Grounds for lawsuits based on biometric data retention in Illinois clarified by Appeals Court
A ruling by the U.S. Seventh Circuit Court of Appeals has clarified the criteria for standing according to Article III of Illinois’ Biometric Information Privacy Act, and possibly also expanded it, according to an editorial in Law360. Article III is the clause that deals with the biometric data retention information that companies are obliged to provide to people they collect biometrics from.
In Fox v. Dakkota Integrated Systems LLC, as in what seems to be the majority of BIPA cases so far, the informed consent rules are alleged to have been broken by an employee time and attendance system.
The precedence for standing established in Bryant v. Compass was not based on an ‘injury in fact’ under Article III. Article III standing requires that an injury be particularized to the individual and concrete, though intangible injuries can be considered ‘concrete’ if the claimed harm is close enough to a traditional basis for a common law suit.
The court also referred to Miller v. Southwest Airlines Co. in reaching its decision.
The difference between the two cases is that between a private trespass action, as in Bryant, and a public nuisance one, as in Fox, Orrick Herrington & Sutcliffe LLP Partners Doug Meal and Michelle Visser and Managing Associate Nicole Gelsomini write. They suggest the precedence will make it easier for defendants to have BIPA claims heard in federal court.
The article goes on to review the extent of agreement among various courts on the matter of standing based on intangible injuries or mere statutory violations.
Customer suit filed against electronics recycling kiosk vendor
Electronics-recycling kiosk provider EcoATM, meanwhile, has been accused of violating BIPA’s consent rules with its face biometric scans, according to a separate Law360 article.
The self-service kiosks are found at retailers like Walmart and Kroger, and the potential class action alleges EcoATM did not meet the informed consent requirements of BIPA, despite requiring at least two scans of face biometrics to access its services. The kiosks also scan customer identity documents, and retain customer biometric data.
According to the suit, the company failed to inform the plaintiff of the “specific limited purpose” for the data collection, or share any information about its data retention and destruction policies.