New Wave Of Biometric Privacy Class Actions: Could You Be A Target?

by Shook, Hardy & Bacon L.L.P.
Contact

While the privacy world is focused on the Equifax data breach, another development is taking place that could have a more lasting effect on privacy law.  In the last month, plaintiffs’ lawyers in Illinois have filed over 20 lawsuits against companies that authenticate their employees or customers with their fingerprints.  The lawsuits are based on the Illinois Biometric Information Privacy Act (BIPA), which requires companies that possess or collect biometric information to provide notice to and obtain a written release from individuals whose biometric information the companies collect.

Why Do These Lawsuits Matter?

Companies are increasingly collecting biometric information from their customers and employees (“data subjects”) because this information helps authenticate users with greater accuracy.  It allows the company to provide customers a more seamless, secure, and tailored experience.  It also allows employees to securely and conveniently punch in and out of work by placing their finger on an electronic reader, which has the additional benefit of minimizing “buddy punching” (where employees ask their colleagues to check them in/out of work improperly).

What Is Biometric Information?

BIPA applies to “biometric Identifiers” and “biometric Information.”  A biometric identifier is a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.  Biometric identifiers do not include, among other things, writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color.  Biometric information means any information based on an individual’s biometric identifier used to identify an individual.  Because BIPA does not treat biometric identifiers differently from biometric information, this blog post refers to both categories collectively as “biometric information.”

To Whom Does BIPA Apply?

BIPA applies to companies in possession of biometric information or companies that collect, capture, purchase, receive through trade or otherwise obtain biometric information about Illinois residents.  BIPA does NOT apply to entities governed by HIPAA or GLBA.  Nor does it apply to state or local government agencies or any court of Illinois.

What Does BIPA Require?

Companies that possess biometric information must develop a written policy, made available to the public, that establishes a retention schedule and guidelines for permanently destroying biometric information when the initial purpose for collecting or obtaining the information has been satisfied, or within three years of the individual’s last interaction with the private entity, whichever occurs first.  The company must comply with this retention schedule and destruction guidelines, unless a valid warrant or subpoena issued by a court of competent jurisdiction provides otherwise.  The company must also adopt reasonable security safeguards to protect the storage and transmission of biometric information.  These safeguards must be at least the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.

Companies that collect, capture, purchase, receive through trade, or otherwise obtain a person’s biometric information must:  (1) inform the subject in writing that biometric information is being collected or stored, and the specific purpose and length of term for which the information is being collected, stored, and used; and (2) obtain a written release executed by the subject of the biometric information.

What Conduct Does BIPA Prohibit?

Companies that possess biometric information are not allowed to sell, lease, trade, or otherwise profit from a person’s biometric information.  Additionally, disclosure, redisclosure, and other dissemination of the information is prohibited unless:  (1) the data subject consents to the disclosure; (2) the disclosure completes a financial transaction requested or authorized by the data subject; (3) the disclosure is required by law; or (4) the disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.

Can My Company Be Sued For Violating BIPA?

Any person “aggrieved by a violation” of BIPA can sue the violating company.  He or she may be entitled to $1,000 in liquidated damages for a negligent statutory violation or $5,000 in liquidated damages for an intentional statutory violation.  (If actual damages are greater, the plaintiff may seek those instead, but for the reasons discussed below, this is not usually the case).  Additionally, the prevailing party (plaintiff or defendant) may recover attorney’s fees and costs.

What Is This Latest Wave Of BIPA Lawsuits All About?

Between BIPA’s enactment in 2008 and a couple months ago there were relatively few lawsuits based on violations of BIPA.  Within the last couple of months, however, the Illinois plaintiffs’ bar has filed over 20 BIPA lawsuits.  Almost all of those lawsuits are based on the same underlying factual scenario:  an employee places his/her finger on a time clock to authenticate himself/herself when checking in or out of work.  In addition to suing the employer, plaintiffs are also suing the companies that sell/distribute the time clocks that use fingerprint readers.

Given the timing of the lawsuits and their almost identical language, this is surely a coordinated effort by the plaintiff’s bar to obtain quick settlements from risk-averse companies that would prefer to avoid or cannot afford the cost of litigation.  It is also a shotgun approach to flood the courts with these lawsuits in the hope that one or two of them will result in favorable precedent that can be used to file more lawsuits, so I don’t see this trend ending anytime soon.

Do The Lawsuits Have Merit?

No.  You can expect to see strong arguments by the defendants on the underlying technology and the meaning of biometric information.  But these lawsuits are meritless primarily because the plaintiffs didn’t suffer any real harm.  The lawsuits appear to be filed by former employees with axes to grind against their former employers.  Setting that aside, however, the arguments in the complaints are not persuasive.

The complaints allege that BIPA was designed to ensure that the plaintiffs receive notice that their biometric information is being collected, and that the plaintiffs should have been asked to sign written releases.  This lack of notice argument is silly when you remember that these individuals were essentially receiving notice every day by placing their fingers on a time clock to log in and out of work.  This latest wave of cases does not present the situation, as other BIPA cases have, where biometric information is being collected without the data subject’s knowledge.

The complaints also allege that the plaintiffs were not provided a policy explaining the use of their information. If we assume first that the plaintiffs would have read these policies (because we all read policies provided to us during the onboarding process), then what would those policies have told the employees?  Anyone familiar with the technology will tell you that the policies would say that the company does not actually collect fingerprint images at all, that there isn’t a database of employee fingerprints somewhere, that to the extent the company has access to numerical representations of their fingerprints those representations are useless to anyone else because they can’t be reverse-engineered, and the information is not shared with third parties (primarily because it serves no use).

The complaints are also significant in what they do NOT allege.  They do not allege, for example, that unauthorized third parties (like hackers) accessed the information.  Nor do the complaints allege that the employers shared the information with any authorized third parties.  So again, what is the harm suffered?

For these reasons, most courts that have addressed the lack of harm argument in the BIPA context have dismissed the lawsuits.  See, e.g., McCollough v. Smarte Carte, Inc. (N.D. Ill. Aug. 1, 2016); Vigil v. Take-Two Interactive Software, Inc. (S.D.N.Y. Jan. 27, 2017).  Those courts concluded that even if there was a technical violation of BIPA, the plaintiffs were not “aggrieved by those violations.”

What Can Companies Do To Minimize These Risks?

First, determine whether BIPA even applies to you.  This may require consulting with counsel knowledgeable in the requirements of BIPA and the underlying technology.  Even if you are not currently collecting biometric information from Illinois residents, could you in the future?  Additionally, while Illinois is currently the only state that creates a private right of action for violation of its biometric information privacy statute, other states have similar laws enforced by their respective Attorneys General.

Second, if BIPA applies, use experienced counsel to ensure that you comply with BIPA – draft a BIPA retention policy, prepare and obtain written releases, and evaluate the security and use of the information.  This process may require coordination with your information technology staff and the vendor you use for your authentication devices.

Finally, if your company has already been sued, there are strategies that counsel should immediately bring to your attention that will lower the cost of litigation, increase the likelihood of success, and help you identify traps for the unwary.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Shook, Hardy & Bacon L.L.P. | Attorney Advertising

Written by:

Shook, Hardy & Bacon L.L.P.
Contact
more
less

Shook, Hardy & Bacon L.L.P. on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):
hide

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.

Security

JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.