There have been approximately 50 class action lawsuits filed in the last year seeking redress for alleged violations of the Illinois Biometric Information Privacy Act (BIPA), one of several state laws regulating the commercial use of biometric data. It will likely take years for these suits to wind their way through the legal system and only then will it be possible to understand the full ramifications of BIPA.
One Prominent Legal Issue in BIPA Suits is “Standing”
There are many open legal questions about the meaning and interpretation of this law, now almost 10 years old. One question undergoing review is how a legal term, known as “standing”, applies to these cases. Article III of the Constitution limits the authority of the federal courts in cases where a plaintiff is unable to show material harm. If a party is unable to demonstrate sufficient evidence of harm to the court, it will rule that the plaintiff “lacks standing” to bring the suit and will dismiss it.
Adding to the complexity of this issue is that Illinois state courts have different principles for establishing standing from federal courts. Many defendants have successfully moved their cases to federal courts because of these differences, hoping for a more favorable decision. However, where the federal courts have dismissed cases for lack of standing, these cases have been, and will likely continue to be, shifted back to the Illinois state courts for further review and litigation. But even among state courts, there could be different decisions with regard to standing.
Here are some of the ways this is being played out in the courts.
Are You Aggrieved?
BIPA permits a person who is “aggrieved” by a violation of the statute to file a lawsuit. The term “aggrieved” has not been specifically defined in the statute. Recently, an Illinois Appellate Court (Second District, Rosenbach v. Six Flags, Dec. 21, 2017) noted that an aggrieved person is one who has suffered an actual injury, adverse action, or harm. Vague allegations of harm to privacy are insufficient. However, there is disagreement in the courts regarding what this harm looks like. Some courts have ruled that a plaintiff is required only to show that the defendant violated the statute by failing to obtain consent before collecting the data. In other cases, the courts have determined that to establish standing, a plaintiff must show “concrete harm,” not just claim that the defendant committed a procedural violation.
What constitutes “concrete harm” will likely be what court decisions turn on. The harm done could be relatively minor or might need to be deemed egregious. A low bar of “mental anguish” suffered by an individual might prove to be sufficient. However, several recent court decisions indicate that the bar might be set higher. In two notable cases tried in federal courts, Spokeo, Inc. v. Robins and McCollough v. Smarte Carte, Inc., the court held that because the plaintiff was unable to articulate “concrete harm” but only alleged a statutory violation, the BIPA class actions lacked standing and were dismissed. These cases were dismissed without prejudice, though, meaning that they could be refiled in state court for a ruling.
Was Submission Voluntary?
Although BIPA mandates that subjects be informed in writing that a biometric identifier is being collected, defendants argue that class action members voluntarily supplied fingerprints through a clear and unmistakable process. In some cases, the court has ruled that the plaintiffs “undoubtedly understood” that their fingerprint was being retained for future identification purposes and thus have no basis for a claim. In this scenario, unless plaintiffs can show their biometric data was stolen or was at risk of being stolen, a technical failure to obtain consent could be insufficient to assert Article III standing.
On the other hand, a trend is emerging in cases where a plaintiff can show they had no meaningful opportunity to withhold consent for the collection of their biometric data, or that the collection of data was done without their knowledge. In these instances, plaintiffs will likely have a basis to assert standing. This is the case in suits brought against social media companies that surreptitiously capture biometric information for photo tagging.
Were Data Privacy Controls Inadequate or Just Not Disclosed?
In one landmark case, Santana vs. Take-Two Interactive Software, Inc., the Second Circuit rejected the plaintiffs’ allegations that Take-Two had insufficiently safeguarded their biometric data. In response, the court ruled that those plaintiffs would need to state specific allegations of how the defendant’s security measures created a material risk, exposing their biometric data to unauthorized access.
There are dozens of BIPA cases pending, with an array of factual, procedural, and jurisdictional differences that will affect their outcome. Whatever the final disposition of these cases, steering clear of BIPA legal entanglements is fairly easy. Under BIPA, before collecting a person’s biometric information you must first:
- Provide the person with a detailed written policy that states the specific purpose for collecting the data, how it will be collected, and the length of time for which their biometric information will be stored, retained, used and destroyed;
- Require a signed consent before collecting the data; and
- Document and implement a security protocol to protect the data.
All of these measures are quite straightforward and manageable.
Crossmatch can provide valuable assistance with your compliance program.
Chris Trytten has over two decades of technical and managerial experience in systems and security at leading companies in Silicon Valley, including positions with Crossmatch, DigitalPersona, Interlink Networks, Apple, Siemens and Amdahl. In his current position as Market Solutions Manager at Crossmatch, he is using his experience serving the Financial and Retail markets by guiding the product and market teams to address the security needs of these industries. Chris is the author of multiple security white papers and articles.