Earlier this month, an Illinois state court approved a $1.5 million settlement in a class action against L.A. Tan Enterprises, Inc., operator (directly and through franchisees) of L.A. Tan tanning salons.  The settlement resolved allegations that L.A. Tan violated the Illinois Biometric Information Privacy Act (BIPA) by collecting Illinois members’ fingerprints for verification during check-in without complying with BIPA’s notice and consent requirements. (See Sekura v. L.A. Tan Enterprises, Inc., No. 2015-CH-16694 (Ill. Cir. Ct. Cook Cty. First Amended Class Complaint filed Apr. 8, 2016)).   Under the settlement, approximately 37,000 class members who had their fingerprints scanned at a L.A. Tan location in Illinois between a specified three-year period (Nov. 13, 2013 to August 11, 2016) will receive a pro rata share of the settlement. Moreover, L.A. Tan agreed to comply with BIPA in the future and ensure the compliance of its franchisees.

Unlike other facilities that issue membership cards or fobs for individuals to present at check-in, L.A. Tan salons reportedly collected members’ fingerprints and stored them in a company-wide database to enable check-in at any national location.  Beyond alleged violations for such fingerprint collection without proper consent, the Complaint asserted that L.A. Tan salons violated BIPA by disclosing member fingerprints to an out-of-state third party vendor without first obtaining member consent.  In addition, the Complaint claims that L.A. Tan failed to provide members with a written data retention policy that disclosed guidelines for permanently destroying its customers’ fingerprints when the initial purpose for collecting their fingerprints was no longer relevant, as required by BIPA.  A retention schedule and policy may be especially relevant, the Complaint suggests, since there would be uncertainty about the disposition of a member’s fingerprint data in the event his or her local L.A. Tan salon went out of business.

Generally speaking, under BIPA an entity cannot collect, capture, purchase, or otherwise obtain a person’s “biometric identifier” or “biometric information,” unless it first:

  • (1) informs the subject in writing that a biometric identifier is being collected;
  • (2) informs the subject in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and
  • (3) receives a written release executed by the subject.

Notably, BIPA provides for a private right of action, and potential awards of $1,000 in statutory damages for each negligent violation ($5,000 for each intentional or reckless violation), as well as injunctive relief and attorney’s fees. The statute contains defined terms and limitations, and parties in other suits are currently litigating what “biometric identifiers” and “biometric information” mean under the statute and whether the collection of facial templates from uploaded photographs using sophisticated facial recognition technology fits within the ambit of the statute.

This is one of the few reported settlements for BIPA violations, and unlike other ongoing biometric privacy litigation, the L.A. Tan dispute did not involve jurisdictional or choice or law issues or statutory construction debates about whether BIPA’s definition of “biometric identifier” or “biometric information” applies to social media photo tagging functions. As fingerprints are expressly included in definition of “biometric identifier,” the salient legal issues in the dispute appeared to be whether or not L.A. Tan complied with the statute, to what extent L.A. Tan could be liable for alleged BIPA violations of its franchisees (interestingly, the Settlement’s definition of “Released Parties” expressly excludes all L.A. Tan franchisees), and any potential class certification issues.  It should be noted that the allegations against L.A. Tan did not involve any misuse, unauthorized access or breach of members’ biometric data.

This case and settlement should be reviewed by all businesses with a presence in, or customers from, Illinois, to the extent such businesses collect fingerprint or other biometric data.

We will continue to monitor developments in biometric privacy litigation, including the important Facebook litigation still ongoing in California.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Jeffrey Neuburger Jeffrey Neuburger

Jeffrey Neuburger is co-head of Proskauer’s Technology, Media & Telecommunications Group, head of the Firm’s Blockchain Group and a member of the Firm’s Privacy & Cybersecurity Group.

Jeff’s practice focuses on technology, media and intellectual property-related transactions, counseling and dispute resolution. That expertise…

Jeffrey Neuburger is co-head of Proskauer’s Technology, Media & Telecommunications Group, head of the Firm’s Blockchain Group and a member of the Firm’s Privacy & Cybersecurity Group.

Jeff’s practice focuses on technology, media and intellectual property-related transactions, counseling and dispute resolution. That expertise, combined with his professional experience at General Electric and academic experience in computer science, makes him a leader in the field.

As one of the architects of the technology law discipline, Jeff continues to lead on a range of business-critical transactions involving the use of emerging technology and distribution methods. For example, Jeff has become one of the foremost private practice lawyers in the country for the implementation of blockchain-based technology solutions, helping clients in a wide variety of industries capture the business opportunities presented by the rapid evolution of blockchain. He is a member of the New York State Bar Association’s Task Force on Emerging Digital Finance and Currency.

Jeff counsels on a variety of e-commerce, social media and advertising matters; represents many organizations in large infrastructure-related projects, such as outsourcing, technology acquisitions, cloud computing initiatives and related services agreements; advises on the implementation of biometric technology; and represents clients on a wide range of data aggregation, privacy and data security matters. In addition, Jeff assists clients on a wide range of issues related to intellectual property and publishing matters in the context of both technology-based applications and traditional media.