BIPA and other Privacy Law Updates

Introduction

Although the Illinois Biometric Information Privacy Act (BIPA) was passed in 2008, class actions alleging violations of it have grown significantly in recent years, and the amounts involved can be quite high. For example, in February 2021, a federal court approved the proposed settlement of a $650 million BIPA class action lawsuit against Facebook.

BIPA requires private entities that receive biometric information or identifiers to first inform the data subject in writing that the information is being collected and stored, to inform the data subject of the specific purpose of the collection and storage and the period for which it will last, and to obtain written approval from the person concerned. BIPA also prohibits the disclosure of biometric information without the consent of the subject, unless an exception applies. Nor may private entities sell, lease, trade, or benefit from a person’s biometric information. In addition, BIPA requires a private entity in possession of biometric identifiers and information to develop a publicly available written policy that defines a retention plan and provides guidelines for the permanent destruction of the information.

Any person harmed by a BIPA violation may bring an action for damages of $1,000 for each negligent violation or $5,000 for each willful or reckless violation, plus reasonable attorney fees and expenses. Actual damages are not required to establish standing; a procedural violation alone is sufficient.

Status of Current BIPA Cases in Illinois

Despite the increase in litigation, there is limited appellate precedent in state courts to rely on, and federal litigation brings its own unique considerations for the parties. For example, BIPA does not have a statute of limitations, which is an important issue that is (still) being litigated in the lower courts with no controlling guidance from appellate courts. As of this writing, there are also two pending appellate cases on important issues for companies and employers facing BIPA claims.

The Illinois Supreme Court is due to determine whether the exclusive remedy provisions of the Illinois Workers’ Compensation Act bar claims for damages under BIPA when an employee alleges that an employer has violated the worker’s statutory privacy rights under BIPA. In McDonald v. Symphony Bronzeville Park, LLC, No. 1-19-2398, a highly anticipated case because the ruling will affect hundreds of BIPA cases, the defendant, a former employer, is attempting to bar the plaintiff-employee’s claims for injuries suffered when fingerprints were scanned for clocking in and out. The defendant-appellant filed its opening brief on April 30, 2021, and the plaintiff’s response is in preparation. A decision in favor of the defendant will have far-reaching implications for current and future BIPA cases in the employment context, which typically involve the alleged collection of biometric information for time and attendance purposes and access to computer systems.

Pending before the Seventh Circuit is a challenge to the Northern District of Illinois decision that two independent and enforceable BIPA violations occurred and accrued each time the plaintiff used the defendant’s finger-scan system without notice and consent (i.e., to access both work computers and weekly pay slips). In Cothron v. White Castle System, Inc., No. 20-3202, the defendant and amicus curiae argue that potentially debilitating harm can result if every employee is entitled to one or more statutory damages awards every time the employee uses biometric technology. If the lower court’s reasoning holds up, conservative estimates put damages for the plaintiff alone at more than $3 million and for the class at slightly more than $1 billion.

In response to the spate of BIPA litigation, the Illinois House of Representatives is considering House Bill 559, designed to curb the impact of BIPA claims on businesses of all sizes in the state. Illinois House Bill 559 introduces several changes to BIPA: (1) narrowing the definition of biometric information by exempting “information derived from biometric information that cannot be used to restore the original biometric identifier” [e.g., a numerical identifier converted from a finger scan]; (2) requiring workers to provide employers with written notice and an opportunity to remedy a BIPA violation 30 days prior to filing a lawsuit; (3) a one-year statute of limitations to file a BIPA lawsuit; (4) eliminating the $1,000 or $5,000 statutory penalties “for each violation” and limiting recovery to actual damages and attorney’s fees; (5) an exception for actions brought by employees who are subject to a collective bargaining agreement; and (6) allowing electronic consent rather than requiring “written clearance”.

Current and Planned Biometric Data Protection Laws in Other States

Several states have followed Illinois in enacting laws that regulate the use and disclosure of biometric information; however, Illinois is currently the only state whose statute includes a private right of action. Laws regulating biometric information range from comprehensive biometric information laws similar to BIPA, to data protection laws that include biometric information in the definition of “personal information”, to data breach laws that include biometric information within the covered “personal information.”

Currently, only two other states have comprehensive laws regulating biometric information: Texas and Washington. Tex. Bus. & Com. Code § 503.001 provides that a person may not collect a biometric identifier without prior consent, may not sell biometric data without consent or unless the sale is otherwise permitted by law, and must exercise reasonable care in storing the biometric identifier and destroy it within a reasonable period of time. Likewise, Wash. Rev. Code Ann. § 19.375.020 prohibits any company or person from entering biometric data “for commercial purposes into a database without first giving notification, obtaining consent or providing a mechanism to prevent the later use of a biometric identifier for a commercial purpose”. Although both laws have similar requirements to BIPA, neither includes a private right of action and both empower their respective attorney general to enforce the laws.

Other states have proposed sweeping laws that have not been passed, with Maryland and New York being the most recent to consider enacting a sweeping law to protect biometric information. New York Assembly Bill 27 would require written consent to collect biometric information and would prohibit the sale of that information. Maryland House Bill 218 would impose similar restrictions. Both bills would include a private right of action, which distinguishes them from the Washington and Texas statutes.

The California Consumer Privacy Act includes biometric information within the definition of personal information. The law provides for consumer rights to control their personal data, which extend to biometric data defined as “physiological, biological or behavioral traits, including … DNA[,] that can be used … to establish an individual’s identity,” including “images of the iris, retina, fingerprint, face, hand, palm, vein patterns and voice recordings from which an identification template, such as a face print, a minutiae template, or a voiceprint is extracted, as well as key press patterns or rhythms, gait patterns or rhythms as well as sleep, health or training data that contain identifying information.” Cal. Civ. Code § 1798.140(b).

New York and Arkansas both have breach response laws that cover biometric data. In New York in particular, the Stop Hacks and Improve Electronic Data Security (SHIELD) Act of 2019 includes “biometric information” in the definition of “private information”. The law requires that individuals be notified when unauthorized access to their private data is discovered. The Arkansas Security Breach Response Act, Arkansas Code § 4-110-103(7), now includes “Fingerprints; Facial print; a retinal or iris scan; Hand geometry; Voice print analysis; Deoxyribonucleic acid (DNA); or other unique biological characteristics” as biometric data within the definition of covered personal information. Arkansas law also requires individuals to be notified if a personal information breach is discovered.

Congressional Interest in Biometric Data Protection Laws

Congress has also shown interest in legislation on biometric information. The National Biometric Information Privacy Act of 2020 was introduced in August 2020 and would require covered companies to obtain consent before collecting biometric data and would also impose retention, disclosure and destruction requirements. The proposed federal law, which is currently still under consideration in the US Senate, would also provide for a private right of action.

While the future of any federal law regulating biometric information remains to be seen, it is clear that the regulatory landscape for biometric information is constantly evolving and that institutions handling biometric information need to be vigilant about their obligations under current and future laws, especially as enforcement increases and private litigation, where permitted, shows no signs of slowing down.

© Polsinelli PC, Polsinelli LLP in California. National Law Review, Volume XI, Number 148
