Even though Washington passed its own biometric privacy law last month (HB 1493), and other states are currently debating their own bills, Illinois’s Biometric Information Privacy Act (BIPA) is still the crux of biometric and facial recognition privacy-related litigation.  Such suits have typically involved social media services, video game makers or businesses that collect biometric data to authenticate customers.  In a slight twist, on May 11, 2017, a putative class of employees filed suit against Roundy’s Supermarkets alleging violations of BIPA surrounding the collection and retention of employees’ fingerprints – as opposed to using last century’s analog time cards, Roundy’s requires employees to scan their fingers each time they clock “in” and “out” of their work shifts to verify their identities.  In the suit, plaintiffs claim that Roundy’s failed to offer notice and obtain written consent prior to capturing employees’ fingerprints, or post a retention policy about how long the company stores the biometric data. (See Baron v. Roundy’s Supermarkets, Inc., No. 17-03588 (N.D. Ill. filed May 11, 2017)).

Generally speaking, under BIPA an entity cannot collect, capture, purchase, or otherwise obtain a person’s “biometric identifier” or “biometric information,” unless it first:

  • informs the subject in writing that a biometric identifier is being collected;
  • informs the subject in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and
  • receives a written release executed by the subject. Under the statute, “written release” means “informed written consent or, in the context of employment, a release executed by an employee as a condition of employment.”

BIPA also requires private entities to “store, transmit, and protect from disclosure all biometric identifiers and biometric information using the reasonable standard of care within the private entity’s industry,” and to treat such identifiers and information as they would other sensitive and confidential information. Notably, the statute provides for a private right of action, and potential awards of $1,000 in statutory damages for each negligent violation ($5,000 for each intentional or reckless violation), as well as injunctive relief and attorney’s fees.

In the complaint, plaintiffs specifically assert that Roundy’s has not: (1) informed its employees in writing that biometric information is being recorded and stored, (2) notified employees about the specific purpose and length of term for which biometric information is being collected and used, or (3) obtained employees’ written consent (or executed written release as a condition of employment) to the collection and storage of their biometric information.  According to the complaint, Roundy’s imposed the biometric timekeeping system upon the named plaintiff after plaintiff had begun working at the supermarket, and not as a condition of employment. The plaintiffs also claim that Roundy’s has not publicly posted its retention schedule and guidelines for destruction of the employees’ biometric data.   Plaintiffs seek statutory damages under the Act for the defendant’s alleged negligent violations of BIPA and an order requiring Roundy’s to comply with BIPA and otherwise make the proper public disclosures about its biometric retention and collection policies, including its standard of care used to secure such sensitive data.  The defendant’s Answer is due at the end of the month.

Unlike other ongoing biometric privacy litigation, the Roundy’s dispute does not, at first blush, appear to involve jurisdictional issues or statutory construction debates about whether BIPA’s definition of “biometric identifier” or “biometric information” applies to the data at issue. As fingerprints are expressly included in definition of “biometric identifier,” the pertinent legal issues in the dispute appear to center on whether Roundy’s complied with BIPA.  Perhaps relevant, it will be interesting to see if the defendant offer any evidence of employment agreements which may have provided some form of notice about their biometric data collection practices with respect to timekeeping for employees.  Most importantly, however, the court will have to determine whether a procedural violation of the statute’s notice and consent provisions (absent any allegations of wrongful misuse or disclosure) is enough to plead a concrete harm and establish that plaintiffs have Article III standing.  It should be noted that earlier this year, a New York district court dismissed BIPA claims against a videogame maker based upon bare procedural violations of the statute and no allegations of any data mishandling, holding that: “The alleged failure to give the plaintiffs more extensive notice and consent is not a material risk to a concrete BIPA interest where no material risk of biometric data misuse ever materialized.”

We will continue to watch this dispute closely and monitor developments in biometric privacy and technology, including other ongoing litigation and pending legislative efforts in other states.

Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Jeffrey Neuburger Jeffrey Neuburger

Jeffrey Neuburger is co-head of Proskauer’s Technology, Media & Telecommunications Group, head of the Firm’s Blockchain Group and a member of the Firm’s Privacy & Cybersecurity Group.

Jeff’s practice focuses on technology, media and intellectual property-related transactions, counseling and dispute resolution. That expertise…

Jeffrey Neuburger is co-head of Proskauer’s Technology, Media & Telecommunications Group, head of the Firm’s Blockchain Group and a member of the Firm’s Privacy & Cybersecurity Group.

Jeff’s practice focuses on technology, media and intellectual property-related transactions, counseling and dispute resolution. That expertise, combined with his professional experience at General Electric and academic experience in computer science, makes him a leader in the field.

As one of the architects of the technology law discipline, Jeff continues to lead on a range of business-critical transactions involving the use of emerging technology and distribution methods. For example, Jeff has become one of the foremost private practice lawyers in the country for the implementation of blockchain-based technology solutions, helping clients in a wide variety of industries capture the business opportunities presented by the rapid evolution of blockchain. He is a member of the New York State Bar Association’s Task Force on Emerging Digital Finance and Currency.

Jeff counsels on a variety of e-commerce, social media and advertising matters; represents many organizations in large infrastructure-related projects, such as outsourcing, technology acquisitions, cloud computing initiatives and related services agreements; advises on the implementation of biometric technology; and represents clients on a wide range of data aggregation, privacy and data security matters. In addition, Jeff assists clients on a wide range of issues related to intellectual property and publishing matters in the context of both technology-based applications and traditional media.