Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
District Court refuses to enforce choice-of-law provision, allows individual state data privacy claims to proceed
On March 18, the U.S. District Court for the Northern District of Illinois denied a retailer’s motion to certify for interlocutory appeal the court’s earlier ruling denying, in part, the retailer’s motion to dismiss. This multi-district litigation involves allegations that the retailer used a database containing photographs of individuals and other information to identify people whose images appeared in its surveillance cameras, in violation of the Illinois Biometric Information Privacy Act (BIPA), and California and New York laws. In denying the request for interlocutory appeal, the district court held that its earlier ruling had faithfully applied U.S. Court of Appeals for the Seventh Circuit precedent regarding standing of those who allege invasions of their personal privacy, and that the Supreme Court’s decision in TransUnion v. Ramirez (covered by InfoBytes here) did not undermine that precedent. It also held that the retailer’s disagreement with its prior application of the alleged facts to BIPA and its prior ruling that the plaintiffs had stated claims under California and New York laws did not warrant interlocutory review.
On February 18, the U.S. District Court for the Northern District of Illinois granted preliminary approval of a class action settlement, resolving allegations that a workplace management software company (defendant) violated the Illinois Biometric Information Privacy Act (BIPA) by collecting data without providing the requisite disclosures or obtaining informed written consent. According to the plaintiff’s motion for preliminary approval, the settlement class is comprised of nearly 172,000 Illinois employees who used the defendant’s biometric timekeeping devices at work and whose finger-scan data “was hosted” by the defendant. The defendant denied any violation of BIPA. Under the settlement agreement, the defendant will pay approximately $15 million into a non-reversionary settlement fund, and settlement class members, who need to file a valid claim to receive payment, are expected to receive between $290 and $580 each.
On February 3, the Illinois Supreme Court unanimously ruled that the Illinois Workers’ Compensation Act (Compensation Act) does not bar claims for statutory damages under the state’s Biometric Information Privacy Act (BIPA). According to the opinion, the plaintiff sued the defendant and several other long-term care facilities in 2017 for violations of BIPA, alleging their timekeeping systems scanned her fingerprints without first notifying her and seeking her consent. The defendant countered that the Compensation Act preempted the plaintiff’s claims, but in 2020 the Illinois Appellate Court, First District, held that it failed to see how the plaintiff’s claim for liquidated damages under BIPA “fits within the purview of the Compensation Act, which is a remedial statute designed to provide financial protection for workers that have sustained an actual injury.” As such, the appellate panel concluded that the Compensation Act’s exclusivity provisions “do not bar a claim for statutory, liquidated damages, where an employer is alleged to have violated an employee’s statutory privacy rights under the Privacy Act, as such a claim is simply not compensable under the Compensation Act.”
In affirming the appellate panel’s decision, the Illinois Supreme Court agreed that the “personal and societal injuries caused by violating [BIPA’s] prophylactic requirements are different in nature and scope from the physical and psychological work injuries that are compensable under the Compensation Act. [BIPA] involves prophylactic measures to prevent compromise of an individual’s biometrics.” Additionally, the Illinois Supreme Court held that the plain language of BIPA supports a conclusion that the state legislature did not intend for it to be preempted by the Compensation Act’s exclusivity provisions. Noting that it is aware of the consequences the legislature intended as a result of BIPA violations, the Illinois Supreme Court wrote that the “General Assembly has tried to head off such problems before they occur by imposing safeguards to ensure that the individuals’ privacy rights in their biometric identifiers and biometric information are properly protected before they can be compromised and by subjecting private entities who fail to follow the statute’s requirements to substantial potential liability . . . whether or not actual damages, beyond violation of the law’s provisions, can be shown.” Moreover, if a “different balance should be struck under [BIPA] given the category of injury,” that is “a question more appropriately addressed to the legislature.”
On January 24, the U.S. District Court for the Northern District of Illinois granted final approval to a nearly $877,000 class action settlement to resolve allegations that a food manufacturer’s fingerprint-based timekeeping system violated Illinois’ Biometric Information Privacy Act (BIPA). Class members (both direct employees and temporary staffing workers who worked for the defendant between June 2015 and the date of preliminary approval) alleged that the defendant (i) collected biometric fingerprint identifiers and information without receiving informed written consent from employees; (ii) processed these identifiers and information “without establishing and following a publicly available data retention schedule and destruction policy”; and (iii) disclosed the employees’ identifiers and information to its timekeeping vendor without consent. The defendant contended that since 2020 it has maintained BIPA consents and compliance policies, and “does not retain any finger scan data for separated Illinois employees.” While denying all liability and wrongdoing, the defendant has agreed to pay $876,750 to cover class member payments, attorney fees and costs, settlement administrator costs, and the class representative’s service award.
On November 4, the U.S. District Court for the Northern District of Illinois granted preliminary approval of a class action settlement resolving claims that a plasma donation center (defendant) unlawfully collected and stored the fingerprints of blood plasma donors. According to the memorandum of law in support of the plaintiff’s motion for preliminary approval, the plaintiff filed the proposed class action in 2019, alleging the defendant violated the Illinois Biometric Information Privacy Act (BIPA) by collecting thousands of fingerprints through a finger-scanning donor identification system without providing proper disclosures or obtaining informed written consent. The plaintiff further alleged that the defendant required her (and thousands of Illinois blood plasma donors) to provide a fingerprint to donate plasma, which was later used for identification on subsequent visits. The plaintiff alleged that by not requiring her informed consent and by disclosing her information to a third party, the defendant’s practice violated BIPA. According to the plaintiff’s motion, the settlement (if approved) would establish a settlement class of 76,826 Illinois blood plasma donors who were required to scan their finger at the defendant’s Illinois facilities prior to donating plasma. The settlement would provide payouts of approximately $400 to $800 per class member, assuming a claims rate of 10 percent to 20 percent, and permit class counsel to file for up to 35 percent of the settlement fund for attorney fees.
On October 28, the U.S. District Court for the Northern District of Illinois denied a Delaware-based technology management service defendant’s motion to dismiss a putative class action that alleged it stored and collected biometric data from employees of companies that utilized the defendant’s timekeeping services. The court also granted the plaintiff’s motion to remand two of her three claims to state court because the plaintiff had not alleged an injury in fact sufficient to establish Article III standing in federal court for those claims.
The plaintiff alleged that the defendant violated the Illinois’ Biometric Information Privacy Act (BIPA) by selling time and attendance solutions to Illinois employers, including biometric-enabled hardware such as fingerprint and facial recognition scanners that collected and stored employee biometrics data. The plaintiff alleged that the defendant violated Section 15(a) of BIPA by failing to publish a retention schedule for the biometric data, violated Section 15(b) of BIPA by obtaining the plaintiff’s biometric data without first providing written disclosures and obtaining written consent, and violated section 15(c) of BIPA, by participating in the dissemination of her biometric data among servers. According to the district court, the plaintiff lacked standing regarding the Section 15(a) claim because the harm resulting from the defendant’s failure to publish a retention policy was not sufficiently particularized and the plaintiff had not otherwise alleged a concrete injury resulting from the violation. The district court concluded that the plaintiff’s Section 15(c) claim also lacked standing because, though she alleged that the defendant profits off its biometric data collection practices by marketing its biometric time clocks that utilize the software as “superior options” and “gains a competitive advantage”, the “complaint doesn't allege an injury in fact stemming from [the defendant’s] profiting off of [the plaintiff’s] biometric data.”
With regard to the Section 15(b) claim, the district court rejected the defendant’s argument that the requirement to inform clients regarding its biometric data collection and receiving written consent did not apply, noting that the defendant is right that it “doesn’t penalize mere possession of biometric information.” However, that does not help the defendant “because the complaint alleges that defendant did more than possess [the plaintiff’s] biometric information: it says that [the defendant] collected and obtained it.” Additionally, the district court rejected the defendant’s argument that it is not liable as a third-party vendor who lacks the power to obtain the required written releases from its clients’ employees. The district court stated that “while it’s probably true that [the defendant] wasn’t in a position to impose a condition of employment on its clients’ employees, the statutory definition of a written waiver doesn’t excuse vendors like [the defendant] from securing their own waivers before obtaining a person’s data.”
On October 13, the U.S. District Court for the Northern District of Illinois granted final approval to a $2.6 million class action settlement between a sports entertainment chain (defendant) and a class of former employees, resolving allegations that the defendant was responsible for improperly collecting and storing employees’ data in violation of Illinois’ Biometric Information Privacy Act (BIPA). According to the final settlement (which was preliminarily approved in June by the court), plaintiffs alleged that the defendant violated BIPA by collecting and disclosing Illinois employees’ biometric data through a finger-scan timekeeping system without following BIPA’s written disclosure and consent requirements. The gross settlement fund is approximately $2.6 million, with $22,000 awarded to the settlement administrator, approximately $865,000 allocated for attorney fees, and nearly $35,000 designated for litigation costs.
On September 30, the U.S. District Court for the Northern District of Illinois granted preliminary approval of a class action settlement, resolving claims that a China-based technology company and its subsidiaries (collectively, “defendants”) violated Illinois’ Biometric Information Privacy Act (BIPA), among other things, by defying state and federal privacy laws through a social media platform and entertainment application (app). The first of the 21 putative class actions comprising this multidistrict litigation were filed in 2019, and the other 20 putative class actions were filed in 2020 in separate federal districts. Class members, comprised of U.S. residents who used the app prior to preliminary approval, and an Illinois subclass of all Illinois residents who used the app to create videos before preliminary approval, filed a consolidated amended class action complaint in 2020, claiming that the defendants harvested and profited from users’ private information, including their biometric data, geolocation information, personally identifiable information, and unpublished digital recordings. The defendants argued, among other things, that the class members consented to the alleged misconduct by accepting the app’s terms of service.
Under the terms of the preliminarily approved settlement, the defendants must pay “$92 million in monetary relief and an array of injunctive relief for the putative settlement class.” The settlement also requires the defendants to, among other things: (i) refrain from using the app to collect or store certain U.S. user data, including biometric data and geolocation information, without making the necessary disclosures; (ii) delete all pre-uploaded user-generated content collected from U.S. users who did not “save” or “post” the content; and (iii) require a new, yearly training program for the defendants’ employees and contractors regarding compliance with data privacy laws.
On September 17, the First District Appellate Court of Illinois held that different limitation periods should be applied to the Biometric Information Privacy Act (BIPA), concluding that while Section 15 imposes various duties that all concern privacy, “each duty is separate and distinct.” Specifically, the panel stated that claims related to “[a]ctions for slander, libel or for publication of matter violating the right of privacy” have a one-year limitation period, while “all civil actions not otherwise provided for” carry a five-year limit. Plaintiffs filed a class action complaint alleging violations of BIPA Sections 15(a), 15(b), and 15(d), claiming the defendant collected, stored, used, and disseminated individuals’ biometric data obtained through fingerprint scans without, among other things, (i) informing plaintiffs of the purpose and length of the storage and use of their data; (ii) receiving written release from plaintiffs; (iii) providing a retention schedule and guidelines for destroying the data; or (iv) obtaining consent from plaintiffs and other employees to disseminate their data to third parties. The defendant moved to dismiss, arguing that the claims were filed outside the limitation period, noting that while BIPA itself has no limitation provision, “the one-year limitation period for privacy actions under Code section 13-201 applies to causes of action under [BIPA] because [BIPA’s] purpose is privacy protection.” A state trial court denied the defendant’s motion to dismiss, ruling that the plaintiffs’ claims were subject to Illinois’ “catchall” five-year limitation provision rather than the state’s one-year privacy claim limitation period, since the plaintiffs were alleging specific BIPA violations rather than a general privacy invasion.
On appeal, the appellate court considered the limitations question and determined, among other things, that since Illinois’ one-year statute of limitations applies only to published privacy violations, it can only govern BIPA claims filed under section 15(c)’s profit restrictions and section 15(d)’s disclosure/dissemination prohibitions. As such, plaintiffs suing under BIPA’s section 15(a)’s retention requirements, section 15(b) informed consent, and section 15(e) data safeguarding requirements have five years to bring such claims since these duties “have absolutely no element of publication or dissemination.”
- Steven vonBerg to speak at closing “super session“ on compliance topics at MBA Legal Issues and Regulatory Compliance Conference
- Buckley Webcast: Fifth Circuit muddles CFPB’s plans to use in-house judges in enforcement proceedings
- Jeffrey P. Naimon to discuss “Understanding the ESG impact on compliance” at the ABA’s Regulatory Compliance Conference