
Is Your Business in Compliance with Washington’s New Data Privacy Statute?

Gabrielle N. Ganze

Washington’s new data privacy statute, “My Health, My Data Act” (“MHMD” or the “Act”), officially became fully effective on March 31, 2024, for regulated entities under the Act, while small businesses have until June 30, 2024, to comply. The purpose of MHMD is to protect consumers’ personal health data not otherwise protected by federal regulation, such as HIPAA. Businesses should be familiar with Washington’s preexisting biometric privacy law, RCW 19.375, and recognize MHMD’s coverage is far more expansive. MHMD regulates the collection, sharing, selling, and processing of “consumer health data.” It applies to entities that conduct business in Washington as well as those that provide services or products to Washington.

Notably, the Act does not regulate the collection of employee data like other privacy statutes. However, the scope of MHMD’s regulation expands far beyond traditional health data and biometric data, which has been the focus of many other data privacy statutes throughout the country. Unlike Washington’s biometric statute, MHMD can be enforced by private parties through a private right of action, in addition to the Attorney General. Consumers can sue for damages and other relief for violations of MHMD, which gives it the potential to spur class action litigation.


Amendments to the Illinois Biometric Information Privacy Act Would Dramatically Affect Accrual of Damages

Alex C. Nisenbaum

Lawmakers introduced a bill to revise the Illinois Biometric Privacy Act (“BIPA”) that would, in part, change the manner in which violations of BIPA accrue.

The Illinois State Supreme Court ruled in Cothron v. White Castle Sys., Inc. “that a claim accrues under the Act with every scan or transmission of biometric identifiers or biometric information without prior informed consent” in violation of BIPA.

The proposed bill would change the accrual of violations so that each initial collection of a biometric identifier would amount to one violation, rather than each scan or transmission amounting to a separate violation. The change would significantly diminish the amount of statutory damages available for BIPA violations. Use of biometric data in the context of employee timekeeping may involve only one initial collection but several scans during a work day to clock in and clock out. Under the new bill, violations would no longer accrue for any of the scans beyond the initial collection. The bill also adds “electronic signature” to the definition of “written release” under the law.


To read more articles from the March 2024 edition of Blank Rome’s BR Privacy & Security Download, please visit our website.


$228M Damages Award Vacated in First BIPA Trial

Karen H. Shin

The U.S. District Court for the Northern District of Illinois vacated a $228 million damages award in Rogers v. BNSF Railway Co., the first case tried to a verdict under the Illinois Biometric Information Privacy Act (“BIPA”). In Rogers v. BNSF Railway Co., rail workers alleged that BNSF Railway Co. (“BNSF”) collected their biometric information without informed consent. The jury found that BNSF had recklessly or intentionally violated BIPA 45,600 times (one violation per class member). BIPA provides that intentional or reckless violations of BIPA may result in liquidated damages of $5,000 or actual damages, whichever is greater.

The prior award resulted from multiplying the number of BIPA violations by $5,000 to arrive at $228 million. While the court upheld the verdict that the company violated BIPA, it held that damages were discretionary under BIPA (due to the term “may”) and ordered a new trial limited to the question of damages.


To read more articles from the August 2023 edition of Blank Rome’s BR Privacy & Security Download, please visit our website.


Montana Passes Law Regulating Facial Recognition Use by Police

Jason C. Hirsch

Montana recently passed the Facial Recognition for Government Use Act (“FRGUA”), which permits state and local agencies, including law enforcement, to use facial recognition to look for suspects, victims of, or witnesses to serious crimes. However, FRGUA prohibits the use of “continuous” facial recognition and establishes human review and audit procedures to ensure compliance with the technology. FRGUA requires police to obtain a warrant to use facial recognition absent exigent circumstances. It also allows the state motor vehicle division to set up facial recognition only with prior approval of the legislature.

In terms of disclosure, third-party vendors of facial technology and public agencies must have use and privacy policies for individuals. Finally, FRGUA imposes monetary penalties for negligent violations of the statute and grants the attorney general the authority to initiate enforcement actions.


To read more articles from the August 2023 edition of Blank Rome’s BR Privacy & Security Download, please visit our website.


FTC Adopts Biometric Policy Statement

Tianmei Ann Huang

The Federal Trade Commission (“FTC”) issued a policy statement (“Statement”) raising significant concerns about consumer privacy, data security, and the potential for bias and discrimination associated with the increasing use of biometric information and related technologies. The Statement warns that false, misleading, or unsubstantiated statements made about the accuracy of biometric information technologies and/or practices may face enforcement action if the FTC determines such actions to be “deceptive” and “unfair” in violation of Section 5 of the FTC Act.

In making its determination, the FTC will consider factors such as foreseeability of harms, promptness of actions taken, and the adoption of appropriate data practices, including employee training, use of available tools, and evaluation of third-party service providers. According to the FTC’s Bureau of Consumer Protection Director, the Statement “makes clear that companies must comply with the law regardless of the technology they are using.”


To read more articles from the June 2023 edition of Blank Rome’s BR Privacy & Security Download, please visit our website.


NYC Introduces Bills to Limit Facial Recognition in Private Sector

Tianmei Ann Huang

New York City Council (“Council”) members are expected to formally introduce two Local Laws on April 27, 2023, during the next Council meeting, seeking to regulate private-sector use of facial recognition (or similar surveillance technology) for identification or verification purposes.

The first bill would amend New York City’s administrative code to prohibit businesses and venues from using “biometric identifier information” (e.g., face scans) to identify or verify customers without first obtaining their written consent. These businesses and venues must also develop and make publicly available a retention-and-destruction policy, and must further comply with certain data protection, privacy, and security obligations. The proposal also includes a private right of action for civil damages up to $500 per negligent violation and up to $5,000 per intentional or reckless violation, as well as attorneys’ fees.

The second bill would ban owners of “multiple dwelling” properties (e.g., residential buildings) from installing, activating, or using “biometric recognition technology” to identify tenants or their guests. The legislation, if enacted, would be one of the first laws to place city-wide restrictions on the use of biometric recognition technology in the private sector.

Based on the introduction of these dual bills, companies in NYC that currently collect biometric data, or are considering doing so, are encouraged to contact experienced counsel to provide protective compliance measures—lest they become the target of civil litigation.


Illinois Supreme Court: Federal Labor Law Preempts Union Employees’ BIPA Claims

Tianmei Ann Huang

The Illinois Supreme Court in Walton v. Roosevelt University, 2023 IL 128338 (Mar. 23, 2023), unanimously affirmed dismissal of the putative class action arising under the Illinois Biometric Privacy Information Act, 740 ILCS 14/1 (“BIPA”), concluding that federal labor law preempted BIPA claims brought by unionized employees covered by a collective bargaining agreement (“CBA”). Consistent with Seventh Circuit federal court decisions in support of federal preemption, the Walton high court’s ruling specifically provides that Section 301 of the federal Labor Management Relations Act (“LMRA”), 29 U.S.C. § 185, preempts BIPA claims asserted by union employees (or bargaining unit employees) covered by a CBA in Illinois state courts. Therefore, the federal preemption defense may be used to foreclose these unionized employees from bringing BIPA claims in state and federal courts, including on a class action basis.

In Walton, the representative plaintiff was a member of a union subject to a CBA, which included a broad management-rights clause, during his employment with Roosevelt University. The putative class alleged that Roosevelt University used scanning devices to enroll employees’ hand geometry scans for timekeeping purposes, but Roosevelt University failed to fulfill BIPA’s Section 15 requirements. However, under the LMRA, the provisions of the CBA should govern, and even if “biometric” data is not expressly discussed within the CBA, a broad management-rights clause along with provisions regarding employee timekeeping and grievance resolution procedures may be sufficient to preclude BIPA litigation.

Overall, the Walton decision offers a measure of relief to defendants involved in BIPA disputes brought by union employees, particularly following the liability-expanding Illinois Supreme Court decisions in Cothron and Tims, as previously discussed. To avoid future litigation, employers should carefully exercise their exclusive rights to direct the employees covered by a CBA or other contract.


Illinois Supreme Court Dramatically Expands Liability by Ruling Each Scan of a Biometric Identifier Is a Separate Violation

Amanda M. Noonan

In a 4-3 split, the Illinois Supreme Court ruled earlier this month that claims under Sections 15(b) and 15(d) of the Illinois Biometric Information Privacy Act (“BIPA”) accrue each time a private entity scans a person’s biometric identifier and/or submits such scan to a third party—rather than only upon first collection. Cothron v. White Castle System, Inc., 2023 IL 128004 (Feb. 17, 2023). This decision—which dramatically expands the scope of potential liability for BIPA defendants—comes just weeks after the Illinois Supreme Court held a five-year statute of limitations applies to all BIPA causes of action in Tims v. Blackhorse Carriers, Inc., 2023 IL 127801 (Feb. 2, 2023).

The impact of Cothron on claim accrual, coupled with Tims’ resolution of the statute of limitations, will have an immense and immediate impact on BIPA class-action lawsuits—many of which had been stayed pending these decisions.

For many businesses that implement biometric time clocks, which scan biometric identifiers to track employee time/attendance, this means each time an employee scans in-and-out of work, a new BIPA violation accrues. Together with the five-year statute of limitations period, BIPA defendants may now be facing hundreds—if not thousands—of independent BIPA violations for a single complainant.


Illinois Supreme Court Holds Five-Year Statute of Limitations Applies to All Biometric Information Privacy Act Claims

Amanda M. Noonan

In a highly anticipated decision, the Illinois Supreme Court in Tims v. Blackhorse Carriers, Inc., 2023 IL 127801 (Feb. 2, 2023), recently resolved longstanding uncertainty about the statute of limitations under the Illinois Biometric Information Privacy Act (“BIPA”). The Court held all claims arising under BIPA are governed by the five-year “catch-all” statute of limitations period provided by section 13-205 of the Illinois Code of Civil Procedure. See 735 ILCS 5/13-205. In so holding, the Court adopted the more expansive of the two limitations periods at issue. And it rejected Defendant’s—and the broader defense bar’s—contention that Illinois’ one-year limitations period, as applied to certain privacy/defamation actions, should extend to all BIPA actions.

Notably, the Supreme Court reversed, in part, the First District Illinois Appellate Court’s decision that incongruently applied a one-year limitations period to claims arising under Sections 15(c) and 15(d)—but a five-year limitations period for BIPA actions accruing under Sections 15(a), 15(b), and 15(e). Under the Appellate Court’s reasoning, Sections 15(c) and 15(d) included elements of publication analogous to certain common law privacy torts, and, for that reason, required application of Illinois’ one-year statute of limitations for “actions for slander, libel or for publication of matter violating the right of privacy.” 735 ILCS 5/13-201. At the same time, the Appellate Court applied the “catch all” five-year statute of limitations period to claims under Sections 15(a), 15(b), and 15(e), reasoning no publication element was involved. 735 ILCS 5/13-205.


First Biometric Privacy Jury Trial Results in Massive $228 Million Dollar Verdict

Amanda M. Noonan

A federal district court in the Northern District of Illinois conducted the first-ever jury trial in an Illinois Biometric Information Privacy Act (“BIPA”) case. On October 12, 2022, the jury returned a verdict for the plaintiff—and more than 45,000 class members—regarding defendant BNSF Railway’s (“BNSF”) reckless violations of BIPA. See Rogers v. BNSF Railway Co., No. 1:19-cv-03083 (N.D. Ill. Oct. 12, 2022). Plaintiffs’ claims centered on BNSF’s collection of fingerprints to verify their identities and allow access to BNSF’s facilities without obtaining their written consent, as required under BIPA Section 15(b).

After a five-day trial—and only an hour of deliberations—the jury found BNSF not only violated BIPA 46,500 times, but did so intentionally or recklessly under 735 ILCS 14/20(2). The jury’s finding on that issue quintupled plaintiff’s damages award to $5,000 per violation, as opposed to $1,000 per negligent violation. As a result, District Judge Matthew Kennelly entered a $228 million dollar damages award in plaintiffs’ favor following the verdict. BNSF has stated it intends to appeal.

The implications of the verdict loom large. On the plaintiff’s side, counsel will likely increase the already large-scale BIPA filings and push for higher settlement amounts, using the prospect of a successful jury trial as a bargaining chip. Given the stakes, BIPA defendants may be more inclined to seek early resolution once named in a BIPA class action to avoid a bet-the-company litigation at all costs.

Considering the verdict, early compliance efforts by companies implementing biometric technology are even more crucial to avoid BIPA litigation in the first instance. Significantly, companies using any technology that could arguably constitute biometrics—regardless of the sophistication—may be targeted by zealous plaintiff’s attorneys seeking to join the ever-increasing cascade of BIPA class action filings. Biometrics privacy counsel should thus be consulted to address compliance strategies to protect against the catastrophic risks of a BIPA verdict at the earliest possible opportunity.