Last December, we noted the continuing robust wave of Illinois biometric privacy suits. At that time, dozens of suits had been filed in Illinois state court against Illinois-based employers and other businesses alleging violation of Illinois’s Biometric Information Privacy Act (BIPA), which generally regulates the collection, retention, and disclosure of personal biometric identifiers and biometric information, and encourages businesses that collect such personal data to employ reasonable safeguards. More and more BIPA actions against employers and businesses based upon alleged violations of the notice and consent provisions of the statute continue to be filed, even as the Illinois Supreme Court considers the appeal of the Rosenbach decision. In that case, the Illinois Supreme Court will presumably answer the question of whether a person “aggrieved” by a violation of BIPA must allege some injury or harm beyond a procedural violation. The ruling will certainly have an effect on the pending lawsuits alleging mere procedural BIPA violations.
Beyond the myriad of BIPA-related lawsuits against employers that used biometric timekeeping devices to track employees clocking in and out, and the suits against social media companies for photo tagging or similar functions, some recent lawsuits have been filed against companies that use biometrics as part of their core products and services.
One example is a recent case which addresses BIPA in connection with IoT-enabled devices. In Komorski v. U-Tec Group Inc., No. 2018-CH-11884 (Ill. Cir. Ct., Cook Cty filed Sept. 20, 2018), the plaintiff brought suit against U-Tec Group Inc., a company that manufactures biometric-enabled “keyless” door locks, alleging that U-Tec’s technology required users to upload, store and transmit their fingerprints to open the smart door locks without U-Tec first obtaining the proper notice and consent and without informing users of U-Tec’s data retention policy. Moreover, the plaintiff also claimed that U-Tec did not obtain consent to transmit plaintiff’s biometrics to third party data storage and equipment vendors.
Also, in a pair of similar complaints filed this past summer, BIPA allegation were asserted against companies using biometrics to verify the identity of their customers. In Glynn v. eDriving LLC, No. 2018-CH-7116 (Ill. Cir. Ct., Cook Cty filed June 5, 2018) (subsequently removed to the Northern District of Illinois, No. 18-cv-04645)), the plaintiffs’ alleged that an online driving education provider’s capture and storage of student voiceprints was in violation of BIPA’s notice and disclosure requirements. In Viot v. Prometric LLC, No. 2018-CH-08512 (Ill. Cir. Ct., Cook Cty filed July 9, 2018, an educational testing company was alleged to have violated BIPA when it used biometric devices to collect fingerprints to authenticate the identity of test takers to prevent cheating and impersonation.
Some clarification of the legal landscape in this area may arrive, but it may take time. While the Illinois legislature introduced a bill back in February that, among other things, would have placed limits on BIPA suits against employers for biometric collection for HR and security purposes, legislators subsequently proposed several amendments that would have significantly narrowed BIPA’s reach in other ways, prompting the bill to be re-referred back to the Senate Assignment Committee (where it has languished since April). We will also have to wait for the Illinois Supreme Court’s decision in Rosenbach to interpret questions surrounding statutory standing under BIPA (though, even a pro-defendant ruling affirming the appellate court may not be a cure-all for the wave of suits, as we discuss in a companion blog post). Regardless, to the extent a business activity involves the collection and use of biometric information, it is prudent to understand the requirements of BIPA as well as other state or federal laws that may be relevant.