Biometrics vendors increasingly targeted by data privacy act plaintiffs, and other defendants too

A proposed class action lawsuit has been filed against fingerprint and background check service provider Biometric Impressions for allegedly failing to meet the informed consent requirements of Illinois’ Biometric Information Privacy Act (BIPA), Top Class Actions reports.

The plaintiff, Paul Sayas, alleges he was directed to have a background check conducted by Biometric Impressions, for which the company was paid $35. Sayas claims he was not informed that his biometric data would be stored, let alone how long it would be stored for, and no written notification was provided. Both the notification and consent requirements were therefore not met, according to the plaintiff.

“Biometric Impressions knew or should have known the requirements of BIPA. Biometric Impressions’ violations of BIPA were reckless or in the alternative, negligent,” the suit, which was filed with Cook County Circuit Court, claims.

Hyatt Hotels Corporation, meanwhile, is attempting to bring biometric time and attendance system vendor Kronos into its potential class action suit, countersuing Kronos as the actual defendant and party which violated BIPA, according to Loop North News.

The hotel chain claims that under the terms of its contract with Kronos, the biometrics vendor is the one performing all the actions that BIPA applies to, like collecting, storing, and transmitting fingerprint data. It’s suit says that Kronos declined to assist it in the defence against its former employee’s lawsuit, and accuses Kronos of breaching its contract. Hyatt seeks a court declaration that Kronos “did not perform its obligations in compliance with applicable laws, including BIPA,” and bears a responsibility to assist Hyatt in the class action case.

Kronos has until January 24 to respond to the counterclaim.

Dylan’s Candybar has also been sued for improper collection under BIPA of fingerprint data for time and attendance tracking.

Target is the latest major retailer to be sued under BIPA, following cases recently filed against The Home Depot and Lowes. Greensfelder, Hemker & Gale Attorney Dawn Johnson tells Franchise Times that each of multiple scans by facial recognition cameras will be considered a separate violation under the data protection law, meaning a single visit to the store could create liability of $5,000 times the number of scans.

“With statutory damages up to $5,000 per violation, you can see how this can get very expensive and probably bankrupt some companies (similar to what the TCPA has done),” writes Johnson in reference to the Telephone Consumer Protection Act.

“Target is only the latest big-box retailer to be sued. This reinforces the importance of making sure you comply with laws before installing these types of systems for whatever purpose you are using them.”

Johnson says the increase in BIPA cases has been huge, to the point of roughly one new one each day.

Franchise attorneys likewise see a similar increase as likely to be caused by the new California Consumer Privacy Act.

In a review of the year in biometric privacy for Mondaq, Kimberley J. Gold and other attorneys from the firm Reed Smith concurs with that forecast for the CCPA, which took effect on January 1.

More than 200 class actions were filed under BIPA in 2018 and 2019 alone, according to the article, and with the Rosenbach decision early in the year that standing is created by statutory violations of BIPA is noted as a major event.

New York’s SHIELD Act is also pointed out, as it expands the state’s data breach notification law to specifically include biometric data among “private information” that triggers notification and disclosure obligations. Alaska is also working on similar legislation to that of Illinois’, according to the report, while Massachusetts like CCPA includes biometric data in a broader definition of personal data, but also includes a private right of action for statutory failures without the need to establish standing by proving harm.

Other states, such as Arkansas, adopted or changed data breach laws to specifically address biometrics. The number of states extending biometric privacy rights to consumers and employees is also expected to increase in 2020, making it ever more important for organizations to be aware of their obligations in terms of proactive measures, such as obtaining consent, and reactive measures, such as breach notification requirements. Policies should be drawn up or updated to avoid costly litigation or regulatory action.

Article Topics

biometric data  |  biometrics  |  data protection  |  fingerprint identification  |  legislation  |  privacy  |  time and attendance