Categories
Case Law Developments Class Action Litigation Defense Strategies

Designing a BIPA Defense: Biometric Manufacturer & Vendor Litigation Strategies

Amanda M. Noonan |

Class action litigation against biometric technology manufacturers and vendors is on the rise. Several courts have recognized the viability of such claims and held manufacturers/vendors may be subject to liability under Sections 15(b) and 15(d) of the Illinois Biometric Information Privacy Act (“BIPA”). 740 ILCS 14/15(b) & (d); Figueroa v. Kronos Inc., 454 F. Supp. 3d 772, 784-86 (N.D. Ill. 2020). The merits of these BIPA claims are yet undetermined. But the risk of having to defend such claims in state and federal courts is real and ongoing.

As the saying goes, the best defense is good offense. Rather than face uncertain liability, or incur exorbitant litigation defense costs, potential BIPA defendants often turn to arbitration provisions. For manufacturers/vendors of biometric technology, however, this approach may not be that simple.

Categories
Uncategorized

Practical Compliance Tips: New York City “Commercial Establishments” Biometric Privacy Law

David J. Oberly |

New York City (“NYC”) has quickly become one of the newest hotbeds of biometric privacy legislative activity, having enacted several laws since the start of 2021 that directly govern the collection and use of biometric data.

In addition to the New York City Tenant Data Privacy Act (“TDPA”), which regulates the use of biometric data by owners and operators of “smart access buildings,” New York City Council also enacted the nation’s first municipal-level biometric privacy law regulating “commercial establishments” (the “NYC Biometrics Ordinance”), which went into effect on July 9, 2021.

Because the NYC Biometrics Ordinance will almost certainly not be the last of its kind, commercial establishments that utilize biometric data in their business operations—even those located beyond the borders of the Big Apple—should take proactive steps to implement robust biometric privacy compliance programs to ensure continued compliance with current and anticipated biometrics laws to mitigate potential liability exposure.

Overview

  • Scope/Applicability: The NYC Biometrics Ordinance applies to the collection and use of “biometric identifier information” by “commercial establishments.”
  • “Biometric Identifier Information”: Biometric identifier information is defined in broad terms as any “physiological or biological characteristic that is used by or on behalf of a commercial establishment, singly or in combination, to identify, or assist in identifying, an individual, including but not limited to: (i) a retina or iris scan, (ii) a fingerprint or voiceprint, (iii) a scan of hand or face geometry, or any other identifying characteristic.”
  • “Commercial Establishment”: Commercial establishment is broadly defined to mean “a place of entertainment, a retail store, or a food and drink establishment.”
Categories
Case Law Developments

Illinois Appellate Court Clarifies Applicable Limitations Period in BIPA Class Action Litigation

David J. Oberly |

On September 17, 2021, the Illinois Appellate Court First District delivered its much-anticipated decision in Tims v. Black Horse Carriers, Inc., 2021 IL App (1st) 200563 (1st Dist. Sep. 17, 2021), addressing the applicable statute of limitations for causes of action asserted under the Illinois Biometric Information Privacy Act (“BIPA”).

The court held that claims brought under Sections 15(a), (b), and (e)—pertaining to the law’s privacy policy/data destruction, notice/consent, and data security requirements—are subject to a five-year statute of limitations. Conversely, claims asserted under Sections 15(c) and (d)—relating to the law’s ban on profiting from biometric data and disclosure limitations—are subject to a one-year limitations period.

Importantly, in finding that BIPA’s two most commonly asserted provisions, Sections 15(a) and (b), are subject to the longer five-year limitations period, the opinion ensures that the tsunami of class action BIPA filings will continue to flood the courts for the foreseeable future.

Categories
The Lighter Side of Biometrics

Welcome to Biometric Privacy Insider!

Jeffrey N. Rosenthal |

Welcome to the inaugural blog post of the Biometric Privacy Insider!

Authored by Blank Rome LLP’s dedicated Biometric Privacy Team—seasoned privacy, cybersecurity, artificial intelligence, and class action attorneys from around the country—the Biometric Privacy Insider is a one-stop destination for all things biometrics. Readers can expect the same in-depth analysis that has become the hallmark of our scholarship and speaking engagements, but in more bite-sized tidbits designed for regular consumption. Our goal is to help readers stay abreast of legal trends, technological developments, compliance options, legislative action, and strategies to avoid certain pitfalls when using or implementing biometrics. But that is not to say there isn’t room for some levity now and again too!

At its core, biometrics is the use of immutable human characteristics—such as a person’s voice, fingerprint, handprint, facial geometry, iris, etc.—for purposes of identification and/or authentication. And while recent technological advancements in the field of biometrics have changed the way we travel, pay for goods and services, access sensitive data, and protect our identities online, the use of biometrics also comes with legal risks as lawmakers across the country pass laws regulating this technology. To date, several states have enacted targeted biometrics laws, including the well-known Illinois Biometric Information Privacy Act. Others have ramped up efforts to enact similar laws of their own. While still other states are encompassing biometric data within their new, broader consumer privacy statutes and/or amending data breach notification statutes to make existing laws applicable to biometrics. As a result, the commercial use of biometric data has led to a significant wave of class action litigation for alleged technical missteps—a trend that will continue, if not increase, during the foreseeable future.

The recent advancement of technology and artificial intelligence, coupled with the growing utilization of biometric data, has forced clients to address and minimize the risks associated with biometric privacy regulatory compliance, enforcement, and litigation. This blog will examine these emerging issues and provide practical guidance for businesses seeking to navigate the myriad biometric privacy laws. Our team is thrilled to use this platform to share our perspectives on timely topics, including compliance best practices, emerging legal trends involving biometrics laws and technology around the country and the world, risk mitigation, and litigation strategy.

Whether you’re looking for a welcome distraction, or a call to action; an industry trend, or what the case law portends; compliance advice, or insight on a new biometric device; a discussion of some new technology, or just some folly, the Biometric Privacy Insider has you covered! We invite you to join us as we navigate the myriad opportunities and challenges associated with the ever-expanding and fascinating world of biometrics!

Categories
Uncategorized

Practical Compliance Tips: Texas Capture or Use Biometric Identifier Act (“CUBI”)

David J. Oberly |

For some time now, the well-known Illinois Biometric Information Privacy Act (“BIPA”)—discussed in this previous blog post—has garnered much of the spotlight in the area of biometric privacy. What many are unaware of, however, is that several similar state-level biometric privacy laws are also currently in effect in other parts of the country. One of those laws is Texas’ Capture or Use of Biometric Identifier Act, Tex. Bus. & Comm. § 503.001 (“CUBI”). While not as threatening to businesses that use biometrics in their operations as its Illinois counterpart, CUBI nonetheless poses substantial liability exposure risk for noncompliance.

Overview

  • Scope of Applicability to Businesses: CUBI applies to the collection of “biometric identifiers” for a “commercial purpose.”
  • “Biometric Identifier”: Biometric identifier means a “retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry.”
  • “Commercial Purpose”: “Commercial purpose” is defined by the statute. In the absence of additional guidance, companies should assume a commercial purpose includes any business purpose or related purpose tied to company operations.
Categories
Uncategorized

Practical Compliance Tips: Illinois Biometric information Privacy Act (“BIPA”)

Jeffrey N. Rosenthal |

Of all the targeted state biometric laws currently on the books, none poses more of an existential threat to companies than the Illinois Biometric Information Privacy Act (“BIPA”). BIPA has recently become the darling of the plaintiffs’ bar and the preferred statute under which bet-the-company class actions are being filed. If you have a presence in Illinois and use biometrics in your operations, chances are reasonably good you will be facing down a BIPA complaint at some point. But don’t despair! There are several proactive compliance steps to mitigate or, ideally, avoid such liability. And even after a case has been filed, there are several established (and even more developing) defenses available to minimize liability or obtain an outright dismissal. For example, having an enforceable arbitration agreement can be one of the most effective ways to mitigate the ever-increasing scope of biometric privacy exposure.

At their core, biometric systems analyze unique physical/behavioral human characteristics to identify and verify the identities of individuals. In our personal lives, this means using our faces to unlock our phones, or our eyes to unlock our homes. In our professional lives, companies may be verifying customer identities via facial scans or voice recognition software, or using employee fingerprints to track time and attendance, just to name a few.