Biometric Data Security

On September 5, 2019, the federal district court for the Northern District of Illinois issued an order that denied a motion to dismiss a class action brought under the Illinois Biometric Information Privacy Act (“BIPA”). Although the claims in Rogers v. CSX Intermodal Terminals, No. 19-2937, 2019 U.S. Dist. LEXIS 151135 (N.D. Ill. Sept. 5, 2019) largely survived a motion to dismiss, the district court did hand the defense bar a small—but potentially significant—victory.

The plaintiff in Rogers is a former truck driver.  His duties included visiting CSX facilities to pick up and deliver freight. The plaintiff was required to scan his fingerprints to gain entrance to the facility. The plaintiff filed a BIPA class action based on CSX’s failure to provide the required disclosures before collecting his fingerprints and to maintain a publicly available policy on CSX’s retention of biometric data. The complaint also alleged that CSX’s violations were intentional and reckless, an allegation which if proven would result in a $5,000 per violation penalty. 
Continue Reading A BIPA Defense Victory—If You Squint

After the Illinois Supreme Court’s decision in January holding that a plaintiff need not show actual harm to be an “aggrieved person” under the Illinois Biometric Information Privacy Act (“BIPA”), parties litigating under BIPA have been testing other defenses. One of those defenses is whether BIPA matters can be compelled to arbitration pursuant to an arbitration provision set forth in the parties’ agreement.

On Tuesday, April 9, the First District Appellate Court of Illinois issued its decision in Liu v. Four Seasons Hotel, Ltd., 2019 IL App (1st) 182645, holding that a BIPA claim could not be compelled to arbitration based on the language of the employment agreement at issue. Specifically, the employment agreement provided that a dispute was subject to mandatory, binding arbitration if it “is based on one of the following types of claims as defined by law:  (a) employment discrimination; (b) harassment as it relates to my employment; (c) a wage or hour violation; (d) or termination of my employment from the Hotel.” Defendant argued that plaintiffs’ BIPA claim was a “wage or hour” dispute because the scans of plaintiffs’ fingerprints were used to track the hours the plaintiffs worked and therefore, it was an “hour” violation claim. The appellate court disagreed. 
Continue Reading Arbitration Clauses & BIPA: The Broader the Better

Data privacy litigation is not a new frontier. The Illinois Biometric Information Privacy Act (“BIPA”) has provided a private right of action for the improper collection of biometric information from Illinois citizens without consent since 2008. Even so, employers and businesses alike were caught off-guard when plaintiffs began filing class actions complaints alleging BIPA violations in 2015. Defendants scored early victories in these cases, as evidenced in the Second District Appellate Court opinion finding that actual harm, and not merely a procedural violation, must be alleged to state a claim under the Act. That ruling placed the viability of private suits under BIPA in serious doubt—because actual harm from an improper collection of biometric information is not easily pled. But then in January 2019, the Illinois Supreme Court reversed the defendant-friendly intermediate appellate ruling and held that mere procedural violations of BIPA standing alone were sufficient to withstand a motion to dismiss. That ruling breathed new life into this pattern litigation, as recent docket filings show. 
Continue Reading Is the Illinois Legislature Rethinking BIPA?

The fallout from the Illinois Supreme Court’s January 25, 2019, opinion in Rosenbach v. Six Flags Entertainment Corp., 19 IL 12316, continues. Rosenbach settled the dispute of who qualifies as an “aggrieved person” under the Illinois Biometric Information Privacy Act (“BIPA”), and in doing so opened the floodgates for this litigation to proliferate. The immediate result was a sharp increase in the filing of BIPA class actions as well as the lifting of stays of the numerous cases pending that were awaiting the Rosenbach ruling. 
Continue Reading All Stop: Ruling on the Applicability of Exclusion to BIPA Claims Delayed

On January 19, 2019, federal Magistrate Judge Kandis Westmore of the Northern District of California denied the Government’s application for a search warrant that sought:

  1. “all digital devices” present at a California residence; (Order at 3), and
  2. “any individual present at the time of the search to press a finger (including thumb) or utilize other biometric features…for the purposes of unlocking the digital devices found in order to permit a search of the contents,” (Order at 1).

The request for the “use of biometrics” was stunning. Magistrate Judge Westmore denied the Government’s initial request, but invited the Government to submit a new search warrant. A day later when the Government submitted an amended application, it omitted the request to use biometrics. The court granted that amended application. Since the Government’s application named only two suspects in its affidavit, the Government’s request to compel any other individual present at the time of the execution of the search warrant to unlock their digital device(s) was too expansive.

Continue Reading Biometrics and Search Warrants: The Intersection of Your iPhone and the Fourth and Fifth Amendments

Last Friday, the Illinois Supreme Court delivered the highly anticipated Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186, opinion. Businesses and consumers alike watched for the Court’s opinion regarding whether mere technical violations of the Illinois Biometric Information Privacy Act (“BIPA”) gave plaintiffs the requisite standing to seek damages under the statute. The Court heard the case after the Second District Appellate Court of Illinois ruled that an individual was not a “person aggrieved” by a technical violation and several other courts, both state and federal were split over the issue.  Rosenbach v. Six Flags Entertainment, 2017 IL App (2d) 170317.  In a fairly short opinion, focusing on statutory construction and the common meaning of the word “aggrieved,” the Illinois Supreme Court reversed the Appellate Court.  2019 IL 123186, ¶ 1. The Illinois Supreme Court held that an individual was in fact an “aggrieved person” under the statute where they are unable to show actual damage, but there has been a violation of the statute. The Court held, where there is no actual harm, the individual is entitled to statutory relief for each violation. In short, a technical violation is a violation.  The Illinois Supreme Court took a strong stance in that individuals should not have to wait for actual harm with respect to their biometric information and that businesses would lack the requisite motivation to comply with statutes like BIPA without such an interpretation. 
Continue Reading Illinois Supreme Court’s Rosenbach Ruling Likely to Expand BIPA Litigation

Over the last several years, the emphasis on privacy and data protection has grown significantly. With the amount of data collected by companies and technology skyrocketing, the need to protect personal information has been at the forefront of states’ legislative agendas. While all 50 states now have breach notification statutes, states are now taking a closer look at issues such as tracking online behavior and the use of biometric data. What used to be futuristic props in sci-fi media, face and fingerprint scanners, are now part of everyday life and consumer transactions. Despite the increase in the use of biometric data, only three states, Washington, Texas and Illinois have passed legislation addressing biometric data.
Continue Reading Illinois’ BIPA’s Rollercoaster Ride to the Illinois Supreme Court