Last December, we noted the continuing robust wave of Illinois biometric privacy suits.  At that time, dozens of suits had been filed in Illinois state court against Illinois-based employers and other businesses alleging violation of Illinois’s Biometric Information Privacy Act (BIPA), which generally regulates the collection, retention, and disclosure of personal biometric identifiers and biometric information, and encourages businesses that collect such personal data to employ reasonable safeguards.  More and more BIPA actions against employers and businesses based upon alleged violations of the notice and consent provisions of the statute continue to be filed, even as the Illinois Supreme Court considers the appeal of the Rosenbach decision.  In that case, the Illinois Supreme Court will presumably answer the question of whether a person “aggrieved” by a violation of BIPA must allege some injury or harm beyond a procedural violation.  The ruling will certainly have an effect on the pending lawsuits alleging mere procedural BIPA violations.

Beyond the myriad of BIPA-related lawsuits against employers that used biometric timekeeping devices to track employees clocking in and out, and the suits against social media companies for photo tagging or similar functions, some recent lawsuits have been filed against companies that use biometrics as part of their core products and services.

One example is a recent case which addresses BIPA in connection with IoT-enabled devices.  In Komorski v. U-Tec Group Inc., No. 2018-CH-11884 (Ill. Cir. Ct., Cook Cty filed Sept. 20, 2018), the plaintiff brought suit against U-Tec Group Inc., a company that manufactures biometric-enabled “keyless” door locks, alleging that U-Tec’s technology required users to upload, store and transmit their fingerprints to open the smart door locks without U-Tec first obtaining the proper notice and consent and without informing users of U-Tec’s data retention policy.  Moreover, the plaintiff also claimed that U-Tec did not obtain consent to transmit plaintiff’s biometrics to third party data storage and equipment vendors.

Also, in a pair of similar complaints filed this past summer, BIPA allegation were asserted against companies using biometrics to verify the identity of their customers. In Glynn v. eDriving LLC, No. 2018-CH-7116 (Ill. Cir. Ct., Cook Cty filed June 5, 2018) (subsequently removed to the Northern District of Illinois, No. 18-cv-04645)), the plaintiffs’ alleged that an online driving education provider’s capture and storage of student voiceprints was in violation of BIPA’s notice and disclosure requirements. In Viot v. Prometric LLC, No. 2018-CH-08512 (Ill. Cir. Ct., Cook Cty filed July 9, 2018, an educational testing company was alleged to have violated BIPA when it used biometric devices to collect fingerprints to authenticate the identity of test takers to prevent cheating and impersonation.

Some clarification of the legal landscape in this area may arrive, but it may take time. While the Illinois legislature introduced a bill back in February that, among other things, would have placed limits on BIPA suits against employers for biometric collection for HR and security purposes, legislators subsequently proposed several amendments that would have significantly narrowed BIPA’s reach in other ways, prompting the bill to be re-referred back to the Senate Assignment Committee (where it has languished since April).  We will also have to wait for the Illinois Supreme Court’s decision in Rosenbach to interpret questions surrounding statutory standing under BIPA (though, even a pro-defendant ruling affirming the appellate court may not be a cure-all for the wave of suits, as we discuss in a companion blog post). Regardless, to the extent a business activity involves the collection and use of biometric information, it is prudent to understand the requirements of BIPA as well as other state or federal laws that may be relevant.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Jeffrey Neuburger Jeffrey Neuburger

Jeffrey Neuburger is co-head of Proskauer’s Technology, Media & Telecommunications Group, head of the Firm’s Blockchain Group and a member of the Firm’s Privacy & Cybersecurity Group.

Jeff’s practice focuses on technology, media and intellectual property-related transactions, counseling and dispute resolution. That expertise…

Jeffrey Neuburger is co-head of Proskauer’s Technology, Media & Telecommunications Group, head of the Firm’s Blockchain Group and a member of the Firm’s Privacy & Cybersecurity Group.

Jeff’s practice focuses on technology, media and intellectual property-related transactions, counseling and dispute resolution. That expertise, combined with his professional experience at General Electric and academic experience in computer science, makes him a leader in the field.

As one of the architects of the technology law discipline, Jeff continues to lead on a range of business-critical transactions involving the use of emerging technology and distribution methods. For example, Jeff has become one of the foremost private practice lawyers in the country for the implementation of blockchain-based technology solutions, helping clients in a wide variety of industries capture the business opportunities presented by the rapid evolution of blockchain. He is a member of the New York State Bar Association’s Task Force on Emerging Digital Finance and Currency.

Jeff counsels on a variety of e-commerce, social media and advertising matters; represents many organizations in large infrastructure-related projects, such as outsourcing, technology acquisitions, cloud computing initiatives and related services agreements; advises on the implementation of biometric technology; and represents clients on a wide range of data aggregation, privacy and data security matters. In addition, Jeff assists clients on a wide range of issues related to intellectual property and publishing matters in the context of both technology-based applications and traditional media.