Niya T. McCray, CIPP/US
Biometric technology has revolutionized the way clients conduct business, how consumers interact with products, and ultimately, how lawyers are able to provide counsel. Biometric data, as defined by the National Institute of Standards and Technology, is the measurement of physiological characteristics like fingerprints, iris patterns, or facial features used to identify an individual.[i] Biometric technology has become so commonplace in our daily lives that we often take for granted its presence when unlocking our phones—fingerprint and facial recognition—or yelling at Siri/Alexa to change the channel or remind us of a task to complete later—voice recognition. There is a swell in the number of entities that incorporate biometric data into their daily operations as tools to streamline their systems, prevent timekeeping fraud, and improve the strength and integrity of operational security.
As convenient and familiar as biometrics has become, its presence is nowhere more strongly felt than in the flood of legislation and litigation arising from concerns over how this non-traditional data should be managed. The legislative horizon is murky, to say the least. However, a few states—Illinois, Washington, and Texas—have blazed the trail, creating comprehensive biometric data privacy legislation. As it stands, the states have taken two approaches. Some, like Delaware, New Jersey, and North Carolina, have amended existing breach notification laws to include biometric data under sensitive personal information; whereas others, like Alaska, Montana, and Connecticut, believe that biometric data warrants its own unique legislation.
Illinois’ Biometric Information Privacy Act (BIPA), the first of its kind, was passed in 2008.[ii] The hallmark of BIPA is its private right of action, which has caused grief for defendants both in and out of Illinois. Texas[iii] and Washington[iv] have both followed in Illinois’ footsteps, carving out their own biometric statutes. Unlike Illinois, though, Texas and Washington bypassed the private right of action, instead choosing to leave potential suits to the discretion of the state Attorneys General.
From early September 2017 through December 2017, droves of entities—over fifty that we know of—were affected by the filing of class action suits claiming violations of Illinois’ BIPA.[v] The majority of suits were brought by employees alleging that the implementation of fingerprint scanning to streamline employer timekeeping systems violated BIPA’s notice, consent, and disclosure requirements. A few suits were instituted by consumers against commercial entities, alleging that similar biometric data—ranging from fingerprints to facial scans—were collected during transactions in contravention of BIPA’s safeguards.
However, in a surprising turn of events, a December ruling from the Illinois Appellate Court chilled the breadth of plaintiffs’ rights relative to BIPA’s private cause of action. In Rosenbach v. Six Flags Entertainment Corp.[vi]—currently on appeal to the Illinois Supreme Court—the plaintiff alleged that the defendant failed to obtain verifiable written consent and to disclose its policies for the collection, retention, and destruction of consumer biometric data—fingerprints—in connection with season pass purchases.[vii] The plaintiff, however, did not allege any actual injury, but rather claimed that if she had known of the defendant’s practices, she would not have allowed her son to purchase the season pass. The Appellate Court homed in on the “aggrieved by” language in BIPA’s remedy provision, Section 20, noting that BIPA was silent as to the meaning of “aggrieved,” and looked to the plain meaning of the term. Based on that plain meaning, the Illinois court held that an “aggrieved” plaintiff under BIPA must do more than allege a technical violation of the Act.
BIPA requires that there be “an actual injury, adverse effect, or harm.”[viii] So, a defendant’s failure to provide notice or obtain consent from a plaintiff prior to the collection of biometric identifiers, by itself, was not enough to meet the “aggrieved” standard under the Act. While the Rosenbach ruling is not dispositive of the future of pending BIPA suits, it does suggest that plaintiffs may slow their rush to the courthouse in favor of more creative litigation strategies that meet the “aggrieved” standard as clarified in the case.
Although Rosenbach is still pending, In re: Facebook Biometric Information Privacy Litigation & Gullen v. Facebook Inc.[ix] sheds additional light on the scope and extraterritorial reach of BIPA.[x] Specifically, the plaintiffs, both users and non-users of the Facebook platform, alleged that Facebook did not obtain “written, informed consent” for using facial recognition software to suggest “tagging” options to friends.[xi] Facebook, in an attempt to defeat class certification, argued that because its servers were not located in Illinois, BIPA could not be applied to the plaintiffs’ claims. The Court explained that where “the named plaintiffs [were] located in Illinois along with all of the proposed class members, and the claims [were] based on the application of Illinois law to use of Facebook mainly in Illinois… the case [was] properly governed by Illinois law pursuant to California choice of law principles.”[xii] In practice, the Facebook case shows that despite BIPA’s lack of an express extraterritorial reach, it can still transcend borders where Illinois citizens have been harmed.
Given that biometrics is now a permanent technological staple, legal counsel for clients in affected industries should start to consider how best to protect their clients from potential litigation. Specifically, counsel should chart out potential defenses, including the scope and reach of any applicable biometric and data privacy statutes. Counsel should also thoroughly analyze any possible jurisdictional issues, choice of law arguments, and the merits of standing arguments. Going forward, both counsel and clients would do well to determine the types of personal information being collected, keeping an eye on the methods and stated policies for storage, retention, and destruction thereof. Moreover, clients, regardless of their sector or industry, should maintain a thorough log of all service providers and vendors and seek the advice of counsel to determine whether their respective contracts include data privacy provisions.
Following this initial mapping of a data security framework, lawyer and client alike should be looking to next steps. The strongest protection from potential litigation is a meticulously developed, plainly articulated written policy regarding an organization’s security plan. The value of internal privacy training and the need to regularly conduct privacy risk assessments should not be lost on clients. Effective counsel will ensure clients have a data response plan that eliminates confusion in the event of a breach. Less is more when it comes to data collection; beyond that, effective preparation and a thorough data security and response plan will help clients reduce the likelihood of both an incident and litigation.
[i]. Nat’l Inst. Standards & Tech., U.S. Dept. Commerce, Biometrics, NIST, https://www.nist.gov/programs-projects/biometrics (last updated July 11, 2018).
[ii]. 740 Ill. Comp. Stat. 14/10 (2008).
[iii]. Tex. Bus. & Com. Code Ann. § 503.001 (West 2015).
[iv]. Wash. Rev. Code Ann. § 40.26.020 (West 2017).
[v]. Fox Rothschild, LLP, Measuring the Impact of the Illinois Biometric Information Privacy Act, Fox Rothschild: Data Privacy Blog (June 21, 2018), https://dataprivacy.foxrothschild.com/2018/06/articles/data-protection-law-compliance/the-illinois-biometric-information-privacy-act/.
[vi]. Rosenbach v. Six Flags Entertainment Corp., 2017 IL App (2d) 170317, 2017 WL 6523910 (Ill. App. Ct. 2017).
[vii]. Id. at *1.
[viii]. Id. at *3.
[ix]. In re Facebook Biometric Info. Privacy Litig., No. 3:15-cv-03747-JD (N.D. Cal. 2016).
[x]. Id. at *8.
[xi]. Id. at *1.
[xii]. Id. at *8.