Biometric Technology: Putting a Finger on the Problem


Niya T. McCray, CIPP/US
An Overview
Biometric technology has revolutionized the way clients conduct business, how consumers interact with products, and ultimately, how lawyers are able to provide counsel.  Biometric data, as defined by the National Institute of Standards and Technology, is the measurement of physiological characteristics like fingerprints, iris patterns, or facial features used to identify an individual.[i]  Biometric technology has become so commonplace in our daily lives that we often take for granted its presence when unlocking our phones—fingerprint and facial recognition—or yelling at Siri/Alexa to change the channel or remind us of a task to complete later—voice recognition.   There is a swell in the number of entities who incorporate biometric data into their daily operations as tools to streamline their systems, prevent timekeeping fraud, and improve the strength and integrity of operational security.

Biometric Legislation
As convenient and familiar as biometrics has become, its presence is no greater felt than in the flood of legislation and litigation arising from concerns over how this non-traditional data should be managed.  The legislative horizon is murky, to say the least.  However, a few states—Illinois, Washington, and Texas—have blazed the trail, creating comprehensive biometric data privacy legislation.  As it stands, the states have taken dual approaches.  Some, like Delaware, New Jersey and North Carolina have amended existing breach notification laws to include biometric data under sensitive personal information; whereas, others, like Alaska, Montana, and Connecticut, believe that biometric data warrants its own unique legislation.

Illinois’ Biometric Information Privacy Act (BIPA), the first of its kind, was passed in 2008.[ii]  The hallmark of BIPA is its private right of action, which has caused grief for defendants both in and out of Illinois. Texas[iii] and Washington[iv] have both followed in Illinois’ footsteps, carving out their own biometric statutes.  Unlike Illinois, though, Texas and Washington bypassed the private right of action, instead choosing to leave potential suits to the discretion of the state Attorney Generals.

Biometric Litigation
From early September 2017 through December 2017, droves of entities—over fifty that we know of—were affected by the filing of class action suits claiming violations of Illinois’ BIPA.[v]  The majority of suits were brought by employees alleging that the implementation of fingerprint scanning to streamline employer timekeeping systems violated BIPA’s notice, consent, and disclosure requirements.  A few suits were instituted by consumers against commercial entities, alleging that similar biometric data—ranging from fingerprints to facial scans—were collected during transactions in contravention of BIPA’s safeguards.

However, in a surprising turn of events, a December ruling from the Illinois Appellate Court chilled the breadth of plaintiffs’ rights relative to BIPA’s private cause of action.  In Rosenbach v. Six Flags Entertainment Corp.,[vi]—currently on appeal to the Illinois Supreme Court—the plaintiff alleged that defendant failed to obtain verifiable written consent and to disclose its policies for the collection, retention, and destruction of consumer biometric data—fingerprints—in connection with season pass purchases.[vii]  The plaintiff, however, did not allege any actual injury, but rather claimed that if she had known of the defendant’s practices, she would not have allowed her son to purchase the season pass.  The Appellate Court honed in on the “aggrieved by” language in BIPA’s remedy provision, Section 20, noting that BIPA was silent as to the meaning of “aggrieved,” and looked to the plain meaning of the term.  Based on such plain meaning, the Illinois court held that an “aggrieved” plaintiff under BIPA must do more than allege a technical violation of the Act.

BIPA requires that there be “an actual injury, adverse effect, or harm.”[viii]  So, a defendant’s failure to provide notice or obtain consent from a plaintiff prior to the collection of biometric identifiers, by itself, was not enough to meet the “aggrieved” standard under the Act.  While the Rosenbach ruling is not dispositive of the future of pending BIPA suits, it does suggest that plaintiffs may slow their rush to the courthouse in favor of more creative litigation strategies that meet the “aggrieved” standard as clarified in the case.

Although Rosenbach is still being determined, In re: Facebook Biometric Information Privacy Litigation & Gullen v. Facebook Inc.,[ix] sheds additional light on the scope and extraterritorial reach of BIPA.[x]  Specifically, Plaintiffs, both users and non-users of the Facebook platform, alleged that Facebook did not obtain “written, informed consent” for using facial recognition software to suggest “tagging” options to friends.[xi]  Facebook, in an attempt to defeat class certification, argued that because its servers were not located in Illinois, BIPA could not be applied to the Plaintiffs’ claims.  The Court explained that where “the named plaintiffs [were] located in Illinois along with all of the proposed class members, and the claims [were] based on the application of Illinois law to use of Facebook mainly in Illinois… the case [was] properly governed by Illinois law pursuant to California choice of law principles.”[xii]  In practice, the Facebook case proves that despite BIPA’s lack of an extraterritorial reach, it can still transcend borders where Illinois citizens have been harmed.

Litigation Preparedness
Given that biometrics is now a permanent technological staple, legal counsel for clients in affected industries should start to consider how best to protect their clients from potential litigation. Specifically, counsel should chart out potential defenses, including the scope and reach of any applicable biometric and data privacy statutes.  Also, counsel should thoroughly any possible jurisdictional issues, choice of law arguments, and standing merit.  Going forward, both counsel and clients would do well to determine the types of personal information being collected, keeping an eye on the methods and stated policies for storage, retention, and destruction thereof.  Moreover, clients, regardless of their sector or industry, should maintain a through log of all service providers and vendors and seek advice of counsel to determine whether their respective contracts include data privacy provisions.

Following this initial mapping of a data security framework, both lawyer and client, alike, should be looking to next steps.  The strongest protection from potential litigation is a meticulously developed, plainly articulated written policy regarding an organization’s security plan.  The value of internal privacy training and the need to regularly conduct privacy risk assessments should not be lost on clients. Effective counsel will ensure clients have a data response plan to successfully eliminate confusion in the event of a breach.  Less is more when it comes to data collection; however, effective preparation and a thorough data security and response plan will help clients reduce the likelihood of incident and litigation.



[i].          Nat’l Inst. Standards & Tech., U.S. Dept. Commerce, Biometrics, NIST, https://www.nist.gov/programs-projects/biometrics (last updated July 11, 2018).
[ii].          740 Ill. Comp. Stat. 14/10 (2008).
[iii].         Tex. Bus. & Com. Code Ann. § 503.001 (West 2015).
[iv].         Wash. Rev. Code Ann. § 40.26.020 (West 2017).
[v].      Fox Rothschild, LLP, Measuring the Impact of the Illinois Biometric Information Privacy Act, Fox Rothschild:  Data Privacy Blog (June 21, 2018), https://dataprivacy.foxrothschild.com/2018/06/articles/data-protection-law-compliance/the-illinois-biometric-information-privacy-act/.
[vi].          Rosenbach v. Six Flags Entertainment Corp., 2017 IL App (2d) 170317, 2017 WL 6523910 (Ill. App. Ct. 2017).
[vii].          Id. at *1.
[viii].         Id. at *3.
[ix].            In re Facebook Biometric Info. Privacy Litig., No.: 3:15-CV-03747-JD, (N.D. Cal. 2016).
[x].             Id. at *8.
[xi].            Id. at *1.
[xii].           Id. at *8.

A Potential Shift in Tide: Is the Sunshine State Leading the Charge Towards a Tighter Grip on Association Boards ?


Scheherazade Ferrand

While the condominium as a form of property ownership within the United States was a relatively novel concept during its’ inception, unfortunately, the existence of abuse within this market has not been.[1]  Since the late 1950s, when condominium legislation was first introduced within the United States,[2] individual states have used state amendments to take their condominium legislation within their own separate directions.[3]  Florida, being one of the first states to welcome condominiums with great popularity,[4] has seen its’ own fair share of confusion with its’ Condominium Act.[5]  After a history of continued revision, the legislature has recently adopted an amendment, HB 1237,[6] geared towards ending much of the corruption and fraud which has seemingly accompanied this semi-communal form of property ownership.[7] 
            Within the world of condominiums and homeowner associations, there are roughly three powerful layers of legal direction guiding unit owners, association board members, and developers.[8]  These include existing judicial rules, state statutes, and constitutions.[9]  This article focuses on the effect that existing state statutes —and the state agencies charged with enforcing these statutes— have on these groups, and proposes an adoption of the Florida Legislatures recent legal changes by states across the country. 
            The many complaints heard throughout the State of Florida have led to legislative action and a potential shift which, if furthered and replicated within other states, appears to have the ability to finally develop a legal equilibrium amongst the many competing factions within the United States condominium market.[10]  Florida’s recently passed legislation, HB 1237, hints that a shift towards tougher enforcement of condominium issues on a more local level, through the use of prosecutors, may be exactly what the doctor prescribed to cure the ills of condo corruption within the State of Florida.[11]  This new piece of legislation addresses the concern of election fraud seen throughout the state[12], owner access to condominium documents[13], and existing conflicts of interest while also attaching a possible criminal penalty for violations.[14] 
            To conclude, while property ownership has been typically viewed as distinctly local in nature, there are certain concerns which have seemingly found themselves in most of the United States.  Much of these problems with vexatious litigation, election fraud, and self-dealing have for the most part seemingly gone unabated.  In addressing many of these concerns it appears that the Florida Legislature has taken a giant leap in the right direction, in terms of consumer protection, with the recent passage of HB 1237.  Given that many states throughout the United States have faced similar complaints and looming concerns within this sector, it appears rational for states to begin to follow the shift taken by the Florida Legislature. 



                  [1].               Walter Rugaber, Few States Protect Condominium Buyers, N.Y. Times (June 16, 1974), http://www.nytimes.com/1974/06/16/archives/few-states-protect-condominium-buyers-only-a-few-states-have-real.html; See Evan McKenzie, Privatopia:  Homeowner Associations and the Rise of Residential Private Government 108-09 (1994).
                  [2].               Donna S. Bennett, Condominium Homeownership in the United States: A Selected Annotated Bibliography of Legal Sources, 103:2 L. Libr. J. 249, 255 (2011).  
                  [3].               Rugaber, supra note 1.
                  [4].               Id.
                  [5].               See Joseph E. Adams, Community Associations: 1998 Survey of Florida Law, 23 Nova L. Rev. 65, 66 (1998).
                  [6].               See Joseph E. Adams, Survey of Florida Law:  Community Associations:  1996 Survey of Florida Law, 21 Nova L. Rev. 69, 70 (1996). Additionally, HB 1237 has also at times been used interchangeably with SB 1682.  See Fla. CS for CS for HB 1237 (2017) (proposed Fla. Stat. § 718.111); See also Fla. CS for CS for SB 1682 (2017) (proposed Fla. Stat. § 718.111).  Both Bills were generated simultaneously within both the Florida House and Senate, ultimately passing with unanimous approval after a little revision. Id.
                  [7].               See also Adams, supra note 5.
                  [8].               Brian L. Weakland, Condominium Associations:  Living under the Due Process Shadow, 13 Pepp. L. Rev. 297, 298 (1986).
                  [9].               Id. at 298–99.
                  [10].            Brenda Medina, Bad Condo Boards, Beware: Legislature Passes New Laws Unanimously, Miami Herald (May 1, 2017), http://www.miamiherald.com/news/business/real-estate-news/article147952959.html; C.M. Guerrero, Crack Down on Condo Abuses, Miami Herald (Mar. 20, 2016, 1:00 PM), http://www.miamiherald.com/opinion/editorials/article67241137.html.  
                  [11].            Ch. 2017-188, 2017 Fla. Laws at 1–3
                  [12].            Id.
                  [13].            Id. at 7–9.
                  [14].            Id. at 2.