2021 was another record setting year for biometric litigation, with class action plaintiffs bringing new AI-based consumer privacy claims and a continuing trend of employment-based disputes. Read on for CPW’s highlights of the year’s most significant events concerning biometric litigation, as well as our predictions for what 2022 may bring.
Overview of 2021 BIPA Litigations: What Do the Numbers Show?
One of the most critical consumer privacy statutes for biometric litigation has been Illinois’ Biometric Information Privacy Act (“BIPA”), which regulates the collection, processing, disclosure, and security of the biometric information of Illinois residents.
BIPA protects the “biometric information” of Illinois residents, which is any information based on “biometric identifiers” that identifies a specific person—regardless of how it is captured, converted, stored, or shared. 740 ILCS 14/10. Biometric identifiers are “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” Id. (collectively, with “biometric information,” “biometric data”). BIPA has found itself to be one of the most frequent targets for class actions, as it includes a private right of action with liquidated statutory damages, unlike many other data privacy statutes. Plaintiffs bringing suit under BIPA may seek actual damages or liquidated damages of either $1,000 per violation for negligent violations or $5,000 per violation for intentional or reckless violations.
The number of complaints filed under BIPA held steady in 2021, with heavy case volume cited as one of the reasons that comprehensive privacy legislation with a private right of action failed to be enacted by the Florida legislature. In 2021, at least 89 court rulings referenced BIPA. This is more than a four-fold increase from 2019. While the overwhelming majority of these rulings came from federal courts within the Seventh Circuit, BIPA decisions were also issued by Illinois state courts and federal courts within the Third, Fourth and Ninth Circuits.
Settlement activity under BIPA was also consistent with these other litigation trends. 2021 saw multiple BIPA settlements. Although the largest settlement ($650 million) was announced early in the year with a technology company, there were numerous others (with significant variation in settlement amounts).
To list just a few examples, in April a Cook County judge granted final approval to a $25 million class-action settlement to end a putative class-action brought against technology company ADP concerning its provision of biometric scanning technology to employers for timekeeping purposes. Later, in June the parties to the seminal Six Flags litigation (where the Illinois Supreme Court held a plaintiff could recover even for technical violations of BIPA in the absence of actual harm) received preliminary approval for a proposed class action settlement with an anticipated value of $36 million. This fall Compass Group USA Inc. and a retail technology company agreed to pay $6.8 million as part of a settlement to resolve claims alleging they collected fingerprint data from vending machine users without proper notice and consent as required under BIPA. That was not the only BIPA settlement end of the year, as in October a federal court in Illinois granted preliminary approval to a $92 million settlement reached in the TikTok multidistrict litigation, over objections that had been raised in March concerning the basis and terms of settlement.
Article III Standing Continues to be a Strategic Pressure Point
As shown by the large number of BIPA cases decided by federal courts in the Seventh Circuit, defendants have shown a preference to remove BIPA litigations to federal court. In response, plaintiffs this year sought in several cases to strategically limit their claims in an effort to avoid the imposition of Article III standing and preclude removal. The foundation for this strategy was laid in 2020 and early 2021 with several rulings from the Seventh Circuit.
In Bryant v. Compass Group USA, Inc., the Seventh Circuit addressed standing to sue for two BIPA claims: (1) a violation of Section 15(b), the Act’s informed-consent provision; and (2) a violation of one part of Section 15(a)—namely, the duty to publicly disclose a data-retention policy. The Court held that the plaintiff had standing to pursue the Section 15(b) claim. However, the Court’s view of the Section 15(a) claim was different, as the plaintiff in Bryant had not alleged any concrete and particularized harm from the defendant’s failure to publicly disclose a data-retention policy. As such, the Seventh Circuit held that the Bryant plaintiff lacked standing on that claim. The Court cautioned, however, that its latter holding was confined to the narrow violation the plaintiff alleged (the Court did not address standing requirements for claims under other parts of Section 15(a)).
In Fox v. Dakkota Integrated Sys., the Court addressed this issue head on. 980 F.3d 1146 (7th Cir. 2020), The Fox Plaintiff made several claims under BIPA, including section 15(a), premised on the allegations that the defendant collected and disclosed plaintiff’s biometric identifiers without prior consent. The plaintiff also alleged that the defendant failed to develop, publicly disclose, and implement a data retention schedule for destruction of employee biometric identifiers, and failed to destroy the plaintiff’s biometric data when she left the company. The Court distinguished the “mere procedural failure” in Bryant when holding that the Fox Plaintiff had sufficiently alleged facts to satisfy Article III standing. Specifically, the Court noted that the plaintiff “allege[d] a concrete and particularized invasion of her privacy interest in her biometric data stemming from [defendant’s] violation of the full panoply of its Section 15(a) duties [] resulting in the wrongful retention of her biometric data after her employment ended.”
In a January 2021 decision the Seventh Circuit further acknowledged that Section 15(c) BIPA claims (prohibiting entities from selling or otherwise profiting from biometric data) could also be pled to avoid Article III standing. In holding the named plaintiffs lacked standing to litigate their claims in federal court, the Seventh Circuit observed that “[i]t is no secret to anyone that[plaintiffs] took care in their allegations, and especially in the scope of the proposed class they would like to represent, to steer clear of federal court. But in general, plaintiffs may do this.”
Some Attempts to Push BIPA Litigation Into Arbitration Rejected
Companies facing BIPA lawsuits have several lines of attack, including on grounds of personal jurisdiction, statute of limitations, constitutionality of the statute itself, preemption by other state/federal laws, and various statutory defenses. And, some companies have able to avoid class actions by invoking arbitration clauses. This year, for example, an Illinois federal court set aside claims that Southwest Airline violated the BIPA by requiring employees to clock in and out by scanning their fingerprints, holding that employees had to pursue their claims as individuals in arbitration, not as a class in federal court.
However, not all efforts to compel arbitration were successful. When these motions were denied in 2021, it was on the basis that the plain language of the agreement to arbitrate did not extend to the parties or claims involved in the underlying BIPA litigation.
Ambiguity Remains Over BIPA Damages Accrual, But Clarity Provided on Statute of Limitations
Notable BIPA litigations in 2021 addressed two critical issues under the statute: the applicable statute of limitations for BIPA claims and when claims accrue (when data regulated in the statute is collected in the first instance, or whether a defendant can commit reoccurring violations of the statute—such as whenever an employee clocks in or clocks out—with liquidated statutory damages available with each independent collection).
No overview of BIPA litigation in 2021 would be complete without Cothron v. White Castle, No. 20-3202 (7th Cir.). Plaintiff had begun working at White Castle in 2004, and consented to the collection of her biometric data in 2007, after White Castle began using an optional finger-scan system for employees. The employee brought suit 11 years later in 2018 for purported BIPA violations, alleging that White Castle had not obtained consent to collect or disclose her fingerprints at the first instance the collection occurred because BIPA did not exist in 2007—the law was enacted in 2008. Plaintiff alleged that each collection of her fingerprints was a separate BIPA violation.
Most recently, White Castle was appealed to the Seventh Circuit, which heard oral argument in September 2021. On December 21, 2021, the Seventh Circuit certified the accrual question to the Illinois Supreme Court, finding that “[w]hether a claim accrues only once or repeatedly is an important and recurring question of Illinois law implicating state accrual principles as applied to this novel state statute. It requires authoritative guidance that only the state’s highest court can provide.”
And on the statute of limitations front, in September a panel for the Illinois Court of Appeals addressed whether BIPA claims are potentially subject to a one-, two-, or five-year statute of limitations. Tims v. Black Horse Carriers, Inc., 2021 IL App (1st) 200563 (Sep. 17, 2021). The Court held Illinois Code Section 13-201 (the one-year limitations period) governs BIPA actions under Section 15(c) and (d) while Illinois Code Section 13-205 (the five-year limitations period) governs BIPA actions under Sections 15(a), (b), and (e).
BIPA Preemption Issues Continue
Another line of attack favored by defendants in BIPA litigation have been assertions of federal preemption. Through 2021, defendants have explored a number of arguments that plaintiff’s claims were precluded by federal law.
Such was the case in Fleury v. Union Pac. R.R. Co., No. 20-cv-00390, 2021 U.S. Dist. LEXIS 55766 (N.D. Ill. Mar. 24, 2021), when the railroad moved to dismiss a truck driver’s lawsuit. The truck driver claimed he was required to “scan” his biometric information when he visited the defendant’s facilities without his consent, in violation of BIPA. The defendant answered suggesting that two federal statutes, addressing railroad safety and security, prevent state law from encroaching on the matter. The court ruled that there was not yet enough information on the record to properly assess the argument, and denied the motion as premature. In another preemption opinion this year, a federal court granted a motion to dismiss, finding that the plaintiff’s BIPA claims were preempted by the Labor Management Relations Act. Barton v. Swan Surfaces, LLC, No. 20-cv-499, 2021 U.S. Dist. LEXIS 38464 (S.D. Ill. Mar. 2, 2021), The Court agreed with the defendant employer that the plaintiff’s BIPA claims would require the interpretation of the plaintiff’s Collective Bargaining Agreement.
AI-Based BIPA Cases Increase In Frequency In 2021
BIPA Fingerprint cases (both for timekeeping purposes and otherwise) continue to be the most frequent target in BIPA litigation. However, in 2021 there was a developing trend with an increasing number of cases filed over a defendant’s use of AI technology.
Biometric identifiers under BIPA are “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” Although the statute itself does not define “scan of facial geometry” or “faceprint,” case law historically at least has treated these terms as referring to the measurements of distances between various facial features to generate a unique numerical representation of an individual face. There were a number of cases filed this year where plaintiffs targeted AI algorithms that purportedly used facial recognition to enhance the customer experience. By way of example, several beauty companies were sued over virtual makeup apps that allowed customers to “try on” products prior to purchase. In these cases, should they survive past the pleadings stage liability under BIPA will hinge upon how the technology at issue functions and what data is collected and used.
Similarly, several “voiceprint” lawsuits were also filed under BIPA this year, including in the context of AI. One notable putative class action was Carpenter v. McDonald’s Corporation, Case No. 1:21-cv-02906 (N.D. Ill.), which alleged that defendant McDonald’s had failed to comply with BIPA’s requirements in implementing a new AI voice assistant in its drive through locations. Most recently, Plaintiff’s BIPA claims were remanded to state court.
Other Legislative Developments to Key an Eye on in 2022
CPW regulars should find it no surprise that BIPA dominated the world of biometric data privacy litigation. That said, 2021 was a significant year for biometric data, even outside of Illinois.
New York Biometric Data Laws
Although a number of states have made moves to enact biometric laws, new regulations and laws in New York were a standout in 2021.
In August 2021, the Tenant Data Privacy Act (“TDPA”) took effect, though the Act will not be enforceable until 2023. Owners of “smart access buildings” are now required to obtain express consent to collect biometric data for use in the smart access systems. The owner must also create a written privacy policy for the tenants that informs them of a number of aspects of the data collection. On top of all this, the TDPA limits how the data can be retained or sold, placing substantial restrictions on the time the data may be stored, and all but eliminating disclosure to a third party without express written consent. Perhaps most notably, the TDPA has a private right of action to ensure the building owner properly protects the users’ data, allowing individuals to bring suit against landlords who allegedly violate the TDPA.
Meanwhile, New York City also made an amendment to its Administrative Code, establishing new standards for commercial use of customer’s biometric data. Any commercial establishment that collects, retains, converts, stores, or shares “biometric identifier information” must now erect clear and conspicuous notice of such at all customer entrances. The establishments are also barred from profiting from the transaction of the information in any way. As with the TDPA, this is enforced via a private right of action that could subject businesses to substantial penalties.
FTC Notice of Rulemaking
In December the FTC issued a notice (“Notice”) that it was “considering initiating a rulemaking under Section 18 of the FTC Act to curb lax security practices, limit privacy abuses, and ensure that algorithmic decision-making does not result in unlawful discrimination.”
There are a range of privacy, cybersecurity and AI issues that the FTC may seek to regulate as previewed by its Notice. For instance, as seen in an April 2021 release the FTC has increasingly cautioned that AI may be utilized and “inadvertently introduce[e] bias or other unfair outcomes” to medicine, finance, business operations, media, and other sectors. In addition, the FTC declared algorithmic and biometric bias as a focus of enforcement in resolutions passed this Fall. The Notice builds upon this focus, with its reference to “unlawful discrimination” likely signaling rulemaking directed at AI.
Regardless of what 2022 brings, it will undoubtedly be another busy year in the realm of biometric litigation and enforcement. Not to worry, CPW will be there to keep you informed every step of the way. Stay tuned.