As tech companies race to develop facial recognition software for new applications across industry sectors, state legislatures are developing privacy laws to protect individuals’ right to privacy and control over their biometric information. The Illinois Biometric Information Privacy Act is the most stringent biometric privacy law in the U.S. for the following reasons:
- It is the only biometrics privacy statute in the country with a private right of action that provides for liquidated damages for “aggrieved parties” of up to $5,000 per violation.
- The Illinois Supreme Court in Rosenbach v. Six Flags Entertainment Corp. held that an individual need only prove a technical violation of BIPA and not actual damages to maintain a cause of action under it.
- BIPA mandates that employers comply with collection, retention, disclosure and destruction protections prior to collecting biometric information as follows:
  - Notice of the collection, the purpose of retention, and storage of biometric information;
  - Acquisition of a written release from individuals to document consent to the collection, storage and use of the biometric information; and
  - Publication of document retention and destruction schedules of biometric information.
- BIPA provisions forbid dissemination, trading, leasing, selling or otherwise profiting from biometric information.
- BIPA, enacted in 2008, does not contain a statute of limitations on actions that may be brought.
Article III Standing
In a decision of significant import, the Ninth Circuit in Patel v. Facebook Inc. held that plaintiffs in Illinois who alleged that Facebook’s use of facial recognition technology in photo tagging violated BIPA had alleged a concrete injury in fact sufficient to confer Article III standing.
The Ninth Circuit’s decision concluded that Facebook’s development of face templates using facial recognition technology without consent was the “very substantive harm targeted by BIPA,” that BIPA protected concrete privacy interests, and that plaintiffs alleged a concrete harm sufficient to confer Article III standing.
The Ninth Circuit further refused to decertify the class based on Facebook’s extraterritoriality argument. Instead, the appeals court upheld class certification because it concluded it was reasonable to infer from General Assembly statements that the Illinois legislature contemplated application of BIPA to protect privacy interests of individuals located in Illinois, even if some activities occurred in states other than Illinois.
It also stated that if warranted by future circumstances, the district court could decertify the class.
The class alleged that Facebook collected and stored their facial images for tagging without prior notice and consent and without the required retention schedule in violation of BIPA provisions. Facebook moved to dismiss for lack of Article III standing, but a unanimous Ninth Circuit upheld the district court decision that denied Facebook’s motion.
The Ninth Circuit decision is aligned with the Rosenbach decision, which held that the collection of biometric data without consent was sufficient to state a cause of action. These two decisions are indicative of the courts’ continued willingness to uphold the broad mandates of the BIPA statute.
Removal to Federal Court
Subject Matter Jurisdiction and Diversity
In Treadwell v. PowerSolutions, a federal judge refused to remand the case to state court after it was removed to federal court, even though subsequent events resulted in a lack of diversity between the parties.
In Treadwell, a plaintiff filed a class action complaint in state court alleging violations of BIPA against two defendant corporations. Defendants properly removed the case to federal court based on minimal diversity and satisfaction of the amount in controversy requirement. The plaintiff and the sole out-of-state defendant, NOVAtime, jointly stipulated to voluntary dismissal without prejudice. After dismissal of NOVAtime, the plaintiff filed a motion to remand the case to state court based on lack of subject matter jurisdiction in federal court, as well as the home state or local exception to diversity jurisdiction under the Class Action Fairness Act.
The judge denied plaintiff’s motion. When federal jurisdiction is proper at the time of removal, neither subsequent events nor the local exception affects the federal court’s jurisdiction over the case.
Meaning of “Each Violation” and Effect on Amount in Controversy Requirement
In Peatry v. Bimbo Bakeries USA, the judge refused to narrowly interpret the term “each violation,” which would have deprived the federal court of jurisdiction. In doing so, the judge noted that plaintiff’s “post removal attempt to cabin her damages so as to avoid federal court does not deprive the court of jurisdiction.”
The plaintiff attempted to thwart the defendant’s subsequent removal of the case to federal court by claiming the amount in controversy for her individually and the class fell short of the jurisdictional threshold.
The plaintiff argued the definition of “each violation” was more limited. However, the pleadings indicated that she had scanned her fingerprint each time she clocked in and out of work, and that she was employed for 30 months.
She also sought recovery of statutory damages of either $1,000 for each negligent violation of BIPA or $5,000 for each reckless or intentional violation. Additionally, the class was comprised of about 300 employees.
The judge noted that the term “each violation” is undefined in BIPA and uninterpreted. Under an expansive reading of the statute, recovery of damages in excess of $5 million was plausible, if counting each scan of an individual’s fingerprint. The judge denied plaintiff’s motion to remand to state court because it was conceivable that she exceeded the amount in controversy requirement.
Although this issue remains unresolved, this case represents an indication that the term “each violation” can be defined broadly to refer to each scan and each disclosure to a third-party vendor, rather than to each person whose biometric information was collected and shared. The prospect of a broad interpretation of the term continues to help fuel the filing of class action lawsuits.
Consent Requires Proper Notice
In Rogers v. CSX Intermodal, the judge held Rosenbach established that consent cannot be given by an individual unless there is proper notice that the biometric information will be collected, stored and used as required by the statute.
In Rogers, the plaintiff claimed he was entitled to recovery of damages under BIPA as a result of his employer’s failure to disclose the purpose for which his fingerprint scans were collected, to disclose the length of time the information would be retained, and to obtain his consent to the collection and disclosure of the information to third-party vendors as required by BIPA.
The defendant moved to dismiss the complaint arguing BIPA allowed individuals to withhold consent prior to the collection of the biometric identifiers, asserting that an individual’s right was not violated if individuals voluntarily scanned their fingerprints.
The judge rejected the defendant’s argument because the Illinois Supreme Court had settled this issue in the Rosenbach decision. The judge held that an individual’s right to privacy encompasses the right to give up his biometric information only after receiving proper notice relating to the collection of the biometric identifiers and consenting to its collection. Further, like minors, adult individuals cannot consent voluntarily without receiving proper notice and providing written consent.
Arbitration of BIPA Claims
Existence of a Collective Bargaining Agreement
In the consolidated cases Miller v. Southwest Airlines and Johnson v. United Airlines, the Seventh Circuit held that plaintiffs, who were union workers subject to a collective bargaining agreement, must submit their claims under BIPA to the adjustment board under the Railway Labor Act.
The plaintiffs contended the airlines implemented fingerprint scanning timekeeping systems and collected their fingerprints without their consent, failed to publish a public protocol for retaining and handling biometric data, and unlawfully disclosed the biometric data to third-party vendors. Defendants claimed the plaintiffs, either expressly or through the CBA’s management rights clauses, received notice and consented to the collection and disclosure of the biometric data. Defendants also contended the claims must be submitted for arbitration to the adjustment board under the Railway Labor Act.
The Seventh Circuit affirmed the lower court’s dismissal of Miller v. Southwest Airlines in federal court, because the method by which a union acquires and uses biometric data for timekeeping purposes constitutes a mandatory subject of collective bargaining reserved for resolution by the adjustment board under the Railway Labor Act.
The court similarly vacated and remanded the lower court’s decision in Johnson v. United Airlines with instructions to refer the parties’ dispute to the adjustment board because the complaint concerned a CBA, which is regulated by federal law. Removal was also conceivably warranted under CAFA.
Existence of Mandatory Arbitration Provision in Employment Agreement
In Liu v. Four Seasons Hotels, the employer moved to compel arbitration of a BIPA lawsuit and claimed the lawsuit constituted a wage and hour dispute because the issue was related to timekeeping. The employment agreement compelled arbitration for only four types of employment disputes, including wage and hour claims.
The judge denied the motion because a cause of action under BIPA alleged a violation of privacy rights, not a wage and hour claim, even though hotel employees’ fingerprints were scanned and collected for the purpose of tracking hours worked. As such, the claims were not an arbitrable dispute under the employment agreement.
Claims of Willful or Reckless Violations of BIPA
In Rogers v. CSX Intermodal, the plaintiff alleged the defendant’s actions were willful and wanton because CSX failed to take any steps to comply with BIPA mandates. The judge disagreed.
A plaintiff must plead facts sufficient to support a claim of a willful or reckless violation of BIPA, and conclusory allegations aren’t enough to overcome a motion to dismiss.
Constitutional Defenses Raised
In Gregg Bruhn v. New Albertson’s, a class action suit alleged pharmacists’ use of a fingerprint scanning system to access the pharmacy’s computer system triggered the protections afforded under BIPA.
Defendant filed a motion to dismiss arguing the exclusion of certain financial and government entities from BIPA’s mandates without a rational basis violated the Illinois constitution’s prohibition on special legislation.
Defendants also argued BIPA was unconstitutionally vague because the exclusion related to information collected under the Health Insurance Portability and Accountability Act (HIPAA) could reasonably be interpreted to apply not only to patient data, but also to biometric information collected from pharmacist-employees.
The Cook County Circuit Court previously held that both interpretations were reasonable, but ruled that the legislature intended the HIPAA exemption to apply only to patient information. A decision on the constitutional issues remains pending.
Insurance Coverage for BIPA Disputes
In Zurich American Insurance Company, et al., v. Omnicell, the insurance company sought declaratory relief that it did not owe a duty to defend or indemnify Omnicell in an underlying BIPA suit. The court granted a motion to stay pending resolution of the underlying case, Mayza v. Northwestern Lake Forest Hospital, et al.
What This Means to You
The number of class action cases filed since the Rosenbach decision continues to mount against companies, including employers who utilize biometric scanners for identity verification purposes. Compliance with the BIPA statute is necessary to avoid significant damages and litigation costs. We recommend that entities that collect biometric information take the following actions:
- Determine whether an exemption from BIPA’s mandates applies.
- Determine whether biometric information from employees, contractors or others is collected, stored or shared.
- Determine the time frame over which liability could be imposed if notice and disclosure requirements have not been implemented for mitigation purposes.
- Develop a written policy available to the employees, contractors and the public regarding retention and destruction schedules for permanently destroying biometric information.
- Prior to collection of biometric information, disclose the intent and purpose for the collection of the biometric information, and obtain a written release consenting to the collection, use and storage of the information and acknowledging receipt of the retention and destruction schedules.