February 7, 2019
By Ana Tagvoryan, Justin M. Brandt, and Harrison M. Brown
In the summer of 2017, a supermarket chain owned by Kroger was hit with a putative class-action lawsuit for allegedly violating a law protecting individuals’ biometric data and information. The case illustrates a growing trend of lawsuits over the collection, use, and protection of biometric data. In this still-pending case, the Kroger subsidiary used a timecard system that clocked employees in and out of work by scanning their fingerprints, which are a form of biometric data. The plaintiffs allege that the timecard system violates Illinois law because, among other things, employees never gave written consent for the grocer to collect and store their fingerprint data.
The suit highlights the growing body of law around the country regarding the collection, use, and protection of biometric information. As this article explains, Illinois has led the charge to protect biometric information, and businesses around the country should learn from Illinois law regarding how to safeguard biometric information and shield themselves from liability stemming from its collection and use.
Broadly speaking, biometric information and data are measurements of a person’s physical characteristics, including fingerprints, iris or retina scans, facial scans, and even voiceprints. In recent years, technology has made collection and usage of these markers easier, and the unique nature of biometric information makes it a powerful security feature for anything from signing into your phone to authenticating your identity when calling a financial institution.
However, the same uniqueness makes a breach of biometric information especially damaging. Unlike a password or PIN, a biometric trait cannot be changed or reissued. If a password or PIN is compromised, it can be reset; once a fingerprint, face or iris template is compromised, it is compromised forever, because the underlying trait cannot be revoked. Lawmakers around the country have taken notice of this special need to protect biometric information and are taking steps to regulate its collection, use, and protection.
Illinois Biometric Information Privacy Act
In 2008, Illinois became the first state to enact a law regarding biometric identifiers and information. Illinois’ law has since served as a model for other states’ laws and proposed legislation. Texas and Washington followed Illinois’ example by passing laws aimed at protecting biometric information. As additional states grapple with how best to protect biometric information, lawmakers will likely look to Illinois as a model.
The Illinois Biometric Information Privacy Act (“BIPA”) was the first state law to specifically address businesses’ collection, use, and protection of biometric data. The law defines biometric identifiers and biometric information and establishes the legal requirements for their collection, use, and protection. BIPA’s definition of biometric identifiers is relatively broad, including a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. See 740 Ill. Comp. Stat. Ann. 14/10. Courts have read this definition expansively: in 2017 the U.S. District Court for the Northern District of Illinois held that face-scan measurements derived from user-uploaded photographs qualify as biometric identifiers under BIPA. See Rivera v. Google, Inc., 238 F. Supp. 3d 1088 (N.D. Ill. 2017). Whether a business collects face-scan measurements directly from a consumer or derives them from a photograph, that information arguably may fall within the ambit of BIPA. The law’s application may be limited in the employment context, however, where the relationship between the parties is governed by a collective bargaining agreement, in which case a BIPA claim may be preempted by federal labor law. See Johnson v. United Air Lines, Inc., No. 1:17-cv-00858, 2018 WL 3636556 (N.D. Ill. July 31, 2018).
The Illinois law sets out the legal requirements for the collection, use, and protection of biometric data. Its requirements fall into five primary categories. First, it prohibits businesses from collecting or receiving biometric information without first informing the individual in writing of the collection, its purpose, and the retention period, and obtaining a written release from the individual. Second, entities in possession of biometric information must develop publicly available written policies establishing a retention schedule and guidelines for permanently destroying the information once the initial purpose for collecting it has been satisfied. Third, it limits an entity’s right to disclose biometric information. Fourth, it requires entities to store, transmit, and protect from disclosure all biometric information using the reasonable standard of care within the industry, and in a manner at least as protective as that used for other confidential and sensitive information. Fifth, it prohibits entities in possession of biometric information from selling, leasing, trading, or otherwise profiting from the information.
Violation of these requirements can be expensive for businesses because BIPA creates a private right of action for any person aggrieved by a violation. A prevailing plaintiff may recover the greater of actual damages or liquidated damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation, in addition to attorney’s fees and costs.
Recent News in BIPA Litigation
- On January 25, 2019, the Illinois Supreme Court ruled unanimously in Stacy Rosenbach v. Six Flags Entertainment Corp. et al. that plaintiffs do not need to show actual harm to have standing as an “aggrieved person” under BIPA. This ruling resolved an appellate split within the state on this issue that had developed in recent years, and likely will increase the pace of new BIPA filings and the risk to companies who collect biometric information.
- Despite BIPA being a state statute, Illinois state and federal courts are not the only venues that have hosted BIPA lawsuits. Class action lawsuits under BIPA against Facebook relating to its facial recognition software were consolidated in In re Facebook Biometric Information Privacy Litigation in the Northern District of California. A class of Illinois residents was certified in April 2018, and the case is currently stayed pending a Ninth Circuit appeal on the standing issue—i.e., whether an alleged statutory violation alone is sufficient to show that consumers were actually “aggrieved.”
Other States Following Illinois’ Lead
In May 2017, Washington enacted its own law covering the collection, retention, and use of biometric identifiers. Like Illinois and Texas, Washington requires notice to consumers, affirmative consent, and protective measures to safeguard biometric information. Washington’s law does not provide a private right of action; instead, noncompliance is classified as a violation of Washington’s consumer protection law and is enforceable by the state attorney general. Other state legislatures have taken first steps by proposing biometric data-related bills, including Alaska, Connecticut, Massachusetts, Montana, and New Hampshire. As the collection and use of biometric information increases, states and other regulatory bodies will continue to develop laws to protect it.
How Businesses Can Safeguard Consumer Information
Using existing law as a guide, as well as best practices promulgated by the Federal Trade Commission, businesses can take affirmative steps to safeguard consumer biometric information and stay ahead of legislation and regulation.
First, businesses should provide clear written notice and obtain express, documented consent from consumers before collecting biometric information. Second, businesses should establish clear and robust written policies for protecting biometric information once collected, including a defined retention period and a procedure for permanently destroying the data when it is no longer needed. The FTC recommends that businesses using biometric information design their services with privacy in mind; this includes maintaining reasonable security protections for consumers’ biometric information and establishing appropriate retention and disposal practices. Third, businesses should not disseminate or sell their consumers’ biometric information. With safeguards like these in place, businesses can protect the privacy of their consumers and stay ahead of legal requirements for the protection of biometric information.
Ana Tagvoryan is a partner at Blank Rome LLP. She serves as co-chair of the Firm’s Class Action Defense group and vice chair of the Corporate Litigation group. Her complex corporate litigation practice concentrates on consumer fraud, data privacy, online and telephone marketing, false advertising, pricing, e-commerce, and regulatory and statutory compliance issues.
Harrison Brown is an associate at Blank Rome LLP. His practice encompasses a wide range of business litigation and class action defense, with an emphasis on consumer fraud and privacy claims.
Justin Brandt is an associate at Blank Rome LLP. His practice focuses on class action defense and compliance relating to consumer protection and privacy laws and regulations at the state and federal level.