Biometric Technologies Create Big Liabilities
Biometric data is fascinating and frightening. Fingerprints, iris imaging, hand scans, and face geometry are no longer reserved for special agents. Employers use fingerprints to track employees’ hours, amusement parks collect thumbprints to prevent the sharing of passes, social media sites capture facial images to “tag” people in photographs, retail stores implement similar facial scans to ban troublesome customers, and premier office buildings offer “wave of hand” biometric security access. Even Taylor Swift’s security team recently scanned concertgoers’ faces, without notice or consent, to identify threats. Biometric data offers many benefits, including enhanced security, convenience, and efficiency; its use is becoming pervasive, commonplace, and socially acceptable.
Its use, however, brings significant legal risk, especially in Illinois. Nearly a decade before last year’s congressional hearings and public backlash against U.S. technology giants, like Facebook, regarding the mishandling of user data and inadequate privacy policies, the Illinois legislature took action to protect biometric data. The legislature recognized unforeseeable future uses and abuses of biometric technology and concluded that biometric data must be protected because, unlike other sensitive information such as bank account PINs, biometric data cannot be changed when compromised. In 2008, Illinois adopted the strongest biometric data privacy law in the United States — the Biometric Information Privacy Act (BIPA), 740 ILCS 14/1, et seq. BIPA creates a private right of action. Claims can readily be combined in class actions, exponentially increasing financial risk. As a result, many businesses have been surprised to find themselves facing hundreds of millions of dollars in legal exposure. Companies that interact with Illinois residents should take time to develop an appropriate biometric data policy and obtain meaningful releases from all participants whose biometric data may be collected before implementing biometric technologies.
BIPA governs the collection, retention, disclosure, storage, transfer, and deletion of biometric data, including retina scans, iris scans, hand scans, face geometry, fingerprints, and voiceprints. See 740 ILCS 14/10. BIPA requires that companies collecting or possessing biometric data develop a written policy, made available to the public, that establishes a retention schedule and policy for deleting the biometric data. See 740 ILCS 14/15. Companies must provide any person whose data will be captured with written notice (1) that his or her biometric data is being collected or stored and (2) of the specific purpose and length of time for which the biometric data will be collected, stored, and used. 740 ILCS 14/15(b)(1) – 14/15(b)(3). The company must also obtain a written release from everyone whose biometric data will be collected, captured, stored, or used. Id. The data must be securely stored and protected in a manner that is the same as or more secure than the manner in which other confidential information (such as passwords) is stored. 740 ILCS 14/15(e). Also, a company may not sell, lease, trade, or otherwise profit from anyone’s biometric data. The permissible disclosure of biometric data is very limited, generally requiring the written consent of the person or a valid warrant or subpoena. 740 ILCS 14/15(c) – 14/15(d).
The most significant threat of a BIPA violation arises from the law’s statutory damages provision. Anyone whose biometric data is collected or stored in violation of BIPA may sue for at least $1,000 per violation — without regard for whether the violation was intentional — and the claim may be brought as a class action. See 740 ILCS 14/20(2).
No-Injury Class Actions
Anyone “aggrieved” by a BIPA violation may file a lawsuit; if an individual establishes a violation, he or she is entitled to recover the greater of $1,000 in statutory damages or actual damages for an unintentional violation. Id. Statutory damages are an amount that the legislature establishes as a damage award, with no requirement that the plaintiff prove his or her harm. If a plaintiff establishes that the BIPA violation was intentional, the statutory damages increase to $5,000 per violation. Id. BIPA also awards a winning plaintiff his or her attorneys’ fees and costs, including expert witness fees and other litigation expenses. Id.
In the past two years, people claiming to be “aggrieved” under BIPA have filed more than two hundred class action complaints in Illinois. BIPA claims are attractive to plaintiffs’ counsel as class actions because BIPA violations lend themselves to uniform treatment of all class members. The facts concerning whether a violation occurred are usually the same for all class members, and the statutory damage provision relieves the court of determining questions of individual harm. Thus, a court can resolve hundreds, or even thousands, of claimed violations in a single ruling. Barriers to recovery are greatly reduced because plaintiffs’ counsel ordinarily advance litigation expenses for the class action representative and then collect a share of any recovery.
Despite BIPA’s ten-year existence, few courts have issued decisions interpreting it, possibly because the law’s legal exposure drives defendants to settlement. In fact, as of this article, no court has explained exactly how a BIPA violation accrues. The most logical reading of the law is that a company’s failure to provide notice to or obtain consent from a person constitutes a single violation. Some class action complaints, however, seek much more in damages by claiming that every time a company captures biometric data — such as an employee using a thumbprint on a lock or time clock — counts as a separate violation, each with a minimum penalty of $1,000.
The statutory damages accumulate quickly. In the employment context, a full-time employee will use the employer’s biometric time clock at least four times a day, five days a week, arguably resulting in at least twenty violations per week, per employee — i.e., $20,000 per week per employee. BIPA also prohibits the unauthorized storage of biometric data after the “purpose” for the biometric data has been satisfied. 740 ILCS 14/15. Likewise, the law does not explain how to count violations for failure to delete biometric data; in other words, does storing data in violation of the law lead to a separate violation every day it is stored? The uncertainty in calculating the financial risk for BIPA violations contributes to the law’s in terrorem effect. Accordingly, companies would be wise to avoid a violation by establishing an appropriate policy and obtaining written consent.
BIPA’s Broad Reach
Although BIPA is an Illinois law, BIPA litigation has not been limited to Illinois. In April 2018, a California federal court certified a class of individuals for Facebook’s alleged BIPA violations. In re Facebook Biometric Information Privacy Litigation, 185 F.Supp.3d 1155 (N.D.Cal. 2016). Representative plaintiffs sued Facebook based on Facebook’s scanning uploaded photos and creating a digital template of each face in the photos, including the faces of non-Facebook users. Facebook uses these digital templates to allow users to “tag” people in uploaded photos. Facebook also uses the scanned biometric information to identify those individuals in other photos. Plaintiffs contend Facebook violated BIPA’s notice and consent requirements. The certified class includes all Facebook users located in Illinois whose facial template has been created and stored by Facebook. This class includes more than a million members and the recovery could exceed one billion dollars in statutory damages.
The Illinois Supreme Court Recently Determined No Actual Harm Is Required To Pursue a BIPA Claim
BIPA gives a private right of action to any person who is “aggrieved” by a violation of the Act, but it does not explain whether a person must articulate some sort of injury, even a minor one, to proceed with a claim. 740 ILCS 14/20. Illinois’ intermediate appellate courts reached conflicting holdings on this question. One of the appellate courts found that a person is “aggrieved” only if he or she alleges some actual injury resulting from the violation of BIPA. Rosenbach v. Six Flags Entertainment Corp., 2017 IL App (2d) 170317. Within the same year, another appellate court reached the opposite conclusion, that any technical BIPA violation is enough to satisfy the “aggrieved” requirement to have statutory standing to sue, regardless of actual harm. Sekura v. Kirshna Schaumburg Tan, Inc., 2018 IL App (1st) 180175, 115 N.E.3d 1080, 426 Ill.Dec. 158. The Illinois Supreme Court recently settled the issue in a landmark BIPA case by ruling that technical and procedural violations qualify a plaintiff as “aggrieved” under the Act. Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186. A technical violation, even a harmless one, allows a plaintiff to sue. This decision will result in hundreds of companies paying significant statutory damages for failing to properly notify and obtain consent from individuals before collecting their biometric data.
Split in Whether BIPA Violations Result in Sufficient Injury for Federal “Article III” Standing
Independent of whether BIPA requires a showing of actual harm to win a claim, any plaintiff must establish some injury to be permitted to sue in federal court (as opposed to state court) because of the U.S. Constitution’s “case or controversy” requirement. Illinois’ federal courts have heard several challenges to whether a technical violation of BIPA presents a “case or controversy” sufficient to invoke the federal courts’ jurisdiction, and they have reached confusing results. In Goings v. UGN, Inc., No. 17-cv-9340, 2018 WL 2966970 (N.D.Ill. June 13, 2018), when Judge Bucklo remanded a BIPA case, Chicago’s federal court held that it lacked jurisdiction because the plaintiff failed to identify any concrete harm from his employer’s requirement that employees use fingerprint and handprint scans to clock into work, noting that the plaintiff did not allege that his biometric data had been shared with any third-party. In contrast, in Dixon v. Washington & Jane Smith Community — Beverly, Case No. 17 C 8033, 2018 WL 2445292 (N.D.Ill. May 31, 2018), Judge Kennelly declined to dismiss claims against a senior living center and its time clock vendor relating to the scanning of employee fingerprints. Judge Kennelly held that the senior center had shared information with the time clock vendor without informing the employees. The court distinguished the case from the Second District’s decision in Rosenbach, supra, noting: “In this case, in addition to alleging what might accurately be characterized as ‘bare procedural violations’ of BIPA, Dixon also has alleged that Smith disclosed her fingerprint data to Kronos without her knowledge and that the defendants violated her right to privacy in her biometric information — the very right that the drafters of BIPA sought to protect.” 2018 WL 2445292 at *9 (Illinois Supreme Court had not yet issued its decision).
Generally, judges in the Northern District of Illinois found concrete injury for Article III standing when the complaint alleged either (1) the defendant disclosed the plaintiffs’ biometric data to third parties without the plaintiffs’ consent or (2) the defendant collected and stored plaintiffs’ biometric data without their knowledge. However, on December 29, 2018, Judge Chang cited a lack of “concrete injuries” and dismissed Rivera v. Google, Inc., No. 16 C 02714, 2018 WL 6830332, *3 (N.D.Ill. Dec. 29, 2018), for lack of Article III standing under Spokeo, Inc. v. Robins, ___ U.S. ___, 194 L.Ed.2d 635, 136 S.Ct. 1540 (2016), even though Google collected plaintiffs’ biometric data without their knowledge or consent. The court found that it lacked jurisdiction to hear a claim that Google’s face recognition technology violated BIPA because, unlike retina or fingerprint scans, “there is no evidence of a substantial risk that the face templates will result in identity theft.” 2018 WL 6830332 at *8. The court did not address the fact that BIPA specifically includes face geometry as protected biometric data.
Although the BIPA landscape is uncertain and can present great risk, businesses can take steps to protect themselves when using biometric data. First, prevention is the best antidote; complying with BIPA is usually fairly simple. A company must (1) have a publicly available written policy explaining the purpose for which biometric data will be collected and used, the retention schedule, and guidelines for destroying biometric data; (2) obtain written consent from all participants before collecting biometric data or disclosing it to a third party; and (3) protect the biometric data in the same manner in which the business would protect other confidential information.
Companies can further mitigate their risk with carefully crafted contracts. They should explore opportunities to assign risk to someone else, especially if the risk is better controlled elsewhere. For example, if a company contracts with a third-party vendor for biometric technology, like a time clock vendor, it can include contribution and indemnification provisions in the service agreement with the vendor. Contracts can also limit exposure to class action litigation. For example, when an opportunity exists to contract with the people who will have their biometric data collected — such as employees or customers — companies can include a prominent and conspicuous class action waiver in the employment or purchase contracts.
If a company does face a BIPA complaint, it should consider making an insurance claim. Among other things, a BIPA violation arguably constitutes an invasion of privacy, which is often covered in commercial general liability policies as “bodily injury.” And, of course, whether a company is just exploring opportunities to implement biometric technologies for the first time or is already using them, it should consult with counsel familiar with BIPA compliance to ensure that it understands its exposure and mitigates its risk.
The assistance of Jacquan Williams, a summer associate for Hahn Loeser & Parks LLP, in research for this article is gratefully acknowledged.