Biometric data privacy battles continue with Shutterfly settlement, university sued
Shutterfly has reached a preliminary agreement to settle a biometric privacy lawsuit filed against it under Illinois’ Biometric Information Privacy Act (BIPA), Law360 reports.
One of two named plaintiffs had been ordered to address the complaint in arbitration in a ruling last May, as her continued use of the service constituted consent to revised terms of service. The other named plaintiff did not have a Shutterfly account, and therefore never consented to the terms. The settlement agreement applies to both plaintiffs.
The parties reached the agreement over damages for alleged biometric data collection, storage and processing without the required consent of the data subjects after private mediation, but the terms of the settlement were not disclosed.
Northwestern sued by student over online proctoring
Illinois’ Northwestern University has been sued by a student, who alleges the school violated BIPA by using biometric technology for online proctoring, according to The Daily Northwestern.
The student claims Northwestern did not provide the necessary information to collect or use biometric data, and also failed to provide “meaningful choice” be requiring online test-takers to use the online proctoring systems.
Suit documents review the backlash that online proctoring systems have caused around the U.S.
New data regulations coming
BIPA-style regulation may be coming to more states, with Virginia, Maryland, and Washington State again considering legislation. The Wall Street Journal suggests the various state actions are creating a patchwork of rules, in the absence of a federal statute.
Virginia’s House and Senate have passed a proposed Consumer Data Protection Act (CDPA), which GovTech suggests is similar to Washington State’s latest attempt to enshrine online privacy, with near-unanimous support.
The CDPA would apply to business collecting or processing personal data from 100,000 or more consumers in a year, with a broad definition of personal data, though de-identified data is excluded. A private right of action is not included. If signed into law by the governor, it will go into effect on January 1, 2023.
A proposed update of Washington State’s Privacy Act would limit biometric data collection and the use of facial recognition in public spaces. A competing bill with a private right of action has also been introduced, the Journal reports.
Washington State partially enacted a law setting limitations to and guidelines for facial recognition use by law enforcement and private entities in 2020.
A Maryland House Delegate tabled the ‘Biometric Identifiers and Biometric Information Privacy Act,’ which The National Law Review writes draws substantially on BIPA, including a private right of action.
Minor differences from BIPA include no requirement that information on a biometric system that only applies to employees be publicly available.
The Review points out that it is not known how similarly Maryland courts will interpret its law to the way Illinois courts treat BIPA, even if the law is enacted. If passed, the Act would go into force on January 1, 2022.