Fear of new technology sometimes creates strange legislative results and perhaps unintended consequences.
In 2008, Illinois passed the Biometric Information Privacy Act (BIPA), designed to protect employees and consumers against perceived abuses associated with the collection of bio metric data by businesses and providing a statutory cause of action for its violation.
Fearing how such technology might be used and worried about the privacy implications of how data might be used, (the Preamble actually provides “the full ramifications of biometric technology are not fully known”), the Illinois Legislature enacted a law requiring businesses planning to maintain any sort of databases of these identifiers enact policies to receive written authorization from customers or employees before scanning fingerprints, retinas or other biometric identifiers. It also requires businesses to share with those whose biometrics are being scanned information on how those identifiers would be stored and even disposed of.
Growing out of this Act, the state issued regulations on businesses that collect and store biometric identifiers like fingerprints, retinal scans and other physical characteristics for customers or employees.
But here’s the rub: under the BIPA, plaintiffs may request damage awards of $1,000-$5,000 per violation, plus attorney fees
But here’s the rub: under the BIPA, plaintiffs may request damage awards of $1,000-$5,000 per violation, plus attorney fees. So just like the plethora of cases brought under the Telephone Consumer Protection Act (TCPA) which also has statutory penalties and a private right of action for unauthorized robo calls to cell phones, we have seen over the years, the BIPA has likewise spawned class actions seeking millions of dollars from companies doing business in Illinois. (Currently, Illinois, Texas and Washington are the only states with statutes addressing the collection of biometric information by private businesses; only Illinois provides for such a private cause of action).
Employers have increasingly used such biometric systems in recent years, rather than time cards, swipe cards or keypads into which employees would enter an identification number, to more efficiently and accurately log employee work hours, while decreasing incidences of fraud, such as someone other than the employee punching the clock to make it appear an absent employee was working. Retailers, banks and medical providers also use biometric identifiers in a variety of ways retailers such as for marketing, in-store security, loss and fraud prevention and patient identification purposes.
But because the statutory penalties can be aggregated in class action lawsuits, massive lawsuits have been brought against retailers and employers who now face significant financial exposure.
But because the statutory penalties can be aggregated in class action lawsuits, massive lawsuits have been brought against retailers and employers who now face significant financial exposure. These suits accuse employers and other businesses of not properly handling scanning and managing their employees’ or customers’ fingerprints to log employees’ work hours, failing to secure authorization from employees or customers before scanning and storing fingerprints, and failing to explain in writing the company’s policies for storing and ultimately disposing of the scanned prints, thus allegedly violating the Illinois BIPA law.
Since earlier this year, dozens of BIPA lawsuits against have piled up in the state, and particularly in Cook County and come on the heels of dozens of others brought against nursing homes, restaurants, janitorial service firms and hoteliers, among others. Class actions have been filed against companies such as Aramark, a large food and vendor supplier, United Airlines, Hyatt Hotels, Life Time Fitness, Kerry Ingredients and Flavors, Kellermeyer Berenson’s Services, and the Suparossa Restaurant Group, among others.
Similar suits have been filed against Facebook, Google and Shutterfly, and businesses who use biometric data for security, loss prevention or marketing purposes may also become litigation targets.
And federal judges have declined to narrow the statute’s applicability encouraging the filing of even more suits. In September of this year, an Illinois federal judge denied a motion to dismiss a putative class action accusing Shutterfly of violating BIPA by collecting and storing facial recognition data without the plaintiff’s consent from pictures uploaded to the Shutterfly website. Monroy v. Shutterfly, Inc., No. 16 C 10984, 2017 WL 4099846 (N.D. Ill. Sept. 15, 2017). Shutterfly’s argued that the BIPA did not apply to scans of biometric data derived from photographs, that application of BIPA to the complaint in issue would give it extraterritorial effect in violation of the Commerce Clause and that the plaintiff failed to allege actual damages resulting from Shutterfly’s conduct. The court rejected all three arguments.
First, while recognizing that the statute expressly excludes photographs from the definition of “biometric identifier,” the court determined that data obtained from a photograph may nevertheless constitute a “biometric identifier.” Second, the court found that although the plaintiff is a resident of Florida, it would be inappropriate to conclude that the lawsuit requires extraterritorial application of BIPA or violates the Commerce Clause at the motion to dismiss stage given that the complaint alleges that the photo was uploaded to Shutterfly’s website from a device in Illinois by a citizen of Illinois and the circumstances surrounding the claim are not fully known.
Last, the court held that a showing of actual damages was unnecessary to state a claim under BIPA, analogizing to other consumer protection statutes with statutory damages provisions such as the Fair Credit Reporting Act, the Fair Debt Collection Practices Act and the Truth in Lending Act. In a footnote, the court also found that the plaintiff sufficiently alleged an injury-in-fact for Article III and Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016) purposes by alleging a violation of his right to privacy. (Here is a link to an in-depth discussion of Spokeo and to the standing controversy.
Earlier this year, another Illinois federal judge denied a motion to dismiss two complaints brought by individuals who alleged Google captured biometric data from facial scans of images taken with Google android devices in Illinois without the plaintiffs’ consent. Rivera v. Google, Inc., 238 F. Supp. 3d 1088 (N.D. Ill. 2017).
And in May 2016, a California federal judge denied a motion to dismiss a putative class action of Illinois residents who alleged Facebook scanned and captured their biometric data from images uploaded to Facebook without their consent in violation of BIPA. In re Facebook Biometric Info. Privacy Litig., 185 F. Supp. 3d 1155 (N.D. Cal. 2016). Like Shutterfly, both Google and Facebook argued that BIPA does not apply to scans of photographs, and Google also argued that applying BIPA to the plaintiff’s claims would give the statute extraterritorial effect and violate the Commerce Clause. The courts in both cases rejected these arguments and permitted the cases to move forward.
Besides the standing and statutory interpretation issues, these cases also raise the specter of non-Illinois businesses being sued for capturing or storing biometric information of individuals accessing the business websites from devices within the state of Illinois
Besides the standing and statutory interpretation issues, these cases also raise the specter of non-Illinois businesses being sued for capturing or storing biometric information of individuals accessing the business websites from devices within the state of Illinois.
However well intended the Illinois Legislature may have been in wanting to protect the privacy of Illinois citizens and any unintended use of biometric data, the consequence is the door has been open for class actions exposing companies doing business is Illinois to millions of dollars of exposure. The result: more often than not the cases will be settled and the employees and consumers will get a token settlement. This is the same scenario has played time and time again under the TCPA.
Will the BIPA chill the use of businesses in Illinois and perhaps elsewhere from using biometric identifiers? That would be an unfortunate result since this technology brings so many security advantages to the table. And biometric identifiers are really not that much different from traditional personally identifiable information for which Illinois has not offered statutory remedies for violation. But fear and misunderstanding of technology often produces unfortunate and unintended consequences.
Photo Attribution: Lester Leszczyn via Flickr; Roman Boed via Flickr