Tag Archives: BIPA

Facebook Facing Massive Class Action Trial: Ninth Circuit Rules BIPA Class Action Can Proceed

By Carlos Arévalo and Molly Arranz, August 12, 2019


In January 2019, we reported on the Illinois Supreme Court’s decision, Rosenbach v. Six Flags Entertainment Corp., where the highest court in Illinois unanimously found that an individual need not allege (or show) an actual injury to qualify as an “aggrieved” person under Illinois’s Biometric Information Privacy Act (BIPA). This decision opened the floodgates for additional class action litigation under this Illinois statute.

Then, last week, in Patel v. Facebook (a case that was originally filed in Illinois but later transferred to the Northern District of California, where Facebook is headquartered), the Ninth Circuit ruled that an Illinois class of Facebook users can proceed in their class action lawsuit against Facebook over its use of facial recognition technology. Specifically, the Ninth Circuit panel answered in the affirmative the question of whether the mere collection of an individual’s biometric data in violation of BIPA was sufficient to establish standing in federal courts. In order to have standing, a plaintiff need only show she has suffered an invasion of a “legally protected interest that is concrete and actual or imminent, not conjectural or hypothetical.”

No actual damages from a company’s failure to comply with BIPA? The Ninth Circuit confirmed that is no hurdle to proceeding in a class action trial. Like the plaintiff in Rosenbach, the plaintiff contended that violation of the requirements of obtaining written consent and establishing a compliant retention schedule resulted in an actual injury. On the other hand, Facebook advanced that these were only procedural violations and did not amount to “an injury of a concrete interest.” 

The Ninth Circuit was not persuaded by the defendant’s argument. The three-judge panel concluded that since BIPA provisions were established to protect the plaintiffs’ privacy rights, which “encompassed an individual’s control of information concerning his or her person,” Facebook’s development of a face template using facial recognition technology without consent served as an invasion of private affairs and affected concrete interests. Plaintiffs had advanced injury to their substantive privacy rights, not just complained about procedural failures.

Because BIPA provides for fines between $1,000 and $5,000 per violation, the ruling exposes Facebook to a potentially massive class action judgment. It is reasonable to expect that Facebook will seek an en banc review of this decision—and that this is not the last petition for review of this holding.

For other companies, the Ninth Circuit decision, like Rosenbach, serves as yet another reminder that BIPA impacts every company that uses, controls or collects biometric data. For employers, this means reviewing, auditing and updating practices regarding the use of your employees’ biometric data. All companies with an Illinois presence should be reviewing policies and protocols regarding the use of biometric data. We continue to recommend the following:

  1. Establish and make public (for example, post on the company’s website) a written policy that addresses the purpose(s) of biometric data use, how it will be collected, and how it will be stored.
  2. Be prepared to address any requests for reasonable accommodations based on disability, religious, or other reasons.
  3. If biometric data might leave a closed system, ensure that proper safeguards are in place, including contractual liability shifting.
  4. Ensure that employees whose biometric data is used acknowledge the policy, and authorize its use and collection in writing.
  5. Train supervisors on the company’s policies and practices to ensure consistency.
  6. Have biometric data systems audited to ensure that data is not open to the public or a systems breach.
  7. Consult with competent counsel to ensure that policies and practices comply with relevant law.

Illinois Supreme Court to Decide Biometric Privacy Case

Contributed by Carlos Arévalo, November 27, 2018

In October of 2017, we first reported on the filing of a class action suit by a group of Chicago-area employees where plaintiffs alleged that their employer’s use of worker fingerprints for time-tracking purposes violates the Illinois Biometric Information Privacy Act (BIPA). Specifically, the employees claimed that their employer failed to properly inform them in writing of the specific purpose for which their fingerprints were being collected and the length of time their fingerprints would be stored. Plaintiffs also claimed the employer failed to obtain written consent before obtaining fingerprints.

Then, this past June, we reported on a federal court’s decision finding that despite no concrete damage, an employee (and her putative class) might have a triable cause of action for violating her privacy and right to control her biometric data. The allegations in this case also included a failure to inform the specific purpose of collection and failing to obtain written authorization for the collection of biometric data.

On November 20, 2018, the Illinois Supreme Court heard oral arguments in Rosenbach v. Six Flags Entertainment Corp., a case specifically addressing BIPA. While Rosenbach is not an employment case (it concerns a patron’s access to Six Flags), it nevertheless involves the issue of whether collection of biometric data alone triggers statutory damages even if the plaintiff has not claimed actual harm. The lower appellate court in Rosenbach found that alleging only technical violations of the notice and consent provisions of the statute is not tantamount to alleging an adverse effect or harm. Thus, how the Illinois Supreme Court rules in the next few months is bound to have a significant impact on Illinois employers and potentially elsewhere in the country.

In the meantime, to avoid and/or minimize any BIPA issues or potential liability, we continue to recommend that employers take the following steps:

    1. Establish a written policy that addresses the purpose(s) of biometric data use, how it will be collected, and how it will be stored.
    2. Be prepared to address any requests for reasonable accommodations based on disability, religious, or other reasons.
    3. If biometric data might leave a closed system, ensure that proper safeguards are in place, including contractual liability shifting.
    4. Ensure that employees whose biometric data is used acknowledge the policy, and authorize its use and collection.
    5. Train supervisors on the company’s policies and practices to ensure consistency.
    6. Have biometric data systems audited to ensure that data is not open to the public or a systems breach.
    7. Finally, consult with competent employment counsel to ensure that policies and practices comply with relevant law.

 

Illinois Employer Faces Class Action for Using Fingerprints to Track Attendance

Contributed by Suzanne Newcomb, October 5, 2017


Technology allowing employers to use biometric data tools to track attendance and maintain worksite security abounds. Purveyors hype the advanced technology’s ability to accurately validate time entries, eliminate fraud, and better control access to the workplace or to sensitive areas within the workplace. If these systems are so readily available, it must be legal for employers to use them, right? As with seemingly everything involving HR and the workplace, it depends.

Last week, a group of Chicago-area employees filed a class action suit, alleging their employer’s use of worker fingerprints for time-tracking purposes violates the state’s biometric information privacy law. Specifically, the employees claimed that their employer failed to:

  • Properly inform them in writing of the specific purpose for which their fingerprints were being collected and the length of time their fingerprints would be stored and used;
  • Provide a publicly available retention schedule and guidelines for permanently destroying their fingerprints; and
  • Obtain their written consent before obtaining fingerprints.

In 2008, Illinois became the first state to explicitly regulate the use of “biometric identifiers,” which it defines as a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry and their derivatives, regardless of how that information is captured, converted, stored, or shared. 740 ILCS 14/10. The Illinois Biometric Information Privacy Act (BIPA) applies broadly to any individual or entity other than the government, and therefore encompasses all private-sector employers operating within the state.

Illinois Biometrics Legislation Sets Trend

Until recently, Illinois and Texas were the only states with laws addressing biometrics. However, a new wave of high-exposure litigation under BIPA has had an impact on other states’ decisions to introduce legislation on the matter. Many states, including Illinois, have data breach notification laws that cover biometric information, as well as other sensitive personal information.

Employers operating exclusively in jurisdictions that have not regulated the use of biometric information specifically could still face breach of privacy or negligence claims if their employees’ biometric information is compromised.

Tips for Employers

Due to the growing number of data breaches, employers are encouraged to ensure they have protocols in place to safeguard all of the personal information they possess, particularly biometric information.

Whether you are thinking about adopting and using biometric data or have already implemented this technology, it is vital that employers take the following steps before collecting any biometric data to ensure their use complies with the growing regulation in this area:

  1. Assemble a team of experienced legal, cyber-security, and data-breach experts prior to selecting or implementing any technology that uses biometrics. Involve this team in vetting potential vendors, negotiating the terms of vendor contracts, and developing protocols.
  2. Carefully draft policies and procedures to safeguard and properly destroy biometric information, as well as protocols in case of a breach. Ensure those policies, procedures, and protocols (and those of your outside vendors) comply with all applicable laws, including notice and disclosure requirements.
  3. Clearly disclose to your employees, in writing, your intent to collect and use biometric information, the ways the information will be used, the means by which the information will be collected, maintained, and eventually destroyed, as well as the safeguards the company has put in place to secure this information.
  4. Obtain each employee’s informed written consent prior to collecting any biometric information. Consider good faith objections and requests for accommodation and analyze and address those requests in accordance with all applicable laws.
  5. Continue to monitor changing federal, state and local regulations in this area.