Biometric Information Protection: The Stage is Set for Expansion of Claims

By: Torsten M. Kracht, Michael J. Mueller, Lisa J. Sotto, and Daniella Sterns Hunton & Williams LLP

Litigation alleging the improper collection and storage of biometric data is being driven by the Illinois Biometric Information Protection Act (BIPA). The authors of this article discuss two headline-grabbing cases and which technologies and jurisdictions are next.

ALTHOUGH SEVERAL STATES HAVE ENACTED OR PROPOSED laws protecting individuals’ biometric data, Illinois is the only state with an act on the books that currently permits a private cause of action for the unlawful capture and storage of biometric data. Thus, BIPA¹ is the national engine driving litigation alleging the improper collection and storage of biometric data. Dozens of new putative class actions have been filed under the law in the last six months alone, both inside and outside Illinois, with class lawyers lured by visions of penalties ranging up to $5,000 for each willful violation and $1,000 for each negligent violation.²

Headline-Grabbing BIPA Cases

The most headline-grabbing cases under BIPA were waged early on against tech giants Shutterfly, SnapChat, Google, and Facebook for their purportedly unauthorized application of facial-recognition technologies to static photos, but the majority of cases have been filed against companies that use ubiquitous fingerprint-capture technology in connection with access control and employee timekeeping systems. For example, grocery retailer Marianos, health club operator Life Time Fitness, Four Seasons Hotels, and United Airlines have all been sued for collecting employee fingerprints to track work hours. Restaurant operator Superossa Restaurant Group has been sued for using fingerprint scans to track cash register use, and tanning salon operator LA Tan and daycare provider Crème de la Crème have been sued for using fingerprint capture for customer access control.

Although one case reportedly settled for $1.5 million in late 2016 and others³ have been dismissed for lack of standing, most private claims under the law are relatively new, and there is not yet a good track record of success or failure on which to accurately assess risk. But, if activity earlier this year in the headline-grabbing cases is any indicator, no silver bullet for eliminating the cases has appeared yet.

Shutterfly

In September, an Illinois federal judge denied a motion to dismiss the putative class action accusing Shutterfly of violating BIPA by collecting and storing without the plaintiff's consent facial recognition data from pictures uploaded to the Shutterfly website.⁴ Shutterfly’s motion to dismiss argued that (1) BIPA does not apply to scans of biometric data derived from photographs, (2) application of BIPA to the complaint would give it extraterritorial effect in violation of the Dormant Commerce Clause, and (3) the plaintiff failed to allege actual damages resulting from Shutterfly’s conduct. The court rejected all three arguments.

First, while recognizing that the statute expressly excludes photographs from the definition of biometric identifier, the court determined that data obtained from a photograph may nevertheless constitute a biometric identifier. Second, the court found that although the plaintiff is a resident of Florida, it would be inappropriate to conclude that the lawsuit requires extraterritorial application of BIPA or violates the Dormant Commerce Clause at the dismissal motion stage, given that the complaint alleges that the photo was uploaded to Shutterfly’s website from a device located in Illinois by a citizen of Illinois and the circumstances surrounding the claim are not fully known. Lastly, the court held that a showing of actual damages was not necessary to state a claim under BIPA, analogizing to other consumer protection statutes with statutory damages provisions such as the Fair Credit Reporting Act, the Fair Debt Collection Practices Act, and the Truth in Lending Act. In a footnote, the court also found that the plaintiff sufficiently alleged an injury-in-fact for Article III and Spokeo, Inc. v. Robins⁵ purposes by alleging a violation of his right to privacy.

Google, Inc.

In February 2017, another Illinois federal judge denied a motion to dismiss two complaints brought by individuals who alleged Google captured biometric data from facial scans of images taken with Google Droid devices in Illinois without the plaintiffs’ consent in violation of BIPA.⁶ And in May 2016, a California federal judge denied a motion to dismiss a putative class action of Illinois residents who alleged Facebook scanned and captured their biometric data from images uploaded to Facebook without their consent in violation of BIPA.⁷ Like Shutterfly, both Google and Facebook argued that BIPA does not apply to scans of photographs, and Google also argued that the application of BIPA to the plaintiff’s claims would give the statute extraterritorial effect and violate the Dormant Commerce Clause. The courts in both cases rejected these arguments and permitted the cases to move forward.

Which Technologies are Next?

While we will almost certainly see a large number of suits continue along the technology lines of the existing litigation (in particular for fingerprint scans used to control access or monitor timekeepers and cashiers), we are also likely to see class cases being filed against companies using more sophisticated methods of biometric capture for other marketing and security purposes. For example:

• Brick-and-mortar operators that use facial recognition to identify and track the movement of shoppers in their stores
• Retailers that use facial recognition to identify returning shoplifters
• App providers that use fingerprint or facial recognition for secured or streamlined access to their app

Which Jurisdictions are Next?

Although Illinois is the only state that currently permits a private right of action for violations of its biometric data privacy laws, other states have similar laws pending, including:

• Michigan, 2017 Bill Text MI H.B. 5019. This bill provides a private cause of action with statutory damages of $1,000 for negligent violations and $5,000 for intentional or reckless violations
• New Hampshire, 2017 Bill Text NH H.B. 523. This bill provides a private cause of action with statutory damages of $1,000 for negligent violations and $5,000 for reckless or intentional violations.
• Alaska, 2017 Bill Text AK H.B. 72. This bill provides a private cause of action only for intentional violations of the statute. The statutory damages are $1,000 for intentional violations and $5,000 for intentional violations that result in profit or monetary gain.
• Montana, 2017 Bill Text MT H.B. 518. This bill provides a private cause of action with statutory damages of $1,000 for purposeful or knowing violations and $5,000 for violations that result in profit or monetary gain. (Note, however, that no action has been taken on the bill since April 28, 2017, and it may have died in Standing Committee.)

Although the Texas and Washington laws mentioned above do not provide private causes of action, they also need to be considered when establishing policies and procedures for complying with biometric data privacy laws. If, for example, a private Illinois action was to succeed at trial or result in a large settlement, the defendant might be a soft target for a follow-on action pursued by a state attorney general.

Conclusion

It is crucial that retailers ensure that their policies and procedures regarding the capture, retention, and disposal of biometric data comply with the various notice and consent requirements outlined in BIPA as well as the Texas and Washington laws. Retailers should also track the development of similar proposed legislation in other states to ensure the continued lawfulness of such policies and procedures.

Torsten M. Kracht (tkracht@hunton.com) is a partner at Hunton & Williams LLP representing clients from the United States and abroad in complex commercial litigation and arbitration. Michael J. Mueller (mmueller@hunton.com) is a partner at the firm handling class actions and other complex cases. Lisa J. Sotto (lsotto@hunton.com) is the managing partner of the firm’s New York office and chair of its global privacy and cybersecurity practice. Daniella Sterns (dsterns@ hunton.com) is a litigation associate at the firm.

To find this article in Lexis Practice Advisor, follow this research path:

RESEARCH PATH: Intellectual Property & Technology > Privacy & Data Security > Privacy & Data Security Compliance > Articles

Related Content

1. 740 Ill. Comp. Stat. 14/1-14/99. 2. Texas (the Texas Statute on the Capture or Use of Biometric Identifier, Tex. Bus. & Com. Code Ann. § 503.001) and Washington (2017 Bill Text WA H.B. 1493) are the only other states that have statutes addressing the collection of biometric information by private businesses. 3. See McCollough v. Smarte Carte, Inc., 2016 U.S. Dist. LEXIS 100404 (N.D. Ill. Aug. 1, 2016); Vigil v. Take-Two Interactive Software, Inc., 235 F. Supp. 3d 499 (S.D.N.Y. 2017). 4. Monroy v. Shutterfly, Inc., 2017 U.S. Dist. LEXIS 149604 (N.D. Ill. Sept. 15, 2017). 5. 136 S. Ct. 1540 (2016). 6. Rivera v. Google, Inc., 238 F. Supp. 3d 1088 (N.D. Ill. 2017). 7. In re Facebook Biometric Info. Privacy Litig., 185 F. Supp. 3d 1155 (N.D. Cal. 2016).