Illinois Biometric Privacy Suit over Collection of Fingerprints Settled
Earlier this month, an Illinois state court approved a $1.5 million settlement in a class action against L.A. Tan Enterprises, Inc., operator (directly and through franchisees) of L.A. Tan tanning salons. The settlement resolved allegations that L.A. Tan violated the Illinois Biometric Information Privacy Act (BIPA) by collecting Illinois members’ fingerprints for verification during check-in without complying with BIPA’s notice and consent requirements. (See Sekura v. L.A. Tan Enterprises, Inc., No. 2015-CH-16694 (Ill. Cir. Ct. Cook Cty. First Amended Class Complaint filed Apr. 8, 2016)). Under the settlement, approximately 37,000 class members who had their fingerprints scanned at a L.A. Tan location in Illinois between a specified three-year period (Nov. 13, 2013 to August 11, 2016) will receive a pro rata share of the settlement. Moreover, L.A. Tan agreed to comply with BIPA in the future and ensure the compliance of its franchisees.
Unlike other facilities that issue membership cards or fobs for individuals to present at check-in, L.A. Tan salons reportedly collected members’ fingerprints and stored them in a company-wide database to enable check-in at any national location. Beyond alleged violations for such fingerprint collection without proper consent, the Complaint asserted that L.A. Tan salons violated BIPA by disclosing member fingerprints to an out-of-state third party vendor without first obtaining member consent. In addition, the Complaint claims that L.A. Tan failed to provide members with a written data retention policy that disclosed guidelines for permanently destroying its customers’ fingerprints when the initial purpose for collecting their fingerprints was no longer relevant, as required by BIPA. A retention schedule and policy may be especially relevant, the Complaint suggests, since there would be uncertainty about the disposition of a member’s fingerprint data in the event his or her local L.A. Tan salon went out of business.
Generally speaking, under BIPA an entity cannot collect, capture, purchase, or otherwise obtain a person’s “biometric identifier” or “biometric information,” unless it first:
(1) informs the subject in writing that a biometric identifier is being collected;
(2) informs the subject in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and
(3) receives a written release executed by the subject.
Notably, BIPA provides for a private right of action, and potential awards of $1,000 in statutory damages for each negligent violation ($5,000 for each intentional or reckless violation), as well as injunctive relief and attorney’s fees. The statute contains defined terms and limitations, and parties in other suits are currently litigating what “biometric identifiers” and “biometric information” mean under the statute and whether the collection of facial templates from uploaded photographs using sophisticated facial recognition technology fits within the ambit of the statute.
This is one of the few reported settlements for BIPA violations, and unlike other ongoing biometric privacy litigation, the L.A. Tan dispute did not involve jurisdictional or choice or law issues or statutory construction debates about whether BIPA’s definition of “biometric identifier” or “biometric information” applies to social media photo tagging functions. As fingerprints are expressly included in definition of “biometric identifier,” the salient legal issues in the dispute appeared to be whether or not L.A. Tan complied with the statute, to what extent L.A. Tan could be liable for alleged BIPA violations of its franchisees (interestingly, the Settlement’s definition of “Released Parties” expressly excludes all L.A. Tan franchisees), and any potential class certification issues. It should be noted that the allegations against L.A. Tan did not involve any misuse, unauthorized access or breach of members’ biometric data.
This case and settlement should be reviewed by all businesses with a presence in, or customers from, Illinois, to the extent such businesses collect fingerprint or other biometric data.