More suits allege illegal biometrics collection under BIPA as states consider action
A series of new lawsuits have been filed under Illinois’ Biometric Information Privacy Act (BIPA), and the clarification of the criteria for legal standing under the statute provided by a recent ruling against Facebook likely blocks a line of defense previously thought available. Legislatures in dozens of other states have made efforts meanwhile to advance new biometric laws. LexisNexis reports that at least 26 states have considered bills relating to the collection, retention, and use of biometric data this year.
New BIPA suits have been filed against hotel, restaurant, and gas station owner Lakhani Hospitality Inc., metalwork company Metal Impact and its corporate parent Thunderbird, Whole Foods, car brake maker Power Stop, and office furniture vendor Office Furniture, all for implementing biometric time and attendance control systems without obtaining informed consent from employees. This particular complaint makes up many, if not most BIPA lawsuits. The Whole Foods suit is reported by Law360, and the rest by the Cooke County Record, and in each case indicate that the suit is a potential class action. Driver’s education company eDriving has been hit with a similar suit, the Cook County Record reports, but for collecting voice biometrics from people registering for its services without following the required procedure. The eDriving suit also stands out for taking the unusual step of naming not only the employer who used the system and the biometrics provider, Vocalect Biometric Solutions, but also web host Liquid Web and call center technology provider Aspect Software.
An article in Young Lawyers Journal points out that for time and attendance suits, each collection without informed consent can be considered a violation, meaning two new violations per workday. This would set the minimum damages at $2,000 per day per employee, and along with legal fees could bankrupt many companies.
In each case, the standing of the plaintiff would potentially be open to a challenge, but the recent ruling against Facebook in its class-action BIPA suit by an appeals court settles that argument, unless it is quashed on appeal. A panel of three judges from the U.S. Court of Appeals for the Ninth Circuit ruled that violations of procedures required by BIPA create legal standing.
Facebook is reported to be preparing to appeal the ruling to the full appellate court.
The criteria for legal standing are not applied the same way in federal court as in state court, but as Young Lawyers Journal explains, issues such as whether biometric data has been transferred to a third party have been ruled grounds for standing. Further, federal courts can simply dismiss claims without prejudice, enabling plaintiffs to refile the suit at the state level.
While LexisNexis acknowledges that new data privacy laws have not been passed in numerous states, as was anticipated following the passage of California’s new statute, data privacy and biometrics concerns may be converging at the legislative level. New laws or amendments to data breach protections have been introduced in at least 24 states, plus federal Congress.
Prior to 2019, only Texas, Washington, and Illinois had comprehensive biometrics laws, according to LexisNexis, but Arkansas, New York, and Washington have passed legislation already this year, and bills are pending in California, Minnesota, New Hampshire, Massachusetts, New York, New Jersey, Washington and Rhode Island.
The Electronic Frontier Foundation (EFF) points out in a blog post the importance of the Facebook ruling to the application of the U.S. Supreme Court’s ruling in Spokeo, Inc. v. Robins (2016), in which the high court ruled that a person whose procedural rights under a legal statute are violated by a company does not automatically have legal standing to sue the company. The standing depends on either the establishment of a real injury, and the specifics of the statutory interest violated, and this was the question decided at the state level by the Illinois Supreme Court in Rosenbach v. Six Flags earlier this year.
The threat of state legislation that includes the right of private action or stringent rules are also motivating tech companies to urge federal legislation, the EFF says, that would supersede state laws with weaker requirements.
Meanwhile, as Young Lawyers Journal points out, “(w)ith the collection of biometric data, employers should ask for permission first, not forgiveness, because BIPA forgiveness comes with a hefty price tag.”