CHICAGO – A recent settlement of a class-action lawsuit over customer fingerprints raises questions about the security of biometric information.
Earlier in December, the class action lawsuit Klaudia Sekura v. L.A. Tan in the Circuit Court of Cook County was approved by a court for $1.5 million settlement. Class members had alleged that L.A. Tan violated Illinois Biometric Information Privacy Act by collecting members’ fingerprints without complying with BIPA’s privacy notification provisions. Most fitness or tanning facilities use a membership card for check-in purposes, but L.A. Tan sold members on the idea of a fingerprint scan being foolproof and easy,, the suit says.
What L.A. Tan allegedly failed to do was disclose to members that their fingerprints were being used by a third-party vendor out of state, Sun Lync.
The original complaint also alleged that L.A. Tan failed to comply with the written data retention policy. Under BIPA, a biometric identifier cannot be captured unless the company doing it first: "(1) informs the subject in writing that a biometric identifier is being collected; (2) informs the subject in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and (3) receives a written release executed by the subject," wrote Jeffrey Neuburger, partner at the Proskauer firm, co-head of the Technology, Media & Telecommunications Group, a member of the Privacy & Cybersecurity Group and editor of the firm’s New Media and Technology Law blog.
The L.A. Tan has focused attention on a new area of law but it hasn’t set precedent.
“When a case like this settles, I don’t think it has an effect one way or another because there is no precedent set when a case settles,” Neuburger told the Cook County Record.
However, Neuburger said that the L.A. Tan case is significant because it touches on a new area of law, biometric information of customers.
“This case is a little different because it involves fingerprints," he said. "The other cases were more focused on facial images. This is a bit more of a local case. There are some factual differences but there was no analysis and the factual differences weren’t scrutinized closely.”
He added that destruction of confidential personal information is a big concern for all large companies, and biometric information is a big new concern in the business world for a number of reasons.
“It touches on HIPAA because it definitely could affect health information. It’s a pretty significant development,” he said.
Neuburger told the Cook County Record some recommendations for what businesses should take away from this settlement and the L.A. Tan case, in general.
“I think it’s definitely a law that people using biometrics should be aware of," he said. "There are ways of complying with the law. In some cases it’s practical and in some cases it’s not. Businesses using biometrics should look at the law and see if they comply with it. The other question is how they use biometrics. Every business using biometrics in Illinois should be aware -- even if they’re not in Illinois but they have customers in Illinois.”
What does the future hold in Illinois?
“The Illinois legislature at some point last year was looking at changing the law to make it less onerous, but that didn’t happen, but that may happen at some point in the future,” he said.
Many companies in America do business all over the country and it makes regulating privacy tricky.
“So much of privacy is regulated on a state level," he said. "So, much of privacy is a state law issue and it’s difficult for a company that’s doing business across state boundaries to comply with the laws everywhere. There have been attempts to try to create a federal privacy law -- many attempts over the years -- but they’ve generally been unsuccessful. It’s hard to get a meeting of minds if everybody looks at an issue differently."