of “genetic information” including: information about an individual or family member’s genetic test, request for genetic services, or manifestation of a disease or disorder.  See 45 CFR 160.103.  GIPA provides for a private right of action to “any person aggrieved by a violation of this Act . . . .”  410 ILCS 513/40.

This sudden influx of GIPA class actions likely are the result of steep statutory damages and a broad private right of action.  While monetary damages are limited under GINA, GIPA contemplates no statutory cap and provides for damages of $2,500 per negligent violation or actual damages, whichever is greater.  Moreover, an employer may be liable for $15,000 per intentional or reckless violation.  410 ILCS 513/40(a).  GIPA even provides for significantly greater statutory damages than popular class action vehicle, BIPA.  See 740 ILCS 14/20.

Current litigation also may be fueled by a recent decision in the case Bridges v. Blackstone Group, Inc., No. 21-cv-1091, 2022 WL 2643968 (S.D. Ill. 2022), establishing a broad class of possible claimants. In Bridges, plaintiffs brought a class action, alleging that Blackstone violated GIPA when it acquired Ancestry.com.  The complaint was ultimately dismissed for failure to state a plausible violation of GIPA.  Bridges, 2022 WL 2643968 at *2.  However, the court first addressed whether the plaintiffs were “aggrieved persons” for purposes of bringing a claim. See 410 ILCS 513/40.  The court adopted the Illinois Supreme Court’s definition of “aggrieved person” under BIPA.  Accordingly, “an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights.”  Bridges, 2022 WL 2643968 at *2 (citing to Rosenbach v. Six Flags Ent. Corp., 129 N.E. 3d 1197 (Ill. 2019)).

Relatedly, genetic information and post-offer medical exams recently crossed the radar of the EEOC.  Last month, the EEOC settled a case for alleged unlawful post-offer medical exams that required applicants to divulge family history of cancer, diabetes, and heart disease.  See EEOC Press Release, Dollar General to Pay $1 Million to Settle EEOC Disability and GINA Lawsuit, https://www.eeoc.gov/newsroom/dollar-general-pay-1-million-settle-eeoc-disability-and-gina-lawsuit (Oct. 19, 2023).

Perhaps spurred by the breadth of potential claimants, and in the wake of several Illinois Supreme Court plaintiff-friendly BIPA decisions (Cothron v. White Castle and Tims v. Black Horse) and the first BIPA jury verdict (Rogers v. BNSF Railway Co.), plaintiffs firms have doggedly filed more than 40 GIPA class actions pending in Illinois courts.  Utilizing nearly identical format, these complaints allege that large employers and companies solicited, requested, or required employee disclosure of genetic information.  Specifically, these cases pursue generous statutory damages for GIPA violations arising out of required pre-employment physical exams, interviews, and questionnaires seeking family medical history.

Implications for Employers

In light of trending GIPA class actions, Illinois employers should exercise caution when requiring employees to submit to physical exams, inquiries, or screenings.  Although courts have yet to resolve many legal defenses to these claims, targets of GIPA lawsuits may be vulnerable to significant exposure as plaintiffs allege that they are not required to prove actual injury.  Businesses should review current hiring policies and procedures for compliance with this state genetic privacy law.

For more information about the GIPA and how genetic information laws may affect your business, contact the authors Danielle Kays and Kristin Stokes, your Seyfarth attorney, or Seyfarth’s Workplace Privacy & Biometrics Practice Group.

By Karla Grossenbacher, Thomas E. Ahlering & Andrew R. Cockroft

Seyfarth Synopsis: Both Portland and New York City have followed the example set by Illinois’ Biometric Information Privacy Act (“BIPA”), a statute that has spawned thousands of cookie-cutter class action suits regarding the alleged collection of biometric information. Like BIPA, these new ordinances create a private right of action for individuals that could subject local businesses to potentially millions of dollars in liability. Businesses in these cities should carefully review these new ordinances as well as any technology they be using that has the potential to collect biometric information.

For several years now, businesses operating in Illinois have become well accustomed to the myriad lawsuits being filed, and harsh and unwavering penalties being imposed, under Illinois’ Biometric Information Privacy Act (“BIPA”). Despite the toll on businesses imposed by the ever-increasing class action and appellate litigation brought on by the statute, other jurisdictions have enacted similar legislation.

As of January 1, 2021, Portland, OR and New York City have become the newest jurisdictions to pass laws placing restrictions on the collection and/or use of biometric technology by businesses. Although the Portland and New York City ordinances differ from each other (as well as BIPA) in significant ways, they each share a common feature: a private right of action. Accordingly, these new laws have the potential to bring on a rash of high-stakes class action litigation in each of these cities.

The specifics of each ordinance are detailed below:

Portland, OR

Portland’s ordinance bans private entities from using any “facial recognition technology” in any “places of public accommodation,” with limited exceptions, such as when it is necessary to comply with federal, state, or local laws, for individuals to access their smart devices (like facial recognition on iPhones) and for use in social media applications.

The ordinance creates a private right of action “against the Private Entity in any court of competent jurisdiction for damages sustained as a result of the violation or $1,000 per day for each day of violation, whichever is greater and such other remedies as may be appropriate,” as well as attorneys’ fees to a prevailing party.

While at first reading it may appear that the law only covers the use of facial recognition in public places, the ordinance is not so narrowly drafted. Private entities are subject to the ordinance if they constitute a “place[] of public accommodation,” which is defined in the ordinance to include “any place or service offering to the public accommodations, advantages, facilities, or privileges whether in the nature of goods, services, lodgings, amusements, transportation or otherwise” but excludes “an institution, bona fide club, private residence, or place of accommodation that is in its nature distinctly private.”

Accordingly, if a facility constitutes a “place of public accommodation,” then it could be liable for facial recognition technology employed anywhere in the facility regardless of whether it is public facing. Although a narrower reading of the statute may be more reasonable, courts in Illinois have routinely broadened the scope of BIPA and it is possible Portland courts would do the same.

New York City

New York City’s newly passed biometric privacy legislation has been pending before the city council for several years. Indeed, Seyfarth previously detailed this ordinance while it was still pending legislation.

The ordinance orders that “[a]ny commercial establishment” that collects biometric information from “customers” must disclose such collection “by placing a clear and conspicuous sign near all of the commercial establishment’s customer entrances notifying customers in plain, simple language” that customers’ biometric information is being collected. The ordinance further makes it “unlawful to sell, lease, trade, share in exchange for anything of value or otherwise profit from the transaction of biometric identifier information.”

The law provides that individuals “aggrieved by” a violation of the ordinance may file a private right of action, but places some conditions on this right.

  • If the individual alleges the business collected their biometric information without making the required disclosures, the individual can only initiate a private action if they first provide written notice to the business of their intent to sue and provide the business 30 days to cure the violation by placing clear and conspicuous notice at their establishment. If the business does not cure within 30 days, the individual may sue and recover $500 for “each” violation.
  • If the individual alleges the business shared their biometric information in exchange for something of value or otherwise profited from the “transaction,” then the individual may sue without any prior notice to the business. The individual may recover $500 for “each” negligent violation of this section and may recover $5,000 for “each” intentional or reckless violation of this section.

Only the biometric information of “customers” is protected under the law and the law also makes clear that “‘customer’ means a purchaser or lessee, or a prospective purchaser or lessee, of goods or services from a commercial establishment.”

*****

Businesses in Portland, OR, and New York City should be mindful of these new laws and act accordingly. Such businesses with compliance questions should contact a member of Seyfarth’s Biometric Privacy Compliance & Litigation Practice Group.

 

By Gerald L. Maatman, Jr., Thomas E. Ahlering, Alex W. Karasik

Seyfarth Synopsis:  After a defendant in a biometric privacy class action lawsuit unilaterally implemented an arbitration clause, a federal court in Illinois granted the company’s motion to compel arbitration, holding that the plaintiff previously agreed to allow unilateral modifications of the agreement without notice, and that she agreed to arbitrate by continuing to use the defendant’s website. In this respect, the ruling in Miracle-Pond, et al. v. Shutterfly, Inc., No. 19-CV-4722, 2020 U.S. Dist. LEXIS 86083 (N.D. Ill. May 15, 2020), is important for workplace arbitration agreements in general and defense of workplace class actions in particular.

For companies defending class action lawsuits, this ruling provides a new angle of attack for these bet the company cases, by taking them into a single-plaintiff arbitration forum.

Case Background

Plaintiff was a Shutterfly user that registered for an account in August 2014 via mobile app.  The terms of use for the account, which she accepted, included a class action waiver.  Id. at *3.  In May 2015, Shutterfly added an arbitration provision to its terms of use.  Every version of Shutterfly’s terms of use since May 2015, including the most recent version from September 2019, has included an arbitration provision.

In June 2019, Plaintiff filed a class action lawsuit in Illinois state court alleging that Shutterfly violated the Illinois Biometric Information Privacy Act (“BIPA”) by using facial-recognition technology to extract biometric identifiers for “tagging” individuals and by “selling, leasing, trading, or otherwise profiting from Plaintiffs’ and Class Members’ biometric identifiers and/or biometric information.”  Id. at *5.  In July 2019, Shutterfly removed the lawsuit to federal court.

In September 2019, about three months after the lawsuit was filed, Shutterfly sent an email to all of its users nationwide. The email notified Shutterfly users that the terms of use had been updated. After listing various updates, in relevant part, the email indicated that, “We also updated our Terms of Use to clarify your legal rights in the event of a dispute and how disputes will be resolved in arbitration.”  Id.  Finally, the email advised users: “If you do not contact us to close your account by October 1, 2019, or otherwise continue to use our websites and/or mobile applications, you accept these updated terms.”  Id.

Shutterfly’s records indicated that the plaintiff opened that email on September 8, 2019, and that as of October 2, 2019, her account remained open. Shutterfly moved to compel arbitration. In opposition, Plaintiffs argued the September 2019 email “was an improper ex parte communication with Plaintiff and putative class members because it failed to advise them of the pending litigation while seeking to deprive them of their rights as plaintiffs or class members.”  Id.

The Court’s Decision

The Court granted Shutterfly’s motion to compel arbitration.  After finding that the plaintiff agreed to be bound by Shutterfly’s terms of use, the Court addressed the plaintiff’s arguments that even if a contract formed between the parties, there was no valid agreement to arbitrate because: (i) arbitration clauses subject to unilateral modification are illusory; (ii) she could not have assented to the arbitration provision because Shutterfly failed to provide notice of the 2015 modification; and (iii) arbitration clauses that apply retroactively are unenforceable.  Plaintiff further argued that even if the arbitration clause was valid, the plaintiff could not waive the right to class arbitration of the claim for an injunction.

First, the Court rejected the plaintiff’s argument that arbitration clauses subject to unilateral modification are illusory. It cited several Illinois decisions that allowed parties to agree to authorize one party to modify a contract unilaterally.  Id. at *11-12.  Second, the Court rejected the plaintiff’s argument that she could not assent to an arbitration provision of which she had no notice. The Court reasoned that when she entered into a service contract with Shutterfly in 2014, she explicitly gave Shutterfly the right to unilaterally modify the agreement at any time and without notice.  Third, the Court rejected the plaintiff’s argument that arbitration clauses that apply retroactively are unenforceable. It found that the plaintiff agreed to her arbitrate her claims in the 2015 modification, thus mooting the retroactive arbitration argument.

Finally, the Court addressed the plaintiff’s argument that under McGill v. Citibank, 393 P.3d 85 (Cal. 2017), the plaintiff could not waive the right to class arbitration of the claim for an injunction prohibiting Shutterfly from continuing to collect face scans of Illinois residents notwithstanding the class waiver provision in the terms of use.  Id. at *17. Shutterfly argued that the McGill rule only applied to claims arising under California’s consumer protection laws, and that the plaintiff in this case was not seeking a public injunction, but a private one.  The Court agreed with Shutterfly’s position, holding that the plaintiffs’ substantive claim arose under an Illinois statute, the BIPA, and did not arise under the consumer protection laws of California, and therefore the McGill rule did not apply to the arbitration agreement in this case.  Accordingly, the Court granted Shutterfly’s motion to compel arbitration.

Implications For Employers

Over the last several years, many businesses have been implementing arbitration clauses in both employment and consumer agreements.  Accordingly, it is possible that upon entering into agreements, many employees and consumers may not have initially agreed to arbitrate disputes and waive their rights to initiate class action litigation.  When businesses are thus confronted with large scale class action claims, the ruling in Miracle-Pond, et al. v. Shutterfly, Inc. demonstrates that it would be worth their while to closely examine modifications of dispute resolution provisions to determine if there is a potential avenue to attack class action claims.  In addition, businesses without arbitration provisions may consider implementing this mechanism to deter potential litigants from filing class action lawsuits.

By Gerald L. Maatman, Jr., Thomas E. Ahlering, and Alex S. Oxyer

Seyfarth Synopsis: On January 29, 2020, Facebook announced that it had reached a settlement with plaintiffs in a class action brought under the Illinois Biometric Information Privacy Act (the “BIPA”) in the U.S. District Court for the Northern District of California. The settlement represents one of the largest payouts in a case brought under the BIPA since the law was passed in 2008. However, as the case against Facebook was not reflective of typical litigation brought under the BIPA, companies and their counsel should not be used it as a yardstick to value the majority of BIPA settlements moving forward.  

Wednesday’s settlement puts an end to the largest BIPA case filed to date. Though the settlement included a hefty price tag, the Facebook litigation was an unusual case filed under the BIPA in both class size and subject matter and should not necessarily serve a guidepost for BIPA settlements in the future.

Case Background

In In Re Facebook, plaintiffs alleged that Facebook violated the BIPA when it unlawfully collected and stored biometric data on Facebook users without prior notice or consent. Plaintiffs’ claims arose out of Facebook’s “Tag Suggestions” function, which identifies other Facebook users through scanning uploaded photographs. Plaintiffs alleged that Facebook created and stored digital representations of people’s faces based on the geometric relationship of facial features unique to each individual.

The case was originally filed as three separate lawsuits in the U.S. District Court for the Northern District of Illinois. After the parties stipulated to transfer the cases to the Northern District of California, the Court consolidated the three suits into one class action complaint and Facebook moved to dismiss, asserting that the plaintiffs lacked standing under Article III to bring the suit because the collection of biometric information without notice or consent did not result in “real-world harms,” “such as adverse employment or even just anxiety.” Facebook’s motion to dismiss was denied. The District Court held that the plaintiffs had standing because they were never offered the opportunity to withhold consent from the storage of biometric data. The District Court also certified a class of “Facebook users located in Illinois for whom Facebook created and stored a face template after June 7, 2011.” Patel v. Facebook, Inc., 932 F.3d 1264, 1269 (9th Cir. 2019).

Facebook subsequently appealed the denial of the motion to dismiss and the class certification order to the U.S. Court of Appeals for the Ninth Circuit. In Patel v. Facebook, Inc., 932 F.3d at 1277, the Ninth Circuit affirmed the District Court’s decision in August 2019, holding that plaintiffs had alleged a harm sufficient to confer standing and that the class had been appropriately certified. Facebook then appealed the decision up to the U.S. Supreme Court, which denied certiorari last week on January 22, 2020. See Facebook, Inc. v. Patel, No. 19-706, 2020 WL 283288 (Jan. 21, 2020).

The Settlement

Facebook disclosed the settlement of the In Re Facebook case in conjunction with its quarterly financial results on January 29, 2020. Facebook’s disclosure indicated that, under the settlement agreement, Facebook will pay $550 million to eligible class members and plaintiffs’ attorneys. The parties have not yet released any additional information about the settlement, which follows closely on the heels of the Supreme Court’s decision last week not to hear Facebook’s appeal.

Implications For Illinois Companies

While the size of this settlement should certainly be noteworthy to companies doing business in Illinois, it is not reflective of the typical value of settlements for BIPA cases. The class certified in In Re Facebook included all Facebook users located in Illinois for whom Facebook created or stored a face template after June 2011. Extrapolating from the Plaintiffs’ allegations, the class could have presumably included millions of members, each of whom may have been awarded statutory damages ranging from $1,000 to $5,000 under the BIPA had Facebook proceeded to trial. Further, Facebook’s alleged use of the biometric information was much different than the typical BIPA case, which usually involves fingerprint or retina scans for payroll or security purposes.

However, despite the unique posture of the Facebook lawsuit, this significant settlement amount may exacerbate an already growing trend in privacy lawsuits being filed across the nation, with Illinois serving as a hotbed for such litigation under the BIPA (we have previously discussed the rise in BIPA lawsuits and the onset of other biometric privacy legislation here). Companies conducting business in Illinois and utilizing biometric information (such as fingerprint scans, retina scans, or, like Facebook, facial mapping or imaging, among other types) should be mindful that they are aware of and compliant with the requirements of the BIPA.

By Gerald L. Maatman, Jr., Thomas E. Ahlering and Andrew R. Cockroft

Seyfarth Synopsis: While most employers are likely familiar with the Illinois Biometric Information Privacy Act (“BIPA”), they should know that Illinois is not the only state with a biometric privacy law and many other states are not far behind from joining that group.  In addition to states with existing biometric privacy laws (Illinois, Texas, and Washington), various state legislatures are considering similar (often-times identical) statutes. As a result, employers should take account of this patchwork quilt of laws in their compliance activities.

Since 2018, employers operating in Illinois have become well accustomed to recent flurry of class actions involving the Illinois Biometric Information Privacy Act (“BIPA”).  Following the Illinois Supreme Court’s decision in Rosenbach v. Six Flags Entertainment Corp., 2019 Ill. Lexis 7 (Ill. Jan. 25, 2019), there has been a sharp rise in cookie-cutter claims alleging violations of the BIPA with often no concrete injury even alleged.  Though there are current legislative efforts that could potentially curtail the prevalence of lawsuits under the BIPA, Illinois employers should be aware that non-compliance could expose employers to potential damages of $1,000 or $5,000 for each employee relating to improper collection of biometric information or biometric identifiers.

 

However, employers in other states also should be aware that the BIPA-craze is not isolated to Illinois.  Indeed, at least two other states have biometric privacy statutes on their books right now (Washington and Texas) and nearly a dozen more have considered implementing statutes like the BIPA.  Though all of these statutes in some way prohibit the collection of biometric information and/or biometric identifiers, only some are like the BIPA in that they contain a private right of action and apply to the collection of biometric information or identifiers in an employment context.

In particular, employers in Alaska, Michigan, and New York (as well as employers based solely in New York City) should be aware that these respective legislative bodies are considering statutes nearly identical to the BIPA.  Similarly, employers should monitor the current efforts to expand the private right of action in the California’s Consumer Privacy Act (“CCPA”).  Should the California legislature allow private individuals to sue for the violations of every one of the CCPA’s various requirements, California could become the “new Illinois hotbed” in biometric privacy litigation.

Set forth below we have grouped each state’s respective biometric privacy law based on whether it is: (1) current law; (2) signed, but not yet effective; (3) pending in the legislature; or (4) introduced in the legislature, but has since died.

Current Biometric Privacy Laws In Other States

Texas – The Texas Biometric Privacy Act prohibits the “capture” of biometric identifiers for a “commercial purpose” without notice and consent.  The Act defines “biometric identifiers” as specifically “a retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry.” “Commercial purpose” is left undefined in the statute.  The law does not define whether notice and consent must be done in writing.  Only the attorney general can bring suit for violations of the Act.  Each violation is subject to a civil penalty of up to $25,000.

Washington – Washington prohibits the collection and use of biometric identifiers for commercial purposes without notice and consent.  Unlike Texas’s law, Washington restricts the “enrollment” of biometric identifiers, which is defined as “capturing” a biometric identifier or “convert[ing] it into a reference template.” The law does not define whether notice and consent must be done in writing.  However, notice and consent provisions do not apply to data collected for “security purposes” (i.e. stored for “the purpose of preventing shoplifting, fraud, or any other misappropriation or theft of a thing of value”).  The law does not have a private right of action to allow for suits by individual plaintiffs.  Instead, only the Washington Attorney General can enforce the requirements.

Signed, But Not Yet Effective, Biometric Privacy Laws in Other States

Arkansas – On April 15, 2019, Governor Asa Hutchinson signed HB1943 and the bill goes into effect on July 23, 2019.  The bill amends Arkansas’ Personal Information Protection Act (“PIPA”) by adding “biometric data” into the definition of “personal information” protected by the PIPA. “Biometric data” is defined as “fingerprints, faceprint, a retinal or iris scan, hand geometry, voiceprint analysis, DNA, or any other unique biological characteristics of an individual if the characteristics are used by the owner or licensee to uniquely authenticate the individual’s identity when the individual accesses a system or account.”

If a breach affects 1,000 or more individuals and the data owner is required to report the breach to individuals under the PIPA, then the data owner must disclose the security breach to the Arkansas Attorney General.  Additionally, businesses that suffer a security breach must retain a copy of the written determination of the breach, as well as any supporting documentation, for five years from the date of determination of the breach.  However, the determination and documentation are to remain confidential and are not subject to public disclosure.  Crucially, the bill does not contain a private right of action.

California – On June 28, 2018, California passed the California Consumer Privacy Act (“CCPA”) which will become effective January 1, 2020.  “Biometric information” is included under the definition of “personal information” protected by the statute.  Under the CCPA, biometric information is “an individual’s physiological, biological or behavioral characteristics, including . . . iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.”

The CCPA requires companies make certain disclosures to consumers via their privacy policies, or otherwise at the time the personal data is collected. As currently drafted, the CCPA has a limited private right of action which allows individuals to sue for statutory damages of $100 to $750 per violation if one’s personal information is “subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” For all other violations, the CCPA provides that only the Attorney General may sue to recover civil penalties, with the recovery of those penalties to be earmarked for a new consumer privacy fund designed to offset the Attorney General’s and courts’ additional costs in enforcing the CCPA.

However, the state of the finalized CCPA is still in flux — particularly in two respects of utmost importance: (1) the expansiveness of the CCPA’s private right of action; and (2) the CCPA’s application to employers.  Recently, an amendment providing for a sweeping private right of action failed to get out of committee.  Additionally, another bill is pending that is seeking to exclude information relating to employees from the scope of the CCPA and seeks to narrow the definition of “consumer” to exclude employees.

We recommend keeping an eye on these two developments relating to the CCPA moving forward as they are crucial to employers’ compliance efforts.

Pending Biometric Privacy Laws in Other States

Alaska – Alaska’s biometric privacy bill, H.B. 72 mirrors the BIPA in providing a private right of action and statutory damages of between $1,000 and $5,000 depending on the type of violation.  H.B. 72 also requires employers to provide individuals notice of the collecting entity’s biometric privacy practices and obtain written consent.  Unlike the BIPA, however, H.B. 72 does not explicitly allow employers to make consent to the collection of biometric information a condition of employment.  The bill has been pending since 2017, however, and it still remains in committee.

Arizona  – On January 22, 2019, HB 2478 was introduced in Arizona’s legislature.  HB 2478 does not include a private right of action, however, the bill would prohibit businesses from capturing, converting, or storing an individual’s biometric identifier in a database for a “commercial purpose” unless (1) it provides “a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose; or (2) advance notice [is] provided and consent [is] obtained from the individual.”

Massachusetts – Massachusetts’ proposed legislation, Bill SD.341, “an Act relative to consumer data privacy,” is still in committee.  However, employers should be aware that this bill as currently written does not apply to “business[es] collecting or disclosing personal information of the business’s employees so long as the business is collecting or disclosing such information within the scope of its role as an employer.”

Michigan – Michigan’s biometric privacy law, House Bill No. 5019, is still in committee after being introduced in September 2017.  The text of the bill is nearly identical to the BIPA, and includes a private right of action.

New Hampshire – Though a BIPA-like law has not been introduced since 2017, there have been more recent attempts at prohibiting the collection of biometric information.  This year, HB 536 was introduced seeking to add two new provisions to New Hampshire’s Consumer Protection Act making it unlawful to “Obtain[], us[e], disclos[e], or retain[] biometric information about an individual with whom the person is engaged in trade or commerce for any purpose other than that which the individual reasonably expects.” If the amendment is successful, such a provision can only be enforced by New Hampshire’s Consumer Protection and Antitrust Bureau.

New York – New York has two different biometric privacy bills pending in their legislature.  On January 11, 2019, NY SB 1203 was introduced for the third time in just as many years.  Like the bill pending in Michigan, the text of the New York bill is nearly identical to the BIPA, and includes a private right of action.

Another bill, S5642, is similar to California’s Consumer Privacy Act, though it’s private right of action allows individuals to bring suit for unlawful disclosure of biometric information as well as the unlawful collection of biometric information.  Unlike California’s law, however, S5642 does not apply to the collection of personal information in the employment context.  “Consumer” as defined in the bill “does not include an employee or contractor of a business acting in their role as an employee or contractor.”

New York City – On October 17, 2018, Bill Int. No. 1170 was introduced seeking to amend Section 1, Chapter 5 of Title 20 of the Administrative Code of the City of New York.  While the bill contains some similar provisions to the BIPA, including a private right of action, and avoids the statutory standing issues by providing that “any person who[se] biometric identifier information was collected, retained, converted, stored or shared in violation of [the law] may commence an action,” the bill as written only applies to the collection of biometric identifier information of “customers” defined as “a purchaser or lessee, or a prospective purchaser or lessee, of goods or services from a commercial establishment.” The bill has yet to be presented before a committee.

Introduced Biometric Privacy Laws In Other States Which Did Not Pass

DelawareDelaware’s biometric privacy bill, DE HB350, was introduced in March 2018 and remains pending.  Though individuals must be provided notice and give consent prior to the collection of their biometric information, unlike the BIPA, the law does not mandate consent be in writing.  The bill as written may only be enforced by the Delaware Consumer Protection Unit. As of this writing, the bill is dead.

Florida – On March 5, 2019, the “Florida Biometric Information Privacy Act” (SB 1270)  was introduced in the Florida legislature.  The statute generally follows the text of the BIPA regarding notice and consent requirements, a private right of action and the availability of statutory damages.  As of the date of publication, the bill has died in committee.

Montana – Montana has actually had two failed attempts at passing BIPA-like legislation.  On February 17, 2017, the “Montana Biometric Information Privacy Act” (HB 518) was introduced in the Montana legislature.  Like the BIPA, HB 518 requires written notice and consent before biometric data or information may be collected and also provides for a private right of action. However, the bill has died in committee.  On March 1, 2018, an act of the same name was introduced as HB 645 with the private right of action removed and leaving enforcement to the state’s attorney general.  This too died in committee.

New Hampshire – New Hampshire last considered a BIPA-like law in 2017 following the introduction of HB 523.  The bill is similar to the BIPA in its notice and consent requirements. However, the bill made it unlawful to refuse to employ someone who declined to consent to the collection of their biometric information.  Nevertheless, the bill, died in committee.

Best Practices For Compliance

Though many of these statutes have not made it passed committee, much less passed, it is still important to get ahead while it is costs far less than the potential class action lawsuit.  Accordingly, it is critical for employers in these jurisdictions to:

  • Have a written policy relating to the collection, storage, and retention of biometric information stating the business’s retention schedule for the data and the rules governing its destruction;
  • Obtain written consent from employees who are using technologies that collect or capture biometric information;
  • Take steps ensure that neither the company nor any vendor storing biometric data on the company’s behalf sells or discloses the data;
  • Implement security protocols for the protection of biometric data; and
  • Have appropriate provisions in vendor contracts ensuring they comply with existing laws and that the company may retain the right to request information and have the right to be notified in the event of a suspected breach.

Compliance is key, and there no better time to think about your company’s biometric privacy compliance than right now.  Businesses with compliance questions should contact a member of Seyfarth Shaw’s Biometric Privacy Compliance & Litigation Practice Group.

By: Gerald L. Maatman, Jr., Thomas E. Ahlering, and Alex W. Karasik

Seyfarth Synopsis: Over the last few years, Illinois companies have quickly become aware of the risks associated with the state’s unique biometric privacy law. Originally passed in 2008, the Illinois Biometric Information Privacy Act (“BIPA”) made Illinois the first state to enact a policy governing the collection and storage of biometric data resulting in a surge of class action lawsuits filed by employees and consumers alleging that their biometric data was improperly collected for timekeeping, security, and consumer transactions. While filing activity under the statute remained silent for nearly a decade following its enactment, the recent explosion of class actions in Illinois under the BIPA has since made biometric privacy compliance a top priority for many employers. In today’s blog, we examine this novel class action trend and provide a comprehensive analysis of the class action filing history of claims under the BIPA including the volume of class action filings, a breakdown of jurisdictions in which class actions are filed, who is filing, and the primary industries facing class actions.

Background Of The BIPA

As biometric technology has become more practical and affordable, businesses have gradually begun to utilize these innovative tools for various beneficial purposes, such as implementing biometric time clocks to prevent “buddy punching,” facilitate consumer transactions, and for restricting access to secure areas. Accordingly, the BIPA was enacted by the Illinois state legislature as a reaction to the increased use of biometric technology due to the sensitive nature of biometric identifiers and associated data.

The BIPA regulates the collection, capture, and storage of “biometric identifiers,” such as fingerprints, voiceprints, retina/iris scans, and scans of hand or face geometry. Specifically, the statute prohibits an entity from collecting biometric information unless it first: (1) informs individuals in writing that his or her biometric data is being captured; (2) outlines the purpose and period of time for which the data will be utilized; and (3) receives a written release from individuals consenting to the collection. Outside of these guidelines, the BIPA also includes regulations requiring a compliant, publically-available written policy, prohibits disclosure of biometric data to third-parties absent consent, and mandates a “standard of care” that businesses must adhere to in protecting biometric data.

While other states have also implemented biometric privacy statutes, the BIPA is unique because it provides a private right of action, and therefore allows plaintiffs to recover liquidated damages and attorneys’ fees for violation of the statute. Under the BIPA, “[a]ny person aggrieved by a violation” can recover “liquidated damages of $1,000 or actual damages, whichever is greater” for negligent violations, and “liquidated damages of $5,000 or actual damages, whichever is greater” for intentional or reckless violations.

Since the BIPA was the first biometric privacy statute of its kind, there were still a few important questions to be answered regarding the interpretation of the law. Namely, the most pressing threshold issue was whether individuals need to sustain actual damages in order to qualify as a “person aggrieved” in order to asserts claims under the BIPA. As we blogged HERE, this question was answered in the negative by the Illinois Supreme Court in Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Ill. Jan. 25, 2019). In Rosenbach, the Illinois Supreme Court held that a person does not need to allege any actual injury or adverse effect, beyond technical violations of the statute in order to state a claim.

Analysis Of Class Action Filing Trends Under The BIPA

Despite the BIPA being enacted in 2008, the first class action under this law was not filed until 2015. Though this filing drew some attention to Illinois’ unique statute governing biometric data, filing activity under the statute remained minimal until approximately 2017. As indicated in the graphic below, there were only a total of 15 class actions filed in Illinois under the BIPA from 2008 through 2016. However, filings have since increased at an exponential and rapid pace. Most notably, the approximately 161 class actions filed already in 2019 (as of the date this blog was published) more than doubles the total number from 2017, and filings have increased approximately 27 times from the total filings a mere four years ago.Perhaps the most striking trend of all is the substantial increase in class action filings under the BIPA since the Illinois Supreme Court’s decision in Rosenbach. Since this decision was issued on January 25, 2019, there have been a total of 151 class actions under the BIPA filed in Illinois – approximately a rate of an additional case filed every day. In fact, in just 148 days following the Rosenbach decision, the Illinois plaintiff’s bar filed nearly as many class action lawsuits under the BIPA as it did during a 10-year span prior to the decision. The pie graph below offers a visual account of this prompt spike in litigation activity. It has become clear to all Illinois businesses utilizing biometric technology that the plaintiff’s bar views the Rosenbach decision as a “door-opener” for class action filings under the BIPA.

 

In terms of jurisdiction, the large majority of class actions are filed in the Circuit Court of Cook County – a traditionally plaintiff friendly jurisdiction. In fact, approximately 82% of filings have been initiated in Cook County. The next most popular jurisdiction is the U.S. District Court for the Northern District of Illinois. However, this federal court represents a distant second to the Circuit Court of Cook County, accounting for just 4% of all class action filings under the statute. While the plaintiff’s bar has filed biometric privacy class actions in a total of nine different courts, the BIPA is, by all accounts, being primarily litigated in the Circuit Court of Cook County.

With the rising number of filings in Illinois, the plaintiff’s class action bar have been staying busy and some plaintiff’s class action firms have carved out a niche in this arena. As indicated below, three firms alone account for more than half of all class actions file under the BIPA in Illinois.

Finally, it is important for employers to know which types of businesses are commonly targeted in these types of biometric privacy cases. As the bar graph below demonstrates, there is no clear target of class actions in terms of industry. One of the most targeted industry of class actions under the BIPA is the business services industry, which includes all companies designed to service other businesses, such as those performing staffing, logistics, or janitorial services. The healthcare industry is also a popular BIPA class action target, and the manufacturing and retail industries are not far behind. Furthermore, though the filing numbers are not as large, the software and technology industry is also notable because it includes many businesses who produce, maintain, or sell the types of timekeeping software at issue.

Best Practices For Compliance

Given the rising class action litigation activity, businesses must proactively implement biometric privacy compliance measures. First and foremost, companies utilizing biometric technology must obtain written consent from individuals prior to storing or collecting their biometric data. This action alone resolves some of the core privacy issues at issue in many biometric privacy class actions. Additionally, companies must maintain a publically-available written policy stating the company’s retention and destruction schedule for all biometric data. Companies should also take steps to ensure that biometric data is not sold or disclosed to third parties by implementing security guidelines for the protection of individuals’ biometric data and ensuring that company vendors provide the same level of data protection, if not higher, than that of the business.

Compliance is key, and there no better time to think about your company’s biometric privacy compliance than right now. Businesses with compliance questions should contact a member of Seyfarth Shaw’s Biometric Privacy Compliance & Litigation Practice Group.

By Gerald L. Maatman, Jr., Thomas E. Ahlering, and Alex W. Karasik

Seyfarth Synopsis: The Illinois Supreme Court held in its first ever ruling concerning the state’s Biometric Information Privacy Act (“BIPA”) that a person need not have sustained actual damage beyond technical violations of BIPA in order to pursue claims for damages.  The Illinois Supreme Court’s ruling will likely greatly increase the potential exposure for companies in actions alleging violations of the Act, and makes strict compliance with the Act significantly important.

For businesses in Illinois (and potentially in states with similar statues), the ruling in Rosenbach v. Six Flags Entertainment Corp., No. 123186, 2019 Ill. Lexis 7 (Ill. Jan. 25, 2019), serves as a loud warning shot that they must immediately take steps to strictly comply with BIPA’s requirements, or risk facing costly class action litigation.  As determined by the Illinois Supreme Court, “[w]hatever expenses a business might incur to meet the law’s requirements are likely to be insignificant,” in light of the potential for “liability for failure to comply with [BIPA’s] requirements.”  Id. at *21.

***

BIPA Background

Despite being barely over a decade old, BIPA litigation was rather stagnant for its first ten years, until a flurry of lawsuits were filed under this law in 2018.  The BIPA prohibits an entity from collecting, capturing, purchasing or otherwise obtaining a person’s “biometric identifier” or “biometric information,” unless it satisfies certain notice, consent, and data retention requirements.  At the time BIPA was passed into law, the thought of an entity utilizing fingerprint or facial recognition for employee identification was typically reserved for high-net-worth entities or those with dire need for added levels of security.  In today’s workplace, businesses small and large across nearly every industry are using fingerprint or facial recognition for both employee and customer identification.

The BIPA outlines several requirements for the collection and use of biometric information by private entities. Private entities collecting a person’s biometric information musty (1) inform the person in writing that his or her biometric information is being collected; (2) explain the purpose and length of time for which the information will be used; and (3) receive written consent.

The BIPA also creates a limited right of action for “person[s] aggrieved by a violation” of its terms. A “person aggrieved” by a negligent violation of the BIPA may recover “liquidated damages of $1,000 or actual damages, whichever is greater.”  A “person aggrieved” by an intentional or reckless violation of the BIPA may recover “liquidated damages of $5,000 or actual damages, whichever is greater.”

Case Background

Since 2014, Defendants, operators of an amusement park in Illinois, have used a fingerprinting process when issuing repeat-entry passes to the park.  Id. at *2.  Plaintiff alleged that this system scans pass holders’ fingerprints; collects, records and stores biometric identifiers and information gleaned from the fingerprints; and then stores that data in order to quickly verify customer identities upon subsequent visits by having customers scan their fingerprints to enter the theme park.  She further alleged that in 2014, while the fingerprinting system was in operation, her 14-year-old son visited the amusement park on a school field trip, where his thumbprint was used to gain access as a season pass holder.

Plaintiff filed a three count complaint alleging Defendants violated the BIPA by: (1) collecting, capturing, storing, or obtaining biometric identifiers and biometric information from Plaintiff’s son and other members of the proposed class without informing them or their legally authorized representatives in writing that the information was being collected or stored; (2) not informing them in writing of the specific purposes for which Defendants were collecting the information or for how long they would keep and use it; and (3) not obtaining a written release executed by Plaintiff, her son, or members of the class before collecting the information.  Id. at *6.

Defendants moved to dismiss the complaint, arguing among many things, that plaintiff had suffered no actual or threatened injury and therefore lacked standing to sue.  Id. at *6-7.  The Circuit Court granted Defendants’ motion to dismiss Count III, but denied its motion as to Counts I and II.  Defendants thereafter sought interlocutory review of the Circuit Court’s ruling, which the Illinois Appellate Court granted.

On December 21, 2017, the Illinois Appellate Court for the Second District became the first to address the issue of whether a plaintiff can recover for technical violations of the BIPA, even if the complaint does not allege that the plaintiff suffered any harm, loss or injury.  It held that a plaintiff is not “aggrieved” within the meaning of the Act and may not pursue either damages or injunctive relief under the Act based solely on a defendant’s violation of the statute.  Additional injury or adverse effect must be alleged.  The injury or adverse effect need not be pecuniary, the Appellate Court held, but it must be more than a technical violation of the Act.  Plaintiff thereafter petitioned the Illinois Supreme Court for leave to appeal, which was granted.

The Illinois Supreme Court’s Decision

On January 25, 2019, in a highly anticipated ruling, the Illinois Supreme Court reversed the Illinois Appellate Court and remanded the case back to the Circuit Court for further proceedings.  After summarizing the BIPA, the Illinois Supreme Court began its analysis by zeroing in its statutory construction, noting that Defendants had read the Act as evincing an intention by the legislature to limit a plaintiff’s right to bring a cause of action to circumstances where he or she has sustained some actual damage, beyond violation of the rights conferred by the statute, as the result of the defendant’s conduct.  Id. at *13-14.  The Illinois Supreme Court rejected this argument as untenable, noting that when the General Assembly has wanted to impose such a requirement in other situations, it has made that intention clear.  Id.

Next, the Illinois Supreme Court held that a person who suffers actual damages as the result of the violation of his or her rights would meet this definition of course, but sustaining such damages is not necessary to qualify as “aggrieved.”  Id. at *16.  Rather, “[a] person is prejudiced or aggrieved, in the legal sense, when a legal right is invaded by the act complained of or his pecuniary interest is directly affected by the decree or judgment.”  Id.  Accordingly, based on this construction, the Illinois Supreme Court held that a when a private entity fails to comply with one of the BIPA’s Section 15’s requirements, that violation constitutes an invasion, impairment, or denial of the statutory rights of any person or customer whose biometric identifier or biometric information is subject to the breach.  Id. at *17-18.  Further, it opined that “[n]o additional consequences need be pleaded or proved. The violation, in itself, is sufficient to support the individual’s or customer’s statutory cause of action.”  Id. at *18.

Finally, the Illinois Supreme Court explained that the BIPA vests in individuals and customers the right to control their biometric information by requiring notice before collection and giving them the power to say no by withholding consent.  Id.  It explained that these procedural protections are particularly crucial in our digital world because technology now permits the wholesale collection and storage of an individual’s unique biometric identifiers — identifiers that cannot be changed if compromised or misused.  Id. at *18-19 (citations and quotation marks omitted).  The Illinois Supreme Court further opined that “[w]hen a private entity fails to adhere to the statutory procedures, as [D]efendants are alleged to have done here, the right of the individual to maintain [his or] her biometric privacy vanishes into thin air. The precise harm the Illinois legislature sought to prevent is then realized.  This is no mere ‘technicality.’  The injury is real and significant.”  Id. at *19 (citations and quotation marks omitted).

The Illinois Supreme Court concluded its opinion by holding that contrary to the Appellate Court’s view, an individual need not allege some actual injury or adverse effect beyond violation of his or her rights under the Act in order to qualify as an “aggrieved” person and be entitled to seek liquidated damages and injunctive relief pursuant to BIPA.  Id. at *22.  Therefore, it reversed the judgment of the Appellate Court and remanded to the Circuit Court for further proceedings.

What This Means For Businesses

The decision will make it significantly easier for individuals to assert causes of action and seek damages for mere non-compliance with the BIPA’s requirements – absent any allegations of harm or injury.  In that regard, the decision makes it of the utmost importance that companies take strict measures to comply with the BIPA’s requirements.  As stated by the Illinois Supreme Court, “[w]hatever expenses a business might incur to meet the law’s requirements are likely to be insignificant,” in light of the potential for the significant “liability for failure to comply with [the BIPA’s] requirements.”  Id. at *21.

By Gerald L. Maatman, Jr. and Thomas E. Ahlering

 Seyfarth Synopsis:  As the number of class action lawsuits alleging violations of the Illinois Biometric Information Privacy (“BIPA”) has exploded in the last six months, defendants have been eagerly awaiting guidance from an Illinois appellate court regarding what a Plaintiff must allege in order to have a viable right of action under the statute. In Rosenbach v. Six Flags, 2017 IL App (2d) 170317 (Ill. App. Ct., Dec. 21, 2017), the Illinois Appellate Court for the Second District issued the first such ruling in this area, holding that a Plaintiff must allege an actual injury to be “aggrieved” under the Act in order to seek statutory damages and injunctive relief. 

The decision represents a significant victory for employers because defendants in both federal and state courts – facing potentially catastrophic damages under the statute for implementation of biometric technology for various purposes, including timekeeping practices – have made similar arguments that plaintiffs alleging mere technical violations of the statute are not “persons aggrieved,” thereby entitling plaintiffs to statutory damages and injunctive relief.  The decision in Rosenbach provides clarity as to the viability of certain potential employer defenses in BIPA class actions, particularly at the motion to dismiss stage.  Most notably, the decision will almost certainly serve to shift the tide in favor of employers facing BIPA class actions.

***

The Illinois Appellate Court’s Decision

In Rosenbach, Plaintiff, as the mother of her minor son, brought a class action on behalf of herself and all others similarly-situated, alleging that Defendants Six Flags Entertainment Corp. (“Six Flags”) and Great America LLC (“Great America”) violated the BIPA when her son purchased a season pass for Great America theme park and defendants fingerprinted him using a biometric scanner without obtaining written consent or disclosing their plan for the collection, storage, use, or destruction of his biometric identifiers or information.  Rosenbach,  2017 IL App (2d) 170317, *1.  Defendants moved to dismiss on the grounds that Plaintiff was not a “person aggrieved by a violation” of the BIPA as required by the statute in order for a Plaintiff to have a right of action because Plaintiff alleged mere technical violations of the statute.  Id. (quoting 740 ILCS 14/20).

The trial court denied the motion to dismiss, but later certified two questions for appellate review relating to whether a person aggrieved by a violation of the BIPA must allege some actual harm, including: (1) whether an individual is an aggrieved person under section 20 of BIPA and may seek statutory damages authorized under the BIPA when the only injury he or she alleges is a violation that a defendant collected his or her biometric identifiers and/or biometric information without providing him or her the disclosures and obtaining written consent; and (2) whether an individual is an aggrieved person under section 20 of the BIPA and may seek injunctive relief authorized under the BIPA when the only injury he or she alleges is a violation that a defendant collected his or her biometric identifiers and/or biometric information without providing him or her the disclosures and obtaining written consent.  Id. *3.

The Illinois Appellate Court answered both questions in the negative and held that a Plaintiff must allege an actual injury to be “aggrieved” under the Act.  In so holding, the Illinois Appellate Court analyzed the plain language of the statute and consulted various definitions of “aggrieved,” including Black’s Law Dictionary, to find that “there must be actual injury, adverse effect, or harm in order for [a] person to be ‘aggrieved.’”  Id.

It further noted:

Likewise, if the Illinois legislature intended to allow for a private cause of action for every technical violation of the Act, it could have omitted the word “aggrieved” and stated that every violation was actionable. A determination that a technical violation of the statute is actionable would render the word “aggrieved” superfluous. Therefore, a plaintiff who alleges only a technical violation of the statute without alleging some injury or adverse effect is not an aggrieved person under section 20 of the Act.

Id. *4.

In sum, the primary holding of the case is that “[i]f a person alleges only a technical violation of the Act without alleging any injury or adverse effect, then he or she is not aggrieved and may not recover under any of the provisions in section 20.”  Id. *5.

Analysis And Implications For Employers

The Illinois Appellate Court’s decision constitutes a significant victory for employers facing BIPA class actions.

Most notably, the Illinois Appellate Court held that a Plaintiff cannot proceed on a claim for either statutory damages or injunctive relief for mere technical violations of the statute.  This holding is key for employers because class actions brought under the BIPA frequently consist of cookie cutter complaints which merely allege technical violations of the BIPA (i.e., failure to obtain written consent, failure to maintain a “publically available” biometric privacy plan, and failure to provide notice of biometric retention and destruction policies) and not an actual injury (i.e., identity theft).

While the decision represents a significant decision at this juncture in favor of employers, we anticipate that the Plaintiffs’ class action bar will continue to attempt craft creative arguments to circumvent this ruling and find a way to argue that an individual is an “aggrieved person” for purposes of the BIPA.

Accordingly, employers should remain vigilant and ensure that they are in compliance with the BIPA’s requirements to ensure that a mere “technical” violation of the statute does not result in something which could constitute an actual injury entitling an individual to pursue statutory damages and injunctive relief.

By Gerald L. Maatman, Jr. and Thomas E. Ahlering

Seyfarth Synopsis:  As biometric technology has become more advanced and affordable, more companies and employers have begun implementing procedures and systems that rely on biometric data.  Given the serious repercussions of compromised biometric data, a number of states have proposed or passed laws regulating the collection and storage of biometric data, including Illinois through the passage of the Illinois Biometric Privacy Act (“BIPA”) – the only biometric statute which provides a private cause of action.

Plaintiffs’ class action attorneys have taken notice, as the number of class action lawsuits alleging violations of the BIPA in Illinois has surged in recent months.  As more and more employers are utilizing biometric technology for various purposes, including timekeeping, employers are at a significant risk of becoming a target of class action litigation under the BIPA if it fails to comply with the requirements of the statute.  Cases brought pursuant to the BIPA are akin to other “gotcha” statutory class actions – highly popular with the plaintiffs’ bar due to the inclusion of statutory damages and a provision for attorneys’ fees.

The theories underlying BIPA class actions, and the defenses thereto, remain largely untested.  However, the Second Circuit became the first U.S. Court of Appeals to wade into the rising tide of litigation under the BIPA in Santana v. Take Two Interactive Software, 2017 U.S. App. LEXIS 23446 (2d Cir. Nov. 21, 2017), by affirming the district court’s dismissal of the case based upon a lack of Article III standing under the principles announced by the Supreme Court in Spokeo v. Robins, 136 S. Ct. 1540 (2016), but vacating the district court’s finding that plaintiffs were not “aggrieved by” a violation the BIPA (e.g., failed to state a cause of action under the statute due to a failure to plead actual damages).

The decision sheds light on the viability of certain potential employer defenses in BIPA class actions, particularly at the motion to dismiss stage.

***

Requirements Of The BIPA

Notice And Consent

 The BIPA prohibits companies from collecting employees’ biometric information until the company notifies the employee in writing that the information is being collected. Specifically, the written notice must inform the individual of the “specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored and used.” 740 ILCS § 14/15(b).  Likewise, a company must obtain a written release from the individual enabling it to collect and store the information.  In the employment context, “written release” is defined as a “a release executed by an employee as a condition of employment.”  740 ILCS § 14/10.

Written Policy

The BIPA also requires companies to develop a written policy establishing a retention schedule and guidelines for permanently destroying biometric information when the initial purpose for collecting them has been satisfied or within three years of the employee’s last interaction with the employer, whichever occurs first.  740 ILCS § 14/15(a).  The policy must be made available to the public.  Id.

Disclosure To Third-Parties

In addition, a company may not disclose biometric information to a third party unless: it obtains consent for disclosure from the individual; the disclosure completes a financial transaction requested by the individual; the disclosure is required by law; or the disclosure is required by a valid warrant or subpoena.  740 ILCS § 14/15(d).

Standard Of Care

Also, the BIPA requires that a company use “the reasonable standard of care” within its industry for storing, transmitting and protecting biometric information and act “in a manner that is the same as or more protective than the manner in which the [company] stores, transmits and protects other confidential and sensitive information.”  Id. § 14/15(e).

Case Background

In Santana, Plaintiffs alleged that Defendant violated the BIPA based on the use of a feature in the NBA 2K15 and NBA 2K16 video games, which contain a feature called “MyPlayer” which allows gamers to create a personalized basketball player that has a realistic 3-D rendition of the gamer’s face.  The 3-D mapping process used cameras to capture a scan of the gamer’s facial geometry to disseminate a realistic rendition of the gamer’s face which requires gamers to hold their faces within 6 to 12 inches of the camera and slowly turn their heads during the scanning process.  Id. *2-3.  To use the feature, gamers must also first agree to terms and conditions acknowledging that the face scan will be visible and may be recorded during gameplay and requires gamers to “agree and consent to such uses.”  Id.

Plaintiffs alleged that Defendant: (1) collected their biometric data without their informed consent; (2) disseminated their biometric data to others during game play without their informed consent; (3) failed to inform them in writing of the specific purpose and length of term for which their biometric data would be stored; (4) failed to make publicly available a retention schedule and guidelines for permanently destroying plaintiffs’ biometric data; and (5) failed to store, transmit, or protect from disclosure plaintiffs’ biometric data by using a reasonable standard of care or in a manner that is at least as protective as the manner in which it stores, transmits, and protects other confidential and sensitive information.  Id. *4.

Defendant moved to dismiss Plaintiffs’ claims for lack of Article III standing and for failure to state a cause of action under the statute (i.e., lack of “statutory standing”).  The district court granted the motion on both grounds and dismissed the action with prejudice, and Plaintiffs appealed.

The Second Circuit’s Decision

In its ruling of November 21, 2017, the Second Circuit entered a summary order affirming the district court’s decision insofar as it held that plaintiffs lacked Article III standing, but vacating the decision in part insofar as it held that plaintiffs lacked a statutory cause of action as “aggrieved” parties.

In regards to Article III standing, the Second Circuit held that “none of the alleged procedural violations [] raise[d] a material risk of harm” to Plaintiffs arising out of the use, collection, or disclosure of an individual’s biometric data.  Id. *7.  In reaching this conclusion the Second Circuit noted that no reasonable person would believe that the feature of the game at issue was anything other than a facial scan and Plaintiffs did “not plausibly assert (beyond a mere conclusory allegation) that they would have withheld their consent had Take-Two included additional language in its consent disclaimer.  Id. *8.  Plaintiffs’ alleged violations of the BIPA’s notice provisions similarly failed to raise a material risk of harm because Plaintiffs did not allege that Defendant had not or will not destroy their biometric data within the period specified by the statute nor did Plaintiffs allege that Defendant lacked such protocols or that its policies were inadequate and “there is accordingly no material risk that [Defendant’s procedural violations have resulted in plaintiffs’ biometric data being used or disclosed without their consent.  Id. *9.  Finally, the Court was not persuaded by Plaintiffs attempts to “manufacture an injury” by alleging that they would be deterred from using biometric technology in the future because “Plaintiffs’ fear, without more, is insufficient to confer Article III injury-in-fact.  Id. *11.

Despite this ruling, the Second Circuit remanded to the district court with the instruction that the district court shall enter dismissal without prejudice finding that the district court did not have subject matter jurisdiction to ultimately find that plaintiff did not have “statutory standing,” e.g., that Plaintiffs had not alleged a cause of action under the statute – specifically, that Plaintiffs were not “aggrieved by” a violation of the statute because they did not allege “actual damages.”  The Second Circuit held:

Since the statutory standing arguments here are based on differing constructions of the term ‘aggrieved party’ as used in BIPA, the district court’s resolution of the issue was a judgment on the merits that could not be properly addressed absent subject matter jurisdiction.  The district court was therefore without power to dismiss the complaint with prejudice for failure to state a cause of action under the statute.

Id. at *13.

Implications For Employers

The Second Circuit’s ruling represents a victory for employers to the extent that it will make it more difficult for plaintiffs to plead and maintain Article III standing to survive a motion to dismiss in federal courts.  On the other hand, the Second Circuit opinion did not bring any clarity as to who a “person aggrieved” is for purposes of the statute and whether plaintiffs must plead actual damages in order to state a cause of action under the BIPA.

The practical import of this ruling is that the battleground for defenses based on subject-matter jurisdiction and standing grounds and a lack of statutory standing (e.g. failure to plead a cause of action because plaintiffs were not “aggrieved by” a violation of the statute) will likely shift back to the Illinois state courts, which (despite being similar in many respects) have different and independent standing principles from federal courts.

Courts remain split as whether plaintiffs alleging violations under the BIPA must allege actual damages in order to state a cause of action, with state courts generally finding that actual damages are not necessary to plead a cause of action under the statute.   Compare McCollough v. Smarte Carte, Inc., 2016 WL 4077108, at *4 (N.D. Ill. Aug. 1, 2016) (dismissing BIPA action for lack of actual damages) and Rottner v. Palm Beach Tan, Inc., 2015-CH-16695 (BIPA requires showing of actual damages) with Monroy v. Shutterfly, Inc., 2017 WL 4099846, at *9 (N.D. Ill. Sept. 15, 2017) (“[w]hile the matter is not free from doubt, the court declines to hold that a showing of actual damages is necessary in order to state a claim under the BIPA); Rosenbach v. Six Flags Entertainment Corporation et al., 16 CH 13 (Cir. Court, Lake County, IL, June 17, 2016) (finding sufficient statutory standing for the plaintiff to survive a motion to dismiss where the plaintiff had provided fingerprints to Six Flags as part of an annual pass program to the amusement park); Sekura v. Krishna Schaumberg Tan, Inc., 2017 WL 1181420 (Cir. Ct., Cook County, IL, Feb. 9, 2017) (denying motion to dismiss BIPA claim and noting that ”the term ‘aggrieved’ has been used consistently in numerous statutes to provide claims for the infringement of granted legal rights without the need to plead specific or actual damages” and “it is not this court’s role to determine whether BIPA was well intentioned or even well drafted, only to determine, in this case, whether it requires that plaintiffs plead actual damages to state claims thereunder.”)

In sum, while the Second Circuit’s opinion provides employers with strong support for arguments based on a lack of subject-matter jurisdiction and standing (particularly in federal courts), arguments by employers at the motion to dismiss stage that a plaintiff lacks statutory standing (e.g., whether the statute requires a plaintiff to plead actual damages to state a cause of action) will likely have to be resolved by Illinois state courts and any such arguments in federal court may result in remand to state court, or a dismissal without prejudice allowing plaintiffs to re-file in state court.

Seyfarth Synopsis: The plaintiffs’ bar has recently brought a flurry of class action lawsuits against businesses under the Illinois Biometric Information Privacy Act, commonly known as “BIPA.”  In this Vlog, Seyfarth Shaw Associate Alex Karasik sits down with esteemed class action litigator, Partner Jerry Maatman, to discuss this emerging legal trend, and to provide employers guidance on how to prevent and defend against BIPA class actions.

Background

Unique to the state of Illinois, the Biometric Information Privacy Act was the first of its kind enacted by a state legislature.  In light of the technological advancements of the past decade, the Illinois legislature enacted this law to protect the “biometric data” of individuals, including their fingerprints, retinal scans, and facial recognition.  Since BIPA’s passage in 2008, a number of states have followed suit and added “biometric data” to their privacy laws. 

Implications For Employers

Recently, there has been a major uptick in ligation across the country involving biometric technology, and there are no signs of this trend slowing down.  In terms of preventive measures, business should establish sound protocols for the handling and dissemination of biometrics.  This is important because, in this day and age, biometric data can be used to access sensitive personal information.  Businesses should thus be cognizant of the biometric data laws in the states where they operate and closely examine whether their own policies and procedures are compliant.

Businesses must also be prepared to defend against a potential lawsuit under a biometric privacy statute.  Following the U.S. Supreme Court’s decision in Spokeo, Inc. v. Robins 136 S. Ct. 1540 (2016), the concept of “standing” has become highly relevant in employment law.  As such, when confronted with a BIPA suit, businesses should focus on whether the plaintiffs suffered a traceable harm stemming from the actions taken on their biometric data.