Kronos wins reduction of biometric data privacy suit scope amid shifting legal landscape

Biometrics vendors have notched another victory in the tsunami of lawsuits filed under Illinois’ Biometric Information Privacy Act (BIPA), as Bloomberg Law reports Kronos has had its inclusion in a suit by employees of a senior living facility partially dismissed in a ruling by the court for the Northern District of Illinois.

The District Court ruled that the plaintiff had failed to provide viable claims that Kronos violated BIPA’s disclosure and collection rules, though claims that it violated the data retention requirements of the Act can still be pursued.

“Plaintiffs will have a tougher time going after time management companies because compliance by those companies is relatively straight forward,” Holland & Knight LLP Labor and Privacy Partner Phillip Schreiber explained to Bloomberg Law, because a third party in possession of biometric data it has not collected “will comply with BIPA merely by having the required policy.”

Plaintiff Aisha Namuwonge alleges that Kronos did not disclose that it shares fingerprints with other third parties and failed to provide a written data retention and deletion policy. The judge ruled that Kronos’ possession of the data and failure to develop a retention schedule in compliance with BIPA were viably claimed, but not the claim that the company had shared data.

The judge also sided with Kronos in dismissing claims that any violations were reckless or intentional, citing a lack of “substantive details” in the allegation. That ruling limits damages to $1,000 per violation, rather than $5,000.

Edelson PC Founder Jay Edelson told Bloomberg Law that he expects major court battles in the coming months over the criteria for “reckless or willful” violations.

Court records show Brookdale was voluntarily dismissed from the suit this past May.

Legal landscape surveyed

Companies must heighten their awareness of current and anticipated laws protecting biometric data privacy to minimize their risk, according to an editorial by Natalie A. Prescott of Mintz Levin for Law.com.

Over 200 lawsuits have been filed under BIPA in 2018 and 2019, and while the five other states (Texas, Washington, California, New York, and Arkansas) that have passed biometrics laws or amended existing laws to include them, they do not grant a private right of action. State attorneys general have right of action instead, and seem rather less inclined to exercise it than private Illinois residents.

New Illinois law

The legal landscape in Illinois is also evolving, as the National Law Review reports that the Artificial Intelligence Video Interview Act, which is set to take effect on January 1, 2020, applies similar informed consent rules to the use of AI in video interviews as currently apply to biometrics use.

Employers will be required to inform applicants that AI may be used to evaluate their interviews, provide an explanation in writing for how the system works, what traits will be reviewed and analyzed, and what characteristics the AI uses for evaluation, and finally to obtain applicants’ consent to the assessment. Videos must not be shared, except with experts for evaluation purposes, and employers must destroy the videos within 30 days if requested to by the applicant.

The article recommends businesses test their security systems to ensure they can comply with the above requirements before implementing AI technology for interviews.

New suit looks like old suits

PersonalizationMall.com, a subsidiary of Bed Bath & Beyond, is being taken to court for alleged BIPA violations of the usual fingerprint time-and-attendance tracking without the proper written notice and consent variety, according to a separate report from Bloomberg Law.

The suit is filed in Cook County Circuit Court, alleging the company has no biometric data policy.

Article Topics

biometrics  |  BIPA  |  data collection  |  Kronos  |  lawsuit  |  legislation  |  privacy  |  time and attendance