Biometric Privacy Developments
Biometric privacy litigation has exploded in the last several years, with Illinois the current hot spot. Class actions under the Illinois Biometric Information and Privacy Act (“BIPA”) have flooded the Illinois state and federal courts since a January 2019 Illinois Supreme Court decision.
The Illinois Statute
The Illinois legislature passed the state’s BIPA in 2008 to address the enhanced risk of identity theft associated with the collection and processing of biometric data (fingerprints, voiceprints, facial identifiers, retinal scan data, etc.). When biological data such as this is compromised, the attacker obtains a permanent marker for the affected individual. The Illinois legislature designed BIPA to require publicly posting a general notice and obtaining consent from the particular person whose biometric information was collected. 740 ILCS 14/15(a), (b). And, importantly, BIPA provides for a private right of action to a person aggrieved by a violation of the statute. Id. at 14/20. The costs of BIPA non-compliance are significant, with uncapped statutory damages of $1,000 for a negligent violation and $5,000 for each intentional or reckless violation. Id. BIPA also permits the recovery of attorney fees, making it an attractive claim for attorneys seeking compensation for their clients.
Several developments have occurred in the past year regarding BIPA litigation, including federal courts addressing the parameters of subject matter jurisdiction over BIPA claims, statute of limitations issues, insurance coverage decisions and the applicability of preemption as a defense. This alert initially discusses these recent developments, then identifies issues on the horizon in biometric privacy and concludes with a discussion about BIPA compliance.
Comparatively little litigation followed the statute’s enactment. This changed dramatically in 2019 when the Illinois Supreme Court decided a watershed case holding that a mere violation of BIPA was enough to confer standing upon a plaintiff. An individual need not allege an actual injury beyond the violation of her statutory rights to be an aggrieved person under the law. Since that time, BIPA class actions have exploded in the state of Illinois.
Below are recent developments in BIPA litigation:
- Federal courts within Illinois, and the Seventh Circuit Court of Appeals, continue to examine issues regarding subject matter jurisdiction. Because the statute creates an Illinois cause of action, federal court jurisdiction is usually obtained upon removal under either ordinary diversity or the Class Action Fairness Act (“CAFA”). In both instances, however, the courts must review and scrutinize their subject matter jurisdiction, in particular, whether plaintiffs in BIPA cases have standing under federal law. In a case decided late last year, Fox v. Dakkota Integrated Sys., LLC, 980 F.3d 1146 (7th Cir. 2020), the court found standing existed where the plaintiff alleged the defendant employer not only violated Section 15(a)’s publication requirements but also violated that law’s data retention and destruction provisions. The defendant was alleged to have failed to publish its retention policies, retained biometric identifiers beyond the time permitted by statute and illegally disclosed them to a third party. The Seventh Circuit held these allegations stated a concrete and personalized injury sufficient to create Article III injury supporting federal subject matter jurisdiction. The court concluded that unlawful retention of biometric data inflicts a privacy injury that is concrete and particularized, reversing the district court’s order remanding the case to state court.
In the most recent decision, Thornley v. Clearview AI, Inc., 2021 WL 128170 (7th Cir., Jan. 14, 2021), the Seventh Circuit held that the allegations did not rise to sufficient concrete harm where the class plaintiffs asserted nothing more than procedural violations. The case presented a bit of procedural maneuvering. The class plaintiffs initially filed a putative class action in state court alleging violations of three BIPA sections. Shortly after the first removal, the class plaintiffs voluntarily dismissed the complaint without prejudice and refiled a new and narrower complaint in state court specifically asserting that their cause of action was based upon a bare procedural violation divorced from any concrete harm. The defendant removed the second case. The plaintiffs once again moved for remand, arguing that the allegations did not give rise to Article III injury. The Seventh Circuit agreed with the district court’s remand order, recognizing that, as the masters of the complaint, the class plaintiffs had the right to assert the cause of action they wanted to pursue.
Statutes of limitations are also a significant issue under BIPA, as the statute includes no specific limitations period. Defendants have been asserting that the appropriate statute of limitations for BIPA claims is one or two years. Meanwhile, plaintiffs contend that the five-year catch-all statute of limitations applies. The Illinois Supreme Court has not decided the applicable statute of limitations for BIPA claims. However, there are two cases on appeal to the Illinois intermediate appellate courts, and they will likely provide guidance. An additional issue is when a BIPA violation accrues: when an individual’s biometric information is first collected, or each time a defendant collects or discloses the data in violation of the statute? The Seventh Circuit is currently considering this accrual issue under a certified question.
Many defendants have submitted BIPA claims to their insurance carriers. Usually, coverage has been denied. However, in a March 2020 Illinois appellate court decision, the panel held that an insurer had a duty to defend BIPA claims under the general liability policy’s personal injury coverage provision. That intermediate appellate court decision is currently on appeal to the Illinois Supreme Court, which granted review on September 30, 2020.
Another issue of significance is preemption. This is because employees assert most BIPA claims, and questions arise as to whether the claims are preempted by federal labor law or by worker’s compensation law at the state level. With federal preemption, the Seventh Circuit has held the Labor Relations Management Act (“LMRA”) preempts BIPA claims where the LMRA applies to the workforce. On the latter issue, courts in Illinois have generally determined that the state’s worker’s compensation act does not preempt BIPA claims. However, this issue has been appealed to the Illinois Supreme Court in a closely watched case.
What’s Next in Biometric Privacy?
While most of the litigation involving BIPA claims has occurred within Illinois, many other states have also passed privacy legislation or are currently considering it. Washington and Texas have biometric privacy statutes, but their laws have no private rights of action. The New York legislature is considering a biometric statute akin to Illinois’s that would include a private right of action. Other state legislatures have taken or are taking action in amendments to existing privacy or data breach response legislation, including in Arizona, Arkansas, California, Colorado, Delaware, Iowa, Maryland, Nebraska and Washington D.C. Further developments on these statutes will be significant.
While most BIPA litigation involves fingerprints, e.g., employees clocking in or clocking out, other biometric markers can be the subject of biometric privacy cases. Perhaps the most recognized extension of the BIPA statute occurred in a suit against an American technology conglomerate, where the company recently agreed to pay $650 million to settle claims involving facial recognition technology that could be used to make tagging suggestions for uploaded photographs. The Clearview AI case mentioned above involves a defendant that scraped photographic information from social media websites. An American multinational technology company has also been sued for collecting voice prints using products it offers. BIPA litigation will likely continue to evolve as new technologies hit the market.
Can Biometric Claims Be Avoided?
Mostly, biometric privacy statutes control and direct the disclosures and consents needed to collect and use biometric data. As discussed above, the Illinois BIPA does not prohibit the collection and use of biometric information if there are appropriate disclosures and consents provided by the individuals who are subject to the data collection. The statute provides specific guidelines for observing its requirements, but compliance with the Illinois BIPA should include:
- A publicly available record retention policy;
- Specific disclosures to persons whose biometric data is to be collected, used, or stored;
- Written consent by the person whose information is being collected;
- Securely stored biometric data; and
- Retention or destruction of data under the company’s data retention policy.