In January 2019, we reported on the Illinois Supreme Court’s decision, Rosenbach v. Six Flags Entertainment Corp., where the highest court in Illinois unanimously found that an individual need not allege (or show) an actual injury to qualify as an “aggrieved” person under Illinois’s Biometric Information Privacy Act (BIPA). This decision opened the floodgates for additional class action litigation under this Illinois statute.
Then, last week, in Patel v. Facebook (a case that was originally filed in Illinois but later transferred to the Northern District of California, where Facebook is headquartered), the Ninth Circuit ruled that an Illinois class of Facebook users can proceed in their class action lawsuit against Facebook over its use of facial recognition technology. Specifically, the Ninth Circuit panel answered in the affirmative the question of whether the mere collection of an individual’s biometric data in violation of BIPA was sufficient to establish standing in federal courts. In order to have standing, a plaintiff need only show she has suffered an invasion of a “legally protected interest that is concrete and actual or imminent, not conjectural or hypothetical.”
No actual damages from a company’s failure to comply with BIPA? The Ninth Circuit confirmed that is no hurdle to proceeding in a class action trial. Like the plaintiff in Rosenbach, the plaintiff contended that violation of the requirements of obtaining written consent and establishing a compliant retention schedule resulted in an actual injury. Facebook, on the other hand, argued that these were only procedural violations and did not amount to “an injury of a concrete interest.”
The Ninth Circuit was not persuaded by the defendant’s argument. The three-judge panel concluded that since BIPA provisions were established to protect the plaintiffs’ privacy rights, which “encompassed an individual’s control of information concerning his or her person,” Facebook’s development of a face template using facial recognition technology without consent served as an invasion of private affairs and affected concrete interests. Plaintiffs had advanced injury to their substantive privacy rights, not just complained about procedural failures.
Because BIPA provides for fines between $1,000 and $5,000 per violation, the ruling exposes Facebook to a potentially massive class action judgment. It is reasonable to expect that Facebook will seek an en banc review of this decision—and that this is not the last petition for review of this holding.
For other companies, the Ninth Circuit decision, like Rosenbach, serves as yet another reminder that BIPA impacts every company that uses, controls or collects biometric data. For employers, this means reviewing, auditing and updating practices regarding the use of your employees’ biometric data. All companies with an Illinois presence should be reviewing policies and protocols regarding the use of biometric data. We continue to recommend the following:
- Establish and make public (for example, post on the company’s website) a written policy that addresses the purpose(s) of biometric data use, how it will be collected, and how it will be stored.
- Be prepared to address any requests for reasonable accommodations based on disability, religious, or other reasons.
- If biometric data might leave a closed system, ensure that proper safeguards are in place, including contractual liability shifting.
- Ensure that employees whose biometric data is used acknowledge the policy, and authorize its use and collection in writing.
- Train supervisors on the company’s policies and practices to ensure consistency.
- Have biometric data systems audited to ensure that data is not exposed to the public or vulnerable to a systems breach.
- Consult with competent counsel to ensure that policies and practices comply with relevant law.