Jackson Lewis Class Action Trends Report 2022: Biometric Privacy
Legal landmines continue to lurk for companies that collect, store, and use individuals’ biometric information. Class action cases continue to be filed against companies under the Illinois Biometric Information Privacy Act (BIPA). BIPA carries with it the potential for actual damages or statutory liquidated damages of $1,000 for each negligent violation and $5,000 for each reckless or intentional violation, plus attorneys’ fees and costs, and injunctive relief.
A wave of BIPA class action complaints have been brought against companies in recent years, and 2021 was no exception. Further, in 2021, plaintiffs’ attorneys expanded the types of BIPA cases they are bringing beyond just claims involving the use of alleged biometric time clocks. Cases involving all sorts of alleged biometric technology, including multiple cases involving consumers instead of (or in addition to) employees, have been filed. What constitutes a “violation” of the BIPA has not yet been settled by the courts, and it is expected to be a hotly contested issue.
State and federal courts issued several important BIPA decisions in 2021:
Standing. In a January decision, the Seventh Circuit ruled a federal court lacked standing to consider a class action BIPA case where the plaintiffs (in a deliberate strategy to keep their case in state court) did not allege they suffered concrete harm as a result of the alleged violation of the statute. The initial complaint alleged violations of three provisions of the BIPA against a company that developed a facial recognition program that “scrapes” photographs from social media sites, harvests the data, and stores the information in a database that users (typically law enforcement agencies) pay to access. After the defendant removed the case to federal court, the plaintiff voluntarily dismissed the suit and filed a new, narrower complaint in state court, asserting only a “bare procedural violation” of BIPA Section 15(c), which prohibits a private entity in possession of customer biometric information from profiting from that information. Once again, the defendant removed the case to the federal court, but this time the plaintiff filed a motion to remand, noting the complaint alleged a violation “divorced from any concrete harm.” The federal court concluded it lacked standing and remanded the suit to state court. The appeals court affirmed.
An essential element of Article III standing is that the plaintiff suffered an injury in fact that is concrete, particularized, and actual or imminent, but the plaintiffs conceded they suffered no such injury. “It is no secret to anyone that [plaintiffs] took care in their allegations, and especially in the scope of the proposed class they would like to represent, to steer clear of federal court,” the appeals court observed. “But in general, plaintiffs may do this .... And here, they may take advantage of the fact that Illinois permits BIPA cases that allege bare statutory violations, without any further need to allege or show injury.”
Labor preemption. In September, the Seventh Circuit affirmed dismissal of BIPA claims brought by a unionized employee. It extended an earlier holding in which it found BIPA claims are preempted by the Railway Labor Act and concluded BIPA claims of unionized employees are similarly preempted by the Labor Management Relations Act. The Seventh Circuit reaffirmed that, where resolution of a plaintiff’s BIPA claim depends on interpretation of a collective bargaining agreement, the claim is preempted by federal labor law.
Claim accrual. In December, the Illinois Appellate Court for the First Judicial District held that BIPA claims accrue at “each and every capture” of an individual’s biometric data, rejecting an argument from the defendant that a BIPA claim accrues the first time it collected the plaintiff’s alleged biometric data. However, as detailed below, the issue of when BIPA claims accrue will be decided by the Illinois Supreme Court in a pending matter.
Workers comp law does not preempt BIPA
The Illinois Supreme Court has ruled that the Illinois Workers’ Compensation Act does not preempt BIPA claims brought by employees against their employers, deciding this open question with finality and dashing hopes that the state high court’s long-awaited decision might help to rein in the onslaught of BIPA actions by Illinois-based employees. A detailed analysis of the recent decision can be found here.
BIPA settlements. In 2021, BIPA cases settled in the six-, seven-, eight-, and even nine-figure ranges, even in cases where there have been no allegations that the plaintiffs’ biometric data was hacked or improperly accessed by a nefarious third party.
In the past year, a federal court in California approved a $615 million settlement in a BIPA class action against a social media company that allegedly collected users’ facial geometry without following the requirements of the BIPA. A federal judge in Illinois also granted preliminary approval of a $92 million settlement involving alleged violations of the BIPA against another social media company. In that case, the plaintiffs alleged the defendant had been “surreptitiously harvesting and profiting from [their] private information, including their biometric data, geolocation information, personally identifiable information, and unpublished digital recordings.”
These settlements, among many others, reflect both the magnitude of possible liability under the BIPA and the reach of the statute.
Employers not yet subject to biometric privacy laws in the jurisdictions where they operate should nevertheless consider adopting notice and consent practices as a best practice given the proliferation of biometric privacy laws across the country.
Pending decisions. Several closely watched BIPA appeals await decisions from various appellate courts in 2022. These decisions may dramatically shape the course of biometric privacy litigation in Illinois.
Claim accrual. On December 20, the Seventh Circuit issued a decision certifying to the Illinois Supreme Court the question of whether claims under 15(b) and 15(d) of the BIPA “accrue each time a private entity scans a person’s biometric identifier and each time a private entity transmits such a scan to a third party, respectively, or only upon the first scan and first transmission.” The federal appeals court further invited the Illinois Supreme Court to consider the related question of “whether every unauthorized fingerprint scan amounts to a separate violation of the statute.” The Illinois Supreme Court accepted the certified question on December 23.
Workers’ compensation preemption. The Illinois Supreme Court also is set to decide whether BIPA claims brought by employees against their employers are preempted by the Illinois Workers’ Compensation Act. Previously, the Illinois Appellate Court for the First Judicial District rejected an employer’s contention that the plaintiff’s BIPA claim was barred by the exclusivity provisions of the Workers’ Compensation Act. However, the Illinois Supreme Court decided to take the appeal and is poised to decide this issue with finality. The state high court heard oral arguments in September, and a decision is expected to be imminent.
Other laws enacted. Other states have biometric privacy laws, including Texas and Washington. Legislation similar to the Illinois BIPA, which creates a private right of action, is pending in several state legislatures, including New York. Also, a number of states have added biometric information to the categories of personal data that require notification under their respective breach notification laws. Local governments have begun to regulate the use of biometric technologies as well. In 2021, Baltimore and New York City joined Portland in prohibiting the use of facial recognition technology or requiring notice prior to collection of biometric data. Additional states and municipalities can be expected to adopt biometric privacy measures as the expanding use of biometric technology coincides with a sharp rise in public wariness about privacy risks.
The best defense...
Employers not yet subject to biometric privacy laws in the jurisdictions where they operate should nevertheless consider adopting notice and consent practices as a best practice given the proliferation of biometric privacy laws across the country. Further, for companies that operate in Illinois, even if the organization has created a strategy for BIPA compliance, it is important to periodically review time management, point of purchase, physical security, or other systems that may obtain, use, or disclose biometric identifiers or biometric information against the requirements under the BIPA, particularly as the case law continues to develop.