Biometric Data: Liability Beyond BIPA
Biometric data, such as fingerprint and retina scanning, offers significant utility for companies to make their operations efficient and secure. As companies have increasingly adopted the use of such technology, Plaintiffs’ attorneys have filed a flood of class-action lawsuits pursuant to the Illinois Biometric Information Privacy Act (BIPA) based on the companies’ purported failure to obtain valid BIPA consent from their employees, contractors, and customers in Illinois, resulting in unrestrained verdicts and settlements.
While Texas and Washington have their own biometric statutes, BIPA is unique due to its private right of action, statutory damages, and a provision that allows for liability to accrue each time biometric data is collected. Other states are currently considering biometric and state privacy laws. Until then, Plaintiffs’ attorneys are probing state laws to discover legal theories that may support lawsuits based on the collection and use of biometric data. For example, in several recent cases based on privacy torts and the California Unfair Competition Law (UCL), the courts did not summarily dismiss the causes of action.
In Renderos v. Clearview AI, Inc., the Superior Court of California held that biometric analysis of photographs caused Plaintiffs to experience a “loss of money or property” and allowed the claims to proceed based on the right to privacy under the California Constitution and the UCL. In the case of In re Clearview AI, Inc., Consumer Privacy Litig., the Northern District of Illinois similarly held that biometric information is “by its very nature. . . sensitive and confidential,” and a California subclass had an expectation of privacy for their biometrics under California law. Continuing the trend, in Kellman v. Spokeo, Inc., the Northern District of California held that the California Consumer Privacy Act (CCPA) cannot be used as a defense for California privacy torts or UCL claims even where the data is publicly available and the CCPA allows its use without notice. Thus, a company’s collection or use of biometric data without notice or consent may be a valid basis for a class-action lawsuit under California law.
Compliance with BIPA in Illinois is paramount, given its high liability risk. If recent results in California are the start of a trend, then more lawsuits may be filed under other state laws. As such, businesses should consider obtaining consent for all biometric data collection to minimize risk.
A quarterly newsletter of legal news for the clients and friends of Scopelitis, Garvin, Light, Hanson & Feary
News from Scopelitis is intended as a report to our clients and friends on developments affecting the transportation industry. The published material does not constitute an exhaustive legal study and should not be regarded or relied upon as individual legal advice or opinion.
Biometric Data: Liability Beyond BIPA
Biometric data, such as fingerprint and retina scanning, offers significant utility for companies to make their operations efficient and secure. As companies have increasingly adopted the use of such technology, Plaintiffs’ attorneys have filed a flood of class-action lawsuits pursuant to the Illinois Biometric Information Privacy Act (BIPA) based on the companies’ purported failure to obtain valid BIPA consent from their employees, contractors, and customers in Illinois, resulting in unrestrained verdicts and settlements.
While Texas and Washington have their own biometric statutes, BIPA is unique due to its private right of action, statutory damages, and a provision that allows for liability to accrue each time biometric data is collected. Other states are currently considering biometric and state privacy laws. Until then, Plaintiffs’ attorneys are probing state laws to discover legal theories that may support lawsuits based on the collection and use of biometric data. For example, in several recent cases based on privacy torts and the California Unfair Competition Law (UCL), the courts did not summarily dismiss the causes of action.
In Renderos v. Clearview AI, Inc., the Superior Court of California held that biometric analysis of photographs caused Plaintiffs to experience a “loss of money or property” and allowed the claims to proceed based on the right to privacy under the California Constitution and the UCL. In the case of In re Clearview AI, Inc., Consumer Privacy Litig., the Northern District of Illinois similarly held that biometric information is “by its very nature. . . sensitive and confidential,” and a California subclass had an expectation of privacy for their biometrics under California law. Continuing the trend, in Kellman v. Spokeo, Inc., the Northern District of California held that the California Consumer Privacy Act (CCPA) cannot be used as a defense for California privacy torts or UCL claims even where the data is publicly available and the CCPA allows its use without notice. Thus, a company’s collection or use of biometric data without notice or consent may be a valid basis for a class-action lawsuit under California law.
Compliance with BIPA in Illinois is paramount, given its high liability risk. If recent results in California are the start of a trend, then more lawsuits may be filed under other state laws. As such, businesses should consider obtaining consent for all biometric data collection to minimize risk.
News from Scopelitis is intended as a report to our clients and friends on developments affecting the transportation industry. The published material does not constitute an exhaustive legal study and should not be regarded or relied upon as individual legal advice or opinion.