Last December, we noted the continuing robust wave of Illinois biometric privacy suits. At that time, dozens of suits had been filed in Illinois state court against Illinois-based employers and other businesses alleging violation of Illinois’s Biometric Information Privacy Act (BIPA), which generally regulates the collection, retention, and disclosure of personal biometric identifiers and biometric information, and encourages businesses that collect such personal data to employ reasonable safeguards. More and more BIPA actions against employers and businesses based upon alleged violations of the notice and consent provisions of the statute continue to be filed, even as the Illinois Supreme Court considers the appeal of the Rosenbach decision. In that case, the Illinois Supreme Court will presumably answer the question of whether a person “aggrieved” by a violation of BIPA must allege some injury or harm beyond a procedural violation. The ruling will certainly have an effect on the pending lawsuits alleging mere procedural BIPA violations.
Biometrics
Illinois Appellate Court Reinstates Biometric Privacy Action, Finding Potential Harm in Alleged Disclosure of Fingerprint to Outside Vendor
Late last month, an Illinois appellate court reversed a lower court’s dismissal of biometric privacy claims against a tanning salon franchisee that had collected the plaintiff’s fingerprint to allow entry in its own salon and any L.A. Tan salon location nationwide. (Sekura v. Krishna Schaumburg Tan, Inc., 2018 IL App (1st) 180175 (Ill. App. Sept. 28, 2018)). The plaintiff alleged that the tanning salon violated the Biometric Information Privacy Act (BIPA), which regulates the collection, retention, and disclosure of personal biometric identifiers and biometric information, by collecting her fingerprints without obtaining the required written release and providing the required disclosure concerning its retention policy, and further by disclosing her fingerprints to a third-party vendor. [Note: In 2016, in a separate suit, the same plaintiff settled BIPA claims with L.A. Tan Enterprises, Inc., operator (directly and through franchisees) of L.A. Tan tanning salons].
Illinois Biometric Privacy Suit over Employee Fingerprinting Remanded for Lack of Standing
An Illinois district court remanded to state court for lack of standing a biometric privacy suit brought by employees over the collection and storage of individuals’ fingerprints allegedly in violation of the Illinois Biometric Information Privacy Act, 740 ILCS 14/1 (“BIPA”). (Aguilar v. Rexnord, LLC, No. 17 CV 9019 (N.D. Ill. July 3, 2018)). This decision echoes other recent rulings where federal courts have found a lack of Article III standing in disputes where employees claimed procedural violations of BIPA over the knowing collection of fingerprints for timekeeping purposes, absent any claims of wrongful sharing or disclosure. See e.g., Howe v. Speedway LLC, No. 17-07303 (N.D. Ill. May 31, 2018) (even if failing to provide certain disclosures and obtain his written authorization prior to collecting and storing plaintiff’s fingerprints may constitute a violation of BIPA, such procedural violations did not cause an injury in fact where the employee was aware of the nature and purpose of collection); Goings v. UGN, Inc., No. 17-9340 (N.D. Ill. June 13, 2018) (remanding BIPA claims for lack of Article III standing because claims were too abstract and employee was aware he was providing fingerprint data to his employers and did not claim any non-consensual disclosure of such data).
Illinois Biometric Privacy Suit Survives Dismissal Based on Harm from Alleged Disclosure of Data to Outside Vendor
Last December, an Illinois appellate court, in the Rosenbach v. Six Flags decision (2017 IL App (2d) 170317 (Dec. 21, 2017)), dismissed biometric privacy claims lodged against theme park operators for collecting fingerprints to authenticate season-pass holders allegedly in violation of the notice and consent provisions of Illinois’s Biometric Information Privacy Act (BIPA), which regulates the collection, retention, and disclosure of personal biometric identifiers and biometric information. BIPA expressly provides that “any person aggrieved by a violation” of the BIPA may pursue money damages and injunctive relief against the offending party. In interpreting what “aggrieved” means under BIPA, the Rosenbach court ruled that a “person aggrieved by a violation of [the] Act” must allege some harm (“[A] plaintiff who alleges only a technical violation of the statute without alleging some injury or adverse effect is not an aggrieved person under…the Act”). While federal courts have weighed in on whether litigants have Article III standing when asserting mere procedural violations of BIPA’s consent and data retention requirements, it was not clear if such procedural violations, without any showing of harm or data misuse, were actionable under the statute. Rosenbach was the first time an Illinois appellate court weighed in on the meaning of an “aggrieved” party under BIPA.
Following Rosenbach, we speculated whether the decision would curb the wave of BIPA class actions asserting procedural violations filed against employers and businesses that used biometrics to authenticate employees or customers; the answer to that question remains in flux, with subsequent rulings falling both ways. For example, at least two Illinois trial courts followed Rosenbach in dismissing BIPA claims, though without intensive analysis of the issue. See: Rottner v. Palm Beach Tan, Inc., No. 15-CH-16695 (Ill. Cir. Ct. Mar. 2, 2018) (bound by Rosenbach‘s holding that neither liquidated damages nor injunctive relief is authorized under BIPA when the only injury alleged is a statutory violation; court stated that plaintiff allowed defendants to scan her fingerprint and there had been no publication of plaintiffs private information to sustain injury to a privacy right); Sekura v. Krishna Schaumburg Tan, Inc., No. 16-CH-04945 (Ill. Cir. Ct. Jan. 16, 2018) (brief order dismissing claims “[f]or the reasons outlined in Rosenbach”) (on appeal).
However, the recent California district court ruling in the Facebook biometric privacy litigation parted company with a reading of Rosenbach that would require a litigant to show an “actual” injury beyond the invasion of privacy rights outlined under BIPA and instead ruled that the plaintiffs had “sufficiently alleged” an intangible injury to a privacy right to be “aggrieved” under BIPA. It should be noted that the California court did look differently at Rosenbach and other cases involving voluntary fingerprinting where individuals knew that their biometric data would be collected before they accepted services as opposed to the social media photo tagging situation where such plaintiffs allege that they were not put on adequate notice that biometric data could be collected from uploaded photos.
This past month, in a notable ruling, an Illinois district court followed Rosenbach yet still declined to dismiss a suit brought by a former employee who asserted BIPA and negligence claims, among others, against a senior living center (“Defendant” or “Smith”) and its time clock vendor over the scanning of her fingerprints onto an employee biometric timekeeping device. (Dixon v. The Washington and Jane Smith Community – Beverly, No. 17-8033 (N.D. Ill. May 31, 2018)). Specifically, the complaint alleged that Smith required new employees to have their fingerprints scanned by the defendant Kronos’s fingerprint scanner and entered into a database so employees could be authenticated when clocking in and out. According to the plaintiff, Smith, among other things, failed to give adequate notice or obtain written consent before colleting her fingerprints, or post a biometric data retention policy. Moreover – and really the allegation that pushed the complaint over the line – plaintiff claimed that, in addition to collecting and storing her biometric information, Smith also “systematically disclosed” that information to Kronos, the out-of-state, third-party vendor of Smith’s biometric time clocks, without informing her that it was doing so.
A Busy Month in the Facebook Photo Tagging Biometric Privacy Dispute
As discussed in past posts about the long-running Facebook biometric privacy class action, users are challenging Facebook’s “Tag Suggestions” program, which scans for and identifies people in uploaded photographs for photo tagging. The class alleges that Facebook collected and stored their biometric data without prior notice or consent in violation of the Illinois Biometric Information Privacy Act (BIPA), 740 Ill. Comp. Stat. 14/1 et seq. While other technology companies face BIPA actions over photo tagging functions, In Re Facebook is the headliner of sorts for BIPA litigation, being the most closely-watched and fully-litigated.
There have been a host of new developments in this case as the parties continued to joust when the prospect of a trial was looming. Earlier this month, a California district court denied both parties’ motions for summary judgment and found that a “multitude of factual disputes” barred judgment as a matter of law for either side. (In re Facebook Biometric Information Privacy Litig., No. 15-03747 (N.D. Cal. May 14, 2018)). The court’s prior orders over the past several years provide the context for the denial of summary judgment and the court’s refusal to revisit procedural rulings. See: In re Facebook Biometric Info. Privacy Litig., 185 F. Supp. 3d 1155 (N.D. Cal. 2016) (declining to enforce California choice of law provision in user agreement and applying Illinois law and refusing to find that the text of BIPA excludes from its scope all information involving photographs); Patel v. Facebook Inc., 290 F. Supp. 3d 948 (N.D. Cal. 2018) (declining to dismiss based on lack of Article III standing); In re Facebook Biometric Info. Privacy Litig., No. 15-03747, 2018 WL 1794295 (N.D. Cal. Apr. 16, 2018) (certifying Illinois user class and refusing Facebook’s renewed arguments to dismiss on procedural grounds).
Illinois Considering Amendments to Biometric Privacy Law (BIPA) That Would Create Major Exemptions to Its Scope
We have written before about the issues presented by the Illinois Biometric Information Privacy Act, 740 Ill. Comp Stat. 14/1 (“BIPA”). BIPA is still the only state biometric privacy statute with a private right of action. It has garnered national attention and become the epicenter of biometrics-based litigation, with dozens of cases pending alleging violations of the statute (defendants include employers of all types, social media platforms, service providers, and many other businesses that interact with Illinois residents). Just as the privacy concerns surrounding the collection and storage of biometric data have come into sharper focus with more and more companies employing such technologies for digital authentication, security and other uses, the litigation surrounding BIPA has garnered much controversy and the legislature has previously been called upon to amend the statute to limit its reach. The Illinois legislature is now considering a bill (SB3053) that would fundamentally alter the privacy protections under BIPA
Facebook Granted Dismissal of Biometric Privacy Claims Brought by “Non-Users”
UPDATE: On June 14, 2019, the Ninth Circuit, in an unpublished two-page decision, affirmed the lower court’s dismissal of the case.
This week, the District Court for the Northern District of California dismissed the Gullen putative class action asserting Illinois biometric privacy claims brought by “non-users” based on evidence that…
California Court Declines to Dismiss Illinois Facial Recognition/Biometric Privacy Suit against Facebook on Standing Grounds
UPDATE: On March 2, 2018, in a related biometric privacy litigation surrounding Tag Suggestions brought by non-users of Facebook, a California district court in a brief order declined to dismiss the action for lack of standing, citing its reasoning in the Patel opinion. (Gullen v. Facebook, Inc., No. 16-00937 (N.D. Cal. Mar. 2, 2018)). While Facebook offered evidence that it does not store faceprint data on non-users, but only analyzes it to see if there is a match, the court stated such substantive arguments are best left for summary judgment or trial. Note: the Gullen case is related to the consolidated Facebook biometric privacy litigation and as such, is being heard before the same judge. The difference between the two actions is that Gullen involves non-Facebook users, whereas the plaintiffs in In re Facebook are registered users.
This past week, a California district court again declined Facebook’s motion to dismiss an ongoing litigation involving claims under the Illinois Biometric Information Privacy Act, 740 Ill. Comp Stat. 14/1 (“BIPA”), surrounding Tag Suggestions, its facial recognition-based system of photo tagging. In 2016, the court declined to dismiss the action based upon, among other things, Facebook’s contention that BIPA categorically excludes digital photographs from its scope. This time around, the court declined to dismiss the plaintiffs’ complaint for lack of standing under the Supreme Court’s 2016 Spokeo decision on the ground that plaintiffs have failed to allege a concrete injury in fact. (Patel v. Facebook, Inc., No. 15-03747 (N.D. Cal. Feb. 26, 2018) (cases consolidated at In re Facebook Biometric Information Privacy Litig., No. 15-03747 (N.D. Cal.)). As a result, Facebook will be forced to continue to litigate this action.
This dispute is being closely watched as there are a number of similar pending BIPA suits relating to biometrics and facial recognition and other defendants are looking at which of Facebook’s defenses might hold sway with a court.
Google App Disables Art-Selfie Biometric Comparison Tool in Illinois and Texas
We have been closely following the legal and legislative developments relating to biometric privacy, and in particular, the flow of litigation under the Illinois biometrics privacy law. It was interesting to see how the Illinois law (as well as a similar Texas law) influenced Google’s offering of a new facial recognition feature on the Google Arts & Culture app. (It is also interesting to note that the media coverage of the app has made the Illinois and Texas laws subjects of mainstream discourse.)
The Google Arts & Culture app, which was originally released a couple years ago, offers users virtual tours of museums and a searchable database of other art-related content. What recently made it one of the hottest free apps is a new entertaining tool that compares a selfie to a database of great works of art and presents the results that most closely match the user’s face. [Note: My classical art doppelgänger is “Portrait of a Gentleman in Red” by Rosalba Carriera. What’s yours?]. However, out of an apparent abundance of caution, Google has disabled this art-twinning function in Illinois and Texas, presumably because those states have biometric privacy laws that regulate the collection and use of biometric identifiers like facial templates; while the Texas statute can only be enforced by the state attorney general, Illinois’s Biometric Information Privacy Act (BIPA) contains a private right of action and remedies that include statutory damages. Interestingly, Washington users are able to access this tool, despite Washington having enacted its own biometric privacy law last year. Perhaps that is because, as described in the referenced blog post, compliance under the Washington statute is less demanding than under the Illinois or Texas statutes.
Litigants Alleging Procedural Violations of Illinois Biometric Privacy Statute (BIPA) Are Not “Aggrieved” Parties That May Seek Legal Remedies
As 2017 drew to an end, we noted the continuing flood of Illinois biometric privacy suits filed over the past year. There are literally dozens of cases pending, most in Illinois state courts, alleging violation of Illinois’s Biometric Information Privacy Act (BIPA), which regulates the collection, retention, and disclosure of personal biometric identifiers and biometric information. The suits initially targeted the use of biometrics on social media platforms, but, perhaps reflecting the increased use of biometrics in the workplace, have increasingly been asserted against businesses that collect biometric data to authenticate customers or employees.
While federal courts have weighed in on whether litigants have standing for asserting procedural violations of BIPA, it was not clear if mere procedural violations of BIPA’s consent and data retention requirements, without any showing of actual harm or data misuse, were actionable under the statute (i.e., whether persons pleading procedural violations are “aggrieved” under the statute, as BIPA expressly provides that “any person aggrieved by a violation” of the BIPA may pursue money damages and injunctive relief against the offending party).
As the year came to a close, an Illinois appellate court may have cooled the New Year’s Eve celebrations of BIPA class action lawyers a bit, as the court issued a decision which could provide defendants with a shield against BIPA suits. The court ruled that if a party alleges only a technical violation of BIPA without alleging any injury or adverse effect, then such a party is not “aggrieved” under the Act and may not seek remedies (i.e., monetary damages or injunctive relief). (Rosenbach v. Six Flags Entertainment Corp., No. 2-17-0317, 2017 IL App (2d) 170317 (Ill. App. Dec. 21, 2017)).