Our federal system and the often dysfunctional nature of Congress can be vexing for cutting-edge manufacturers. Emerging technologies are rarely addressed at the federal level, leaving states to pass piecemeal regulations that can frustrate even the most attentive compliance officers. If you’re bringing a product to market nationwide, you need to be aware of which states have the most stringent regulations. When it comes to biometrics, Illinois tops that list.
The Illinois Biometric Information Protection Act (BIPA) generally is considered the most stringent in the United States, and lawmakers in Florida and New York City are currently working on passing similar measures. So just what is the current state of biometric data privacy in Illinois? The answer lies in three rather unexpected topics: roller coasters, robot dogs, and pizza.
Illinois passed BIPA (740 ILCS 14/1 et seq. (West 2016)) in 2008. Under the law, companies that collect biometric data, such as retina scans, fingerprints, and facial markers, are required to inform individuals that such data is being collected, let them know why the data is being collected, indicate how and for how long the data will be stored, and obtain a written release to acquire such data. While other states such as Texas and Washington have biometric privacy laws, the Illinois law is unique because it establishes a private right of action for violations of the statute.
Even though BIPA has been on the books for more than a decade, it’s only been over the past year or so that we’ve seen a sharp uptick in cases filed. Why is that? Well, it all started when a young man named Alexander Rosenbach decided to purchase a season pass to the Six Flags Great America amusement park. To obtain his season pass, Mr. Rosenbach had to provide fingerprints. The bedrock principle of BIPA is that you can’t collect biometric data from somebody without their permission, and Mr. Rosenbach alleged he never gave such permission, nor could he find any written policy regarding the storage of his biometric data. At first blush it would seem like a fairly straightforward case.
While liability may have been straightforward damages were another story. Mr. Rosenbach filed a class action on behalf of all similarly situated purchasers of season passes, and specifically sought “the maximum statutory or actual damages provided under the [Act],” which is $5,000 per violation. However, he did not allege any specific economic losses. With this in mind, Six Flags moved to dismiss, arguing that any right of action under BIPA is limited to a “person aggrieved,” and that the plaintiffs had not alleged an actual injury. Unfortunately for Six Flags, and ultimately product manufacturers, the Illinois Supreme Court ruled that having your biometric data misappropriated is a harm sufficient to support a claim. Rosenbach v. Six Flags Entm’t Corp., 2019 IL 123186 (January 25, 2019).
As you might guess, this ruling opened the door to all sorts of claims under BIPA, and Illinois plaintiffs’ attorneys did not disappoint. In the past year, we’ve seen a dramatic increase in lawsuits alleging violations of the BIPA. Most of these have been class actions alleging that employers have improperly collected biometric data from employees. But it’s not just employers and employees who have reacted to the Six Flags ruling─product manufacturers have taken note as well.
Let’s say you have young kids who are bugging you to get a dog, but you know full well that their promise to clean up after it will last all of two weeks. If you’re like me, you get your kid a cockatiel instead. But I can tell you from personal experience that birds can be plenty messy themselves, so if you’re tech savvy (and happen to have $3,000) you can actually buy your family a robotic dog. Unfortunately, if you’re in Illinois, you’re stuck with the cockatiel thanks to BIPA.
Sony happens to sell a robotic dog named Aibo that is able to recognize specific “owners” using facial recognition technology and react accordingly. However, the technology would require the dog to recognize and store biometric markers for multiple users beyond the owner, and getting permission from every person who encounters the dog would be difficult if not impossible. So with that in mind, Sony simply has chosen not to sell the robot dog in Illinois. Per their support page: “This facial-recognition data may constitute ‘biometric information’ under the law of Illinois, which places specific obligations on parties collecting biometric information. Thus, we decided to prohibit purchase and use of Aibo by residents of Illinois.”
Other tech products that use biometric data, such as cameras embedded with facial recognition software, have chosen to disable specific portions of their technology for Illinois users. Certainly this gives them greater flexibility in marketing the product across the United States, but it also creates new challenges regarding developing software that can recognize where the device is being employed and adjust to operating without the relevant biometric features. And if other states adopt measures similar to BIPA, developing products that can operate with and without biometric data may become the new norm.
When the Six Flags case ruled that a violation of data privacy is its own harm, it also made it easier for the certification of class actions since multiple plaintiffs can assert a common injury. Indeed, that’s what happened in a case currently pending in Illinois courts.
The plaintiffs in Lenoir v. Little Caesar Enterprises Inc., Case No. 1:19-cv-01575 (N.D. Ill.) are all employees of the Michigan-based pizza chain who were required to clock in and out of work using fingerprints. The plaintiffs object that this biometric data was collected without their written permission. However, Little Caesars has filed a motion to dismiss, arguing in part that their software obtained electronic permission to have biometric data collected every time an employee logged on.
The briefing in Lenoir suggests that the next factor for Illinois courts to determine is whether permission to acquire biometric data must be explicitly in writing. If electronic permission is ruled insufficient, this will prove yet another hurdle for manufacturers of products that use biometric data—particularly when it comes to users who did not actually purchase the product.
In the meantime, some Illinois lawmakers are attempting to quell the wave of BIPA litigation by introducing State Bill 2134, which would strip the statute of its private right to action. This is not the first attempt to amend BIPA, and time will tell if the effort is successful. We also will have to wait to see what approach other states take as they consider biometric data privacy laws.
Ultimately, the continued litigation and application of BIPA is worth monitoring regardless of whether you market products with biometric data in Illinois or elsewhere. For those selling in the Land of Lincoln, the importance of understanding BIPA is obvious. But for anybody else developing products that collect biometric data, the evolution of the Illinois BIPA could shed light on the future of biometric privacy laws in the United States.