One of four US biometric privacy cases clearly protects a defendant
Court action in the U.S. state of Illinois continues to chip away at the definition of what constitutes a viable biometric information privacy lawsuit.
Unfortunately, that work overall is not exactly giving businesses shelter from suits. Four cases make that case.
There was a time when it was not clear if the maker of biometric scanners could be sued under the state’s Biometric Information Privacy Act along with, say, an employer who required workers to use the vendor’s hardware and software.
This month, a Cook County, Illinois, court gave final approval to a $3.5 million class-action settlement against Ceridian, maker of automated human resource products including fingerprint-scanning timeclocks.
An employee of Standard Market, a suburban Chicago grocery store, brought the case in 2019.
The legal publication Cook County Record says Ceridian is now in the company of other, similar firms, including ADP and Kronos, that have been successfully sued when their clients were taken to court for not adhering to BIPA rules.
Ceridian has promised the court that it will get written consent from employees of clients before collecting prints and create and make public biometric information management practices.
In a second case, an Illinois state appeals court has decided that businesses cannot wait to make public their rules for collecting and storing biometric data. The policies must be in place before data is collected, according to reporting by trade publication Law 360.
A former employee of J&M Plating, a metal finisher, filed a putative class action against the company in February 2021 claiming that the firm did not comply with BIPA strictures requiring data management practices.
J&M had initially convinced a judge that the plaintiff’s data was destroyed two weeks after he left the company without harm under BIPA. The Second District court disagreed.
BIPA is diminished as a tool to prevent some data misuse if businesses can delete data after the fact. If nothing else, stolen data is still stolen even if it is not used to harm a person, and it can be used illegally at any point after a theft.
The third case is less of a clear-cut defining decision for BIPA.
In this one, a U.S. circuit court of appeals seems unconvinced that a third-party ID verifier should be governed by the arbitration provision of a car intermediary service. No decision has been made. The judges’ comments came during oral arguments, according to Law 360.
The defendant is facial recognition software maker Mitek Systems. Its attorneys are arguing it should be allowed to arbitrate the proposed class actions brought against it under BIPA.
The plaintiff’s face was scanned to verify his identity and age prior to providing access to Hyrecar, a car-sharing company that enables people to rent vehicles from individual owners so that the customers can then drive the cars for ride-sharing services like Lyft.
Hyrecar is not being sued.
Part of Hyrecar customers’ contracts requires them to arbitrate disagreements, including those with third-party “beneficiaries” like Mitek.
Pharmacy chain CVS, on the other hand, won a dismissal before a U.S. district judge.
The judge found that “the most foundational aspect of a BIPA claim” is absent in the case, according to Law 360. It did not prove that CVS used the plaintiffs’ passport photo scans (a CVS service) to ID them or that they gave the company information that could link them to the biometric data.
According to Law 360 reporting, the judge said that “their complaint contains no specific factual allegations” to make their case. “BIPA does not apply to defendant’s conduct here.”