Even though Washington passed its own biometric privacy law last month (HB 1493), and other states are currently debating their own bills, Illinois’s Biometric Information Privacy Act (BIPA) is still the crux of biometric and facial recognition privacy-related litigation. Such suits have typically involved social media services, video game makers or businesses that collect biometric data to authenticate customers. In a slight twist, on May 11, 2017, a putative class of employees filed suit against Roundy’s Supermarkets alleging violations of BIPA surrounding the collection and retention of employees’ fingerprints – as opposed to using last century’s analog time cards, Roundy’s requires employees to scan their fingers each time they clock “in” and “out” of their work shifts to verify their identities. In the suit, plaintiffs claim that Roundy’s failed to offer notice and obtain written consent prior to capturing employees’ fingerprints, or post a retention policy about how long the company stores the biometric data. (See Baron v. Roundy’s Supermarkets, Inc., No. 17-03588 (N.D. Ill. filed May 11, 2017)). Continue Reading
Screen scraping is a problem that has vexed website owners since the early days of e-commerce – how to make valuable content available to users and customers, but prevent competitors from accessing such content for commercial purposes. Even in the advent of social media, mobile commerce, and advanced software, the issue remains relevant to today’s companies, as evidenced by the craigslist’s victory this past week against an aggregator that had formerly scraped its user postings.
An ongoing dispute from this past winter that we have been watching has raised these long-standing issues anew.
Heritage Auctions, a major auction house that specializes in rare coins, entertainment memorabilia and natural historical items, has brought a multi-count suit against Christie’s, alleging that its competitor scraped millions of proprietary and copyrighted photos and listings from Heritage’s website and reposted them on its own subscriber-only auction site Collectrium. (Heritage Capital Corp. v. Christie’s, Inc., No. 16-03404 (N.D. Tex. filed Dec. 9, 2016)). Plaintiffs claim that Collectrium removed copyright notices from the original listings and photos and ported the data onto its own site, thereby saving significant costs from producing similar listings or paying licensing fees and allegedly causing harm to Heritage in additional IT-related costs and diverted or lost business. Continue Reading
The blockchain or “distributed ledger network” was originally conceived as the peer-to-peer technology platform that allows for the transfer of Bitcoin without the need for a trusted intermediary. However, the blockchain protocol is being implemented across many industries and in many applications beyond digital currencies. Of course, there are questions about the enforceability of blockchain-based transactions and related, self-executing “smart contracts.”
Late last month, Arizona Governor Doug Ducey signed HB 2417 into law. This law clarifies some of the enforceability issues associated with the use of blockchain and smart contracts under Arizona law, in particular with respect to transactions relating to the sale of goods, leases, and documents of title governed respectively under UCC Articles 2, 2A and 7. Continue Reading
The blockchain protocol (a form of a ‘distributed ledger system’) was originally designed as a platform to process Bitcoin transactions. The protocol enables peer-to-peer transactions and eliminates the need for a trusted intermediary to verify and process the transactions.
The blockchain protocol as a platform is actually independent of Bitcoin, and is therefore transferable to other applications. Naturally, because blockchain was conceived of as supporting a specific digital payment system, the initial and most obvious use of the blockchain outside of Bitcoin is “fintech” – technology-based payment and financial transaction systems. The goal of recent experimentation and development in fintech is to reduce inefficiencies in the existing payments, clearance and settlement systems. Conceivably, many of these functions could be conducted through a “smart contract” – a completely automated process, executed via a software application that runs “on chain.” In pursuit of these goals, many in the financial services area have made significant investments in research, development, and pilot programs, in many cases through coalitions or in partnership with large technology companies as well as with blockchain-focused startup companies.
Beyond fintech, however, blockchain offers many other opportunities. The digital values that are tracked and processed through a blockchain implementation can represent any other type of information or assets. This capability has evoked the early development of new applications and technological developments involving many industries beyond financial services. Continue Reading
Update: On March 9, 2016, Google filed a motion requesting the court certify an interlocutory appeal. In particular, Google contends that the following question satisfies the statutory criteria: whether the term “biometric identifier,” as defined in Illinois Biometric Privacy Act, includes information derived from photographs.
We’ve closely followed the numerous biometric privacy disputes and legislative developments surrounding the Illinois Biometric Information Privacy Act (BIPA), which precludes the unauthorized collection and storing of some types of biometric data. In the latest ruling, an Illinois district court refused to dismiss a putative class action alleging that the cloud-based Google Photos service violated BIPA by automatically uploading plaintiffs’ mobile photos and allegedly scanning them to create unique face templates (or “faceprints”) for subsequent photo-tagging without consent. (Rivera v. Google, Inc., No. 16-02714 (N.D. Ill. Feb. 27, 2017)).
This is the third instance where a district court refused, at an early stage of a litigation, to dismiss BIPA claims relating to the online collection of facial templates for photo-tagging purposes. Unlike those prior courts’ relatively cursory interpretations, however, the Rivera court’s expansive 30-page opinion is the deepest dive yet into the statutory scheme (and purported vagaries) of the Illinois statute. The decision is the latest must-read for mobile or online services that collect and store biometric data from users as to what extent their activities might fall under the Illinois biometric privacy statute. It may well turn out that the plaintiffs’ claims in Rivera (as well as the ongoing biometric privacy litigation going on in California) may prove unsuccessful on procedural or statutory grounds, yet, these initial takes on the scope of BIPA stress the importance of examining current practices and rollouts of new services that feature biometrics. Continue Reading
We’ve written extensively about the numerous lawsuits, dismissals and settlements surrounding the Illinois Biometric Information Privacy Act (BIPA). The statute, generally speaking, prohibits an entity from collecting, capturing, purchasing, or otherwise obtaining a person’s “biometric identifier” or “biometric information,” unless it satisfies certain notice and consent and data retention requirements. The statute contains defined terms and limitations, and parties in ongoing suits are currently litigating what “biometric identifiers” and “biometric information” mean under the statute and whether the collection of facial templates from uploaded photographs using sophisticated facial recognition technology fits within the ambit of the statute. Moreover, in two instances in the past six months, a district court has dismissed a lawsuit alleging procedural and technical violations of the Illinois biometric privacy statute for lack of Article III standing.
Thus, the epicenter of biometric privacy compliance and litigation has been the Illinois statute. A Texas biometric statute offers similar protections, but does not contain a private right of action.
The biometrics landscape may be about to get more complicated. An amendment has been proposed to the Illinois biometric privacy, and a number of biometric privacy bills mostly resembling BIPA have been introduced in other state legislatures. While most of the new proposed statutes are roughly consistent with the Illinois statute, as noted below, the Washington state proposal is, in many ways, very different. If any or all of these bills are enacted, they will further shape and define the legal landscape for biometrics. Continue Reading
For the second time in the past six months, a district court has dismissed a lawsuit alleging procedural and technical violations of the Illinois biometric privacy statute for lack of Article III standing. In Vigil v. Take-Two Interactive Software, Inc., No. 15-8211 (S.D.N.Y. Jan. 27, 2017), the court dismissed Illinois biometric privacy claims against a videogame maker related to a feature in the NBA 2K videogame series that allows users to scan their faces and create a personalized virtual avatar for in-game play. In a lengthy opinion, the New York court provided Take-Two with a resounding victory when it ruled that procedural violations of the notice and consent provisions of the Illinois biometric privacy statute are not in-of-themselves sufficient to confer standing.
Biometric technology such as facial recognition, iris scans, or fingerprint authentication is being used and further developed to improve the security of financial and other sensitive transactions. At the same time, social media sites, mobile apps, videogame developers and others are employing biometrics for other cutting edge uses to improve services. The current Vigil ruling is particularly important, however, as it may buoy companies that collect biometric data under reasonable notice and usage policies, as they hope that the approval applied in Vigil is affirmed, if appealed, and followed in other jurisdictions.
A service provider seeking to take advantage of certain of the safe harbors under the Digital Millennium Copyright Act (DMCA) is required to designate an agent to receive takedown notices. The service provider is required to post the DMCA agent’s contact information on its website and to provide such information to the Copyright Office. On November 1, 2016, the U.S. Copyright Office, pursuant to its authority under 17 U.S.C. §512(c)(2), issued a final rule (codified at 37 C.F.R. § 201.38) establishing a new electronic system to designate agents to receive takedown notifications under the DMCA. Service providers that previously designated an agent with the Copyright Office via a paper filing will have until December 31, 2017 to submit new registrations through the electronic system or lose their safe harbor protection. It is extremely important that all service providers who rely on DMCA safe harbors are aware of, and comply with the requirements of, this new rule.
The new rule became effective on December 1, 2016, the date that the new online DMCA agent registration system and directory was launched, replacing the paper-based system implemented through the interim regulations adopted in 1998. Since December 1, 2016, the Office no longer accepts paper designations of DMCA designated agents.
Earlier this month, an Illinois state court approved a $1.5 million settlement in a class action against L.A. Tan Enterprises, Inc., operator (directly and through franchisees) of L.A. Tan tanning salons. The settlement resolved allegations that L.A. Tan violated the Illinois Biometric Information Privacy Act (BIPA) by collecting Illinois members’ fingerprints for verification during check-in without complying with BIPA’s notice and consent requirements. (See Sekura v. L.A. Tan Enterprises, Inc., No. 2015-CH-16694 (Ill. Cir. Ct. Cook Cty. First Amended Class Complaint filed Apr. 8, 2016)). Under the settlement, approximately 37,000 class members who had their fingerprints scanned at a L.A. Tan location in Illinois between a specified three-year period (Nov. 13, 2013 to August 11, 2016) will receive a pro rata share of the settlement. Moreover, L.A. Tan agreed to comply with BIPA in the future and ensure the compliance of its franchisees. Continue Reading