Category: Case Law Developments

Categories
Biometric Privacy Legal Landscape Case Law Developments Legislative Developments & Trends

Colorado Attorney General Announces Adoption of Amendments to Colorado Privacy Act Rules + Attorneys General Oppose Clearview AI Biometric Data Privacy Settlement

Colorado Adopts Amendments to CPA Rules

The Colorado Attorney General announced the adoption of amendments to the Colorado Privacy Act (“CPA”) rules. The rules will become effective on January 30, 2025. The rules provide enhanced protections for the processing of biometric data as well as the processing of the online activities of minors. Specifically, companies must develop and implement a written biometric data policy, implement appropriate security measures regarding biometric data, provide notice of the collection and processing of biometric data, obtain employee consent for the processing of biometric data, and provide a right of access to such data. In the context of minors, the amendment requires that entities obtain consent prior to using any system design feature designed to significantly increase the use of an online service of a known minor and to update the Data Protection Assessments to address processing that presents heightened risks to minors. Entities already subject to the CPA should carefully review whether they may have heightened obligations for the processing of employee biometric data, a category of data previously exempt from the scope of the CPA.


Attorneys General Oppose Clearview AI Biometric Data Privacy Settlement

A proposed settlement in the Clearview AI Illinois Biometric Information Privacy Act (“BIPA”) litigation is facing opposition from 22 states and the District of Columbia. The Attorneys General of each state argue that the settlement, which received preliminary approval in June 2024, lacks meaningful injunctive relief and offers an unusual financial stake in Clearview AI to plaintiffs. The settlement would grant the class of consumers a 23 percent stake in Clearview AI, potentially worth $52 million, based on a September 2023 valuation. Alternatively, the class could opt for 17 percent of the company’s revenue through September 2027. The AGs contend the settlement doesn’t adequately address consumer privacy concerns and the proposed 39 percent attorney fee award is excessive. Clearview AI has filed a motion to dismiss the states’ opposition, arguing it was submitted after the deadline for objections. A judge will consider granting final approval for the settlement at a hearing scheduled on January 30, 2025. 

To read more articles from the January 2025 edition of Blank Rome’s BR Privacy & Security Download, please visit our website.

Categories
Biometric Privacy Legal Landscape Case Law Developments Legislative Developments & Trends

Proposed Amendments to Colorado Privacy Act Rules + Landmark Ruling on Retroactive Application of BIPA Amendments

Colorado AG Releases Revisions to Draft Colorado Privacy Act Rules

The Colorado Attorney General’s Office released the second version of its proposed amendments to the Colorado Privacy Act rules. This round of revisions seeks to take into account concerns expressed through public input to the first draft of the amendments. The rules address two laws amending the Colorado Privacy Act that heightened protections for biometric data and children’s data that were signed into law in 2024. The amendments to the Colorado Privacy Act require businesses operating in Colorado to keep written policies on how they handle and dispose of biometric data and to provide consumers with notice of the collection of biometric information take effect July 1, 2025. The draft rules define the notice and consent requirements for biometric data, including notice and consent requirements for employees, contractors, and subcontractors. Amendments to the Colorado Privacy Act relating to children’s data take effect on October 1, 2025, and will require companies to use “reasonable care” to avoid harms to a consumer they know is under 18 and limit use and collection of minors’ data.


Blank Rome Secures Landmark Ruling on Retroactive Application of BIPA Amendments

A Blank Rome team representing DNJ Intermodal Services LLC prevailed in striking the complainant’s prayer for relief, which sought $1,000 or $5,000 for each of the thousands of times six plaintiffs allegedly had their hands scanned at work. Will County Judge Roger D. Rickmon found—perhaps the first among Illinois state judges—that a recent amendment to the Biometric Information Privacy Act (“BIPA” or “the Act”), which stipulates that a business collecting identical biometric data multiple times from the same person in violation of the law is liable for only a single violation, applies retroactively to claims that arose and were filed prior to August 2, 2024, the effective date of the Act. This landmark ruling shaves potential BIPA damages for most pending cases from astronomical damages of millions (or hundreds of millions) of dollars to $1,000 or $5,000 per person. The question of whether BIPA’s amendment applies retroactively is simmering in courts throughout the state of Illinois and is expected to eventually make its way up to Illinois’ Courts of Appeals and perhaps the Illinois Supreme Court. The Blank Rome team representing DNJ Intermodal Services LLC included Daniel SaeediRachel SchallerJeffrey N. Rosenthal, Amanda Noonan, and Gabrielle Ganze

To read more articles from the December 2024 edition of Blank Rome’s BR Privacy & Security Download, please visit our website.

Categories
Biometric Privacy Compliance Tips Biometric Privacy Legal Landscape Case Law Developments Class Action Litigation Defense Strategies

Texas Attorney General Reaches Largest-Ever Biometrics Settlement with Meta

Amanda M. Noonan |

On July 30, 2024, a Texas state court issued an Order finalizing the largest-ever biometrics settlement, between the Texas Attorney General and Meta for a staggering $1.4 billion. The settlement resolves a longstanding civil action brought by the Texas Attorney General in 2022 asserting violations under Texas’s Capture or Use of Biometric Identifier Act (“CUBI”).

Continue reading “Texas Attorney General Reaches Largest-Ever Biometrics Settlement with Meta”
Categories
Biometric Privacy Legal Landscape Case Law Developments Legislative Developments & Trends

Illinois Governor Signs the First Amendment to BIPA Since Its Passage 16 Years Ago

Daniel R. Saeedi, Rachel L. Schaller, and Gabrielle N. Ganze |

An amendment to Illinois’ biometric privacy law, the Illinois Biometric Information Privacy Act (“BIPA”) has finally become law. And, this amendment implements major changes to how damages accrue under BIPA.

Continue reading “Illinois Governor Signs the First Amendment to BIPA Since Its Passage 16 Years Ago”
Categories
Biometric Privacy Compliance Tips Biometric Privacy Legal Landscape Case Law Developments

Northern District of Illinois Weighs in on Employment-Related Examinations under Illinois’ GIPA

Gabrielle N. Ganze |

In an important privacy law development, United States District Court for the Northern District of Illinois, Judge Sharon Johnson Coleman, has issued two of the first federal decisions applying a substantive analysis to provisions of the Illinois Genetic Information Privacy Act, 410 ILCS 513/1 et seq. (“GIPA”) as it relates to employment-related examinations.

Continue reading “Northern District of Illinois Weighs in on Employment-Related Examinations under Illinois’ GIPA”
Categories
Biometric Privacy Legal Landscape Case Law Developments The Lighter Side of Biometrics

Monthly BIPA Filings: April 2024

Daniel R. Saeedi |

Biometric Information Privacy Act (“BIPA”) filings continue to occur in the Illinois courts. April saw 53 new BIPA complaints filed in Illinois, the vast majority of which were brought in Cook County. 

  • Facial geometry cases continue to rise, with eight explicit face scan cases being filed, and an additional twelve cases that hint at facial recognition technology. 
  • The transportation industry continues to be the sector seeing the most BIPA complaints filed against it (18), with the food, health, and beauty sectors also being hit with multiple BIPA claims.

Companies using any form of biometric technology in Illinois should be aware of this highly litigious environment and make sure that such use is in compliance with the law. This is especially true for businesses operating in the transportation, trucking, and logistics sectors, given the above trends.

Categories
Biometric Privacy Legal Landscape Case Law Developments

$228M Damages Award Vacated in First BIPA Trial

Karen H. Shin |

The U.S. District Court of the Northern District of Illinois vacated a $228 million damages award in Rogers v. BNSF Railway Co., the first case tried to a verdict under the Illinois Biometric Information Privacy Act (“BIPA”). In Rogers v. BNSF Railway Co., rail workers alleged that BNSF Railway Co. (“BNSF”) collected their biometric information without informed consent. The jury found that BNSF had recklessly or intentionally violated BIPA 45,600 times (one violation per class member). BIPA provides that intentional or reckless violations of BIPA may result in liquidated damages of $5,000 or actual damages, whichever is greater.

The prior award resulted from multiplying the number of BIPA violations by $5,000 to arrive at $228 million. While the court upheld the verdict that the company violated the BIPA, it held that damages were discretionary under BIPA (due to the term “may”) and ordered a new trial limited to the question of damages.

To read more articles from the August 2023 edition of Blank Rome’s BR Privacy & Security Download, please visit our website.

Categories
Biometric Privacy Compliance Tips Case Law Developments Class Action Litigation Defense Strategies

Illinois Supreme Court: Federal Labor Law Preempts Union Employees’ BIPA Claims

Tianmei Ann Huang |

The Illinois Supreme Court in Walton v. Roosevelt University, 2023 IL 128338 (Mar. 23, 2023), unanimously affirmed dismissal of the putative class action arising under the Illinois Biometric Privacy Information Act, 740 ILCS 14/1 (“BIPA”), concluding that federal labor law preempted BIPA claims brought by unionized employees covered by a collective bargaining agreement (“CBA”). Consistent with Seventh Circuit federal court decisions in support of federal preemption, the Walton high court’s ruling specifically provides that Section 301 of the federal Labor Management Relations Act (“LMRA”), 29 U.S.C. § 185, preempts BIPA claims asserted by union employees (or bargaining unit employees) covered by a CBA in Illinois state courts. Therefore, the federal preemption defense may be used to foreclose these unionized employees from bringing BIPA claims in state and federal courts, including on a class action basis.

In Walton, the representative plaintiff was a member of a union subject to a CBA, which included a broad management-rights clause, during his employment with Roosevelt University. The putative class alleged that Roosevelt University used scanning devices to enroll employees’ hand geometry scans for timekeeping purposes, but Roosevelt University failed to fulfill BIPA’s Section 15 requirements. However, under the LMRA, the provisions of the CBA should govern, and even if “biometric” data is not expressly discussed within the CBA, a broad management-rights clause along with provisions regarding employee timekeeping and grievance resolution procedures may be sufficient to preclude BIPA litigation.

Overall, the Walton decision offers a measure of relief to defendants involved in BIPA disputes brought by union employees, particularly following the liability-expanding Illinois Supreme Court decisions in Cothron and Tims, as previously discussed. To avoid future litigation, employers should carefully exercise their exclusive rights to direct the employees covered by a CBA or other contract.

Categories
Biometric Privacy Compliance Tips Biometric Privacy Legal Landscape Case Law Developments

Illinois Supreme Court Dramatically Expands Liability by Ruling Each Scan of a Biometric Identifier Is a Separate Violation

Amanda M. Noonan |

In a 4-3 split, the Illinois Supreme Court ruled earlier this month that claims under Sections 15(b) and 15(d) of the Illinois Biometric Information Privacy Act (“BIPA”) accrue each time a private entity scans a person’s biometric identifier and/or submits such scan to a third party—rather than only upon first collection. Cothron v. White Castle System, Inc., 2023 IL 128004 (Feb. 17, 2023). This decision—which dramatically expands the scope of potential liability for BIPA defendants—comes just weeks after the Illinois Supreme Court held a five-year statute of limitations applies to all BIPA causes of action in Tims v. Blackhorse Carriers, Inc., 2023 IL 127801 (Feb. 2, 2023).

The impact of Cothron on claim accrual, coupled with Tims’ resolution of the statute of limitations, will have an immense and immediate impact on BIPA class-action lawsuits—many of which had been stayed pending these decisions.

For many businesses that implement biometric time clocks, which scan biometric identifiers to track employee time/attendance, this means each time an employee scans in-and-out of work, a new BIPA violation accrues. Together with the five-year statute of limitations period, BIPA defendants may now be facing hundreds—if not thousands—of independent BIPA violations for a single complainant.

Continue reading “Illinois Supreme Court Dramatically Expands Liability by Ruling Each Scan of a Biometric Identifier Is a Separate Violation”
Categories
Biometric Privacy Legal Landscape Case Law Developments Class Action Litigation Defense Strategies

Illinois Supreme Court Holds Five-Year Statute of Limitations Applies to All Biometric Information Privacy Act Claims

Amanda M. Noonan |

In a highly anticipated decision, the Illinois Supreme Court in Tims v. Blackhorse Carriers, Inc., 2023 IL 127801 (Feb. 2, 2023), recently resolved longstanding uncertainty about the statute of limitations under the Illinois Biometric Information Privacy Act (“BIPA”). The Court held all claims arising under BIPA are governed by the five-year “catch-all” statute of limitations period provided by section 13-205 of the Illinois Code of Civil Procedure. See 735 ILCS 5/13-205. In so holding, the Court adopted the most expansive of the two limitations periods at issue. And it rejected Defendant’s—and the broader defense bar’s—contention that Illinois’ one-year limitations period, as applied to certain privacy/defamation actions, should extend to all BIPA actions.

Notably, the Supreme Court reversed, in part, the First District Illinois Appellate Court’s decision that incongruently applied a one-year limitations period to claims arising under Sections 15(c), and 15(d)—but a five-year limitations period for BIPA actions accruing under Sections 15(a), 15(b), and 15(e). Under the Appellate Court’s reasoning, Sections 15(c) and 15(d) included elements of publication analogous to certain common law privacy torts, and, for that reason, required application of Illinois’ one-year statute of limitations for “actions for slander, libel or for publication of matter violating the right of privacy” 735 ILCS 5/13-201. At the same time, the Appellate Court applied the “catch all” five-year statute of limitations period to claims under Sections 15(a), 15(b), and 15(e), reasoning no publication element was involved. 735 ILCS 5/13-205.

Continue reading “Illinois Supreme Court Holds Five-Year Statute of Limitations Applies to All Biometric Information Privacy Act Claims”