Privacy Concerns Featuring: The Battle Over BIPA Claims

“Digital freedom stops where that of users begins…Nowadays, digital evolution must no longer be a customer trade-off between privacy and security. Privacy is not to sell, it’s a valuable asset to protect.” ― Stephane Nappo

Privacy-related litigation has found fame in the wake of Biometric Information Privacy Act claims. Ten years ago Illinois passed the Biometric Information Privacy Act, commonly known as “BIPA”. The statute provides a right of action against entities that violate provisions of the Act.[1] BIPA defines biometric information as “any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual.”[2] BIPA limits biometric identifiers to “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”[3] The statute protects individuals by requiring private entities to implement written policies with retention schedules and use a reasonable standard of care to protect, store, and transmit biometric data.[4] Private entities are also prohibited from collecting, storing, or profiting off of biometric information or identifiers without obtaining informed consent.[5]

In the late 1970’s biometric data was commonly used by the CIA and Department of Defense.[6] Today, more and more companies are collecting biometric data for authentication purposes because of its technological convenience and efficiency. For example, some companies are forgoing the use of employee IDs in exchange for retina or fingerprint scans. With the use of an individual’s unique biometrics, however, comes a price to pay from resulting privacy issues.

Over the last several years, there has been a wave of putative class actions alleging violations of the statute. Ten complaints were filed in the Illinois circuit court in 2017 alone.[7] Notably, BIPA has affected industries across the board—from hospitals to video game developers, hotels to airlines, and social media platforms to restaurant chains.

In April of this year, employees of Holiday Inn in downtown Chicago sued, alleging that the use of workers’ fingerprints to log employee hours violated BIPA by failing to obtain  employee consent to collect and store biometric information.[8] In March of this year, a putative class action was filed against Illinois’ Northshore University Health System for allegedly violating BIPA by requiring employees to scan their fingerprints or retinas to enter restricted hospital areas and access stored materials.[9] In September of last year, restaurant chain Wow Bao, Crunch Fitness, and Speedway, Inc. were also sued for alleged BIPA violations.[10]

In addition, video game developer Take-Two was sued last year over videogames NBA 2K15 and NBA 2K16, which allowed gamers to create customized basketball players by obtaining 3D facial scans.[11] XBOX and PS4 consoles required gamers to agree to terms and conditions before the console’s camera scanned gamers’ heads.[12] Take-Two’s motion to dismiss was ultimately granted after determining that plaintiffs’ claims lacked Article III standing.[13]

Facebook has also faced a series of BIPA suits. Class action plaintiffs have alleged that Facebook’s “tag suggestion” feature, which allows users to identify and tag friends in photos violates BIPA.[14] Facebook moved for summary judgment, but U.S. District Judge James Donato found too many factual disputes to let the social media giant off the hook, expressing that this would be a matter for a jury to decide.[15] The merits of the litigation will hinge on how Facebook’s software processes and stores scans of face geometries for its tag suggestions, and in turn, whether its facial recognition technology runs afoul of BIPA’s protections.[16] The court significantly reminded Facebook, and other companies wishing to use biometric data, that BIPA protects information derived from photographs.[17] Facebook’s trial date is set for July 9, 2018 and with 200 million plus Facebook users in the United States, this could be a multi-billion-dollar privacy invasion if plaintiffs prevail.[18]

Lesson learned? The battle over BIPA claims is sure to continue. An overarching concern of plaintiffs is a fear over what might happen to their personal data if compromised. “Unlike ID badges or access cards – which can be changed or replaced if stolen or compromised – retinas and fingerprints are unique, permanent biometric identifiers . . .”[19] Considering how broadly BIPA’s protections reach, businesses that operate within, market, and/or sell to individuals in Illinois should assess their use of biometric data. In other words, companies must remain compliant with the statute’s notice, consent, and retention provisions, or get ready to face a potentially costly battle against BIPA.

[1] See 740 Ill. Comp. Stat. Ann. 14/20 (West 2016) (granting prevailing parties liquidated damages of $1,000 for negligent violations of the Act or liquidated damages of $5,000 for intentional/reckless violations of the Act, or actual damages, whichever is greater).

[2] 740 Ill. Comp. Stat. Ann. 14/10 (West 2016).

[3] Id.

[4] Sharon Roberg-Perez, The Future Is Now: Biometric Information and Data Privacy, 31 Antitrust 60, 62 (2017).

[5] Id.

[6] George Lawton, Biometrics: A New Era in Security, 31 IEEE Computer Society 16 (1998).

[7] Alexis Kramer, Restaurant Chain Sued Over Alleged Use of Facial Recognition Data, BNA News (Sept. 5, 2017), https://www.bna.com/restaurant-chain-sued-n57982087963/.

[8] Diana Novak Jones, Holiday Inn Workers Hit Co. With Biometrics Suit, Law 360 (Apr. 23, 2018, 8:15 PM), https://www.law360.com/articles/1036430/holiday-inn-workers-hit-co-with-biometrics-suit.

[9] Hannah Meisel, Biometric Scans Violate Privacy Law, Hospital Workers Say, Law 360 (March 21, 2018, 9:06 PM), https://www.law360.com/articles/1024396/biometric-scans-violate-privacy-law-hospital-workers-say.

[10] See Morris v. Wow Bao LLC, No. 2017-CH-12029 (Ill. Cir. Ct. filed Sept. 5, 2017) (alleging Wow Bao’s self-check-out service that collected and stored face prints of customers to authenticate future orders violated BIPA); Knobloch v. Chicago Fit Ventures LLC, No. 2017-CH-12266 (Ill. Cir. Ct. filed Sept. 8, 2017) (alleging Crunch Fitness failed to give notice and obtain permission before obtaining plaintiffs’ fingerprints); Howe v. Speedway LLC, No. 2017-CH-11992 (Ill. Cir. Ct. filed Sept. 1, 2017) (alleging Speedway failed to notify and obtain plaintiffs’ consent before providing their biometric data to an out-of-state vendor).

[11] Gretchen Ramos and Zerina Curevac, Biometrics, Gaming & Privacy Laws, Squire Patton Boggs Global IP & Technology Law Blog (Feb. 3, 2017), https://www.iptechblog.com/2017/02/biometrics-gaming-privacy-laws/; see also Vigil v. Take-Two Interactive Software, Inc., 2017 BL 25907 (S.D.N.Y., No. 15-CV-8211, 1/30/17).

[12] Id.

[13] Id.

[14] See e.g., In re Facebook Biometric Info. Privacy Litig., 185 F. Supp. 3d 1155 (N.D. Cal. 2016); Patel v. Facebook Inc., 290 F. Supp. 3d 948 (N.D. Cal. 2018); In re Facebook Biometric Info. Privacy Litig., No. 3:15-CV-03747-JD, 2018 WL 1794295 (N.D. Cal. Apr. 16, 2018) (certifying Illinois Facebook user class).

[15] In re Facebook Biometric Info. Privacy Litig., No. 15-03747, 2018 WL 2197546, at *8 (N.D. Cal. May 14, 2018).

[16] Id. at *8-12.

[17] Id. at *15.

[18] Brittany Levine, Privacy Settings May Not Protect Your Privacy from Facebook, ABA Section of Litigation (May 30, 2018), https://www.americanbar.org/groups/litigation/committees/trial-practice/practice/2018/in-re-facebook-biometric-information-privacy-litigation.html.

[19] Meisel, supra note 9, at ¶10.