Articles Posted in Privacy Law

A Cook County judge recently granted final approval to a $25 million class-action settlement to end a sweeping class-action lawsuit accusing well-known HR technology and service company, ADP, of violating the Illinois Biometric Information Privacy Act (BIPA) in the way it supplied equipment and support to employers requiring employees to scan their fingerprints when punching the clock at work.

According to class counsel, more than 40,000 people filed claims under the settlement. According to the terms of the settlement, these individuals will receive a prorated portion of the settlement fund equal to about $375 each. The judge approved an award of $8.75 million in attorney’s fees for class counsel or one-third of the total settlement funds.

The litigation resulting in this settlement dates back to 2017 when the first lawsuit was filed against ADP. In 2018, two additional class-action lawsuits were filed against ADP, all centered on nearly identical allegations. The three cases were eventually consolidated into one proceeding before Judge Atkins prior to the settlement. Continue reading ›

As we have previously written about here, here, and here, the Illinois Biometric Information Privacy Act (BIPA) has generated some high profile litigation in recent years. The Illinois Supreme Court’s last opportunity to consider one of the country’s most protective laws concerning biometric data came in 2019 in its decision in Rosenbach v. Six Flags Entertainment Corporation, which we wrote about here. Recently, the Illinois Supreme Court has granted permission to appeal another potentially impactful decision interpreting BIPA.

BIPA was enacted in 2008 to help regulate the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information. The BIPA defines “biometric identifier” as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” It defines “biometric information” as “any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual.” The BIPA provides for fines of $1,000 to $5,000 for each violation.

On January 27, 2021, the Illinois Supreme Court granted leave to appeal the Illinois Court of Appeals for the First District’s recent decision in McDonald v. Symphony Bronzeville Park LLC, 2020 IL App (1st) 192398. The McDonald case considered the very specific, yet important, issue of whether the exclusivity provisions of the Illinois Workers’ Compensation Act preempted claims statutory damages under BIPA. In its decision, the First District ruled that the Illinois Workers’ Compensation Act, and specifically its exclusive remedy provisions do not bar claims for statutory damages under BIPA. Continue reading ›

An AI company harvested publicly available photographs from social media sites across the internet and then used those photographs to derive a biometric facial scan of each individual in the photograph. The company sold this database to law enforcement agencies to use in identifying persons of interest or unknown individuals. A woman sued in a class action, arguing that the harvesting of biometric data violated Illinois’ Biometric Information Privacy Act. The company removed the case to federal court, and the federal court ruled that the plaintiffs’ claims lacked standing under Article III. The appellate court agreed with the district court and affirmed, ordering that the case be remanded to state court.

Clearview AI is in the business of facial recognition tools. Users may download an application that gives them access to Clearview’s database. The database is built from a proprietary algorithm that scrapes pictures from social media sites such as Facebook, Twitter, Instagram, LinkedIn, and Venmo. The materials that it uses are all publicly available. Clearview’s software harvests from each scraped photograph the biometric facial scan and associated metadata, which it stores in its database. The database currently contains billions of entries.

Many of Clearview’s clients are law enforcement agencies. The clients primarily use the database to find out more about a person in a photograph, such as to identify an unknown person or confirm the identity of a person of interest. Users upload photographs to Clearview’s app, and Clearview creates a digital facial scan of the person in the photograph and then compares the new facial scan to those in its database. If the program finds a match, it returns a geotagged photograph to the user and informs the user of the source social-media site for the photograph.

In the wake of a New York Times article profiling Clearview, Melissa Thornley filed suit in Illinois state court under the Illinois Biometric Information Privacy Act (BIPA). BIPA provides robust protections for the biometric information of Illinois residents. Thornley’s complaint, filed on behalf of herself and a class, asserted violations of three subsections of BIPA. Clearview removed the case to federal court. Shortly after removal, Thornley voluntarily dismissed the action. Thornley then returned to the Circuit Court of Cook County in May 2020 with a new, significantly narrowed, action against Clearview. The new action alleged only a single violation of BIPA and defined a more modest class. Continue reading ›

Recently, the U.S. Seventh Circuit Court of Appeals held that a putative class action lawsuit alleging a technical violation of the Illinois Biometric Information Privacy Act (BIPA) was sufficient to establish the Article III standing required in order to proceed in federal court, reversing the District Court’s dismissal of the claims. Only time will tell the full impact of this ruling but it does have the potential to be an important precedent that any business operating in Illinois and collecting fingerprints or utilizing facial-recognition technology must be aware of. Beyond its potential impact on Illinois businesses, the ruling is another decision interpreting the Supreme Court’s 2016 decision in Spokeo, Inc. v. Robins and the requirements set forth in that opinion for establishing Article III standing, and particularly the injury-in-fact prong of the standing analysis.

The plaintiff, Christine Bryant, worked for a call center in Illinois which had a workplace cafeteria with vending machines operated by the Compass Group. The machines did not accept cash and instead, employees had to scan and use their fingerprints to create user accounts and to purchase items.

Bryant initially filed a putative class action lawsuit in state court in the Circuit Court of Cook County. Her complaint alleged that Compass violated Section 15(b) of BIPA, which contains the requirement to obtain informed consent of individuals, by failing to: (1) inform her in writing that her biometric identifier was being collected or stored; (2) inform her in writing of the specific purpose and length of term for which her fingerprint was being collected, stored, and used; or (3) obtain her written release to collect, store, and use her fingerprint. Bryant’s complaint additionally alleged that Compass had also violated another section of BIPA, Section 15(a), which requires private entities that collect biometric information to make publicly available a data retention schedule and guidelines for permanently destroying the collected biometric identifiers, by failing to make such a written policy available to her or the other putative class members.

Following the filing of Bryant’s complaint in state court, Compass removed the action to federal court under the Class Action Fairness Act, 28 U.S.C. § 1332(d). In a somewhat unusual twist, it was the plaintiff who argued that she lacked Article III standing required to litigate her claims in federal court. Bryant argued that what she alleged in her complaint were bare procedural violations that did not constitute an injury-in-fact under Spokeo. The district court agreed with Bryant and remanded the action to state court. Compass appealed the district court’s ruling to the Seventh Circuit. This set up an odd dynamic on appeal where Compass, the defendant, argued that Bryant’s allegations did constitute an injury-in-fact sufficient to confer subject matter jurisdiction on the federal court.

Compass’s primary argument in favor of standing was that the Illinois legislature, bypassing BIPA, elevated to protectable status an individual’s right to control his or her own biometric identifiers and information. The Court agreed with Compass with regard to Bryant’s claims concerning violations of Section 15(b) of BIPA. Relying on Justice Thomas’s concurrence in Spokeo, the Court focused on whether Bryant’s claims sought to vindicate a private right or a public one, which the Court characterized as “a useful distinction.” The Court reasoned that the disclosure requirements in Section 15(b) of BIPA protect a private right by granting individuals a right to be fully informed as to how their biometric information will be used before deciding to disclose such information. By contrast, the Court held that the public disclosure requirements in Section 15(a) of BIPA protect a public right because Section 15(a) creates an obligation to the public generally. Consequently, the Court only found the injury-in-fact requirement satisfied with regard to Bryant’s Section 15(b) claims but not her Section 15(a) claims.

The Court’s entire opinion is available online here. Continue reading ›

In a 3-0 decision, the U.S. Court of Appeals for the Ninth Circuit ruled that Facebook users in Illinois can move forward with a class-action lawsuit challenging the company’s use of facial recognition technology. Facebook had argued that the court should not let the plaintiffs proceed on a class basis with claims that it violated the Illinois Biometric Information Privacy Act (often referred to a “BIPA”). The Ninth Circuit’s ruling in Patel v. Facebook affirmed the District Court’s decision to certify a class of Illinois Facebook users.

The BIPA is intended to protect the biometric privacy of Illinois citizens by imposing restrictions on the collection and storage of certain biometric information by private companies. One of the protections afforded by the law is the requirement that a company must obtain an individual’s written consent before collecting and storing any such biometric information.

The case stems from a class action complaint filed by three Illinois Facebook users on behalf of all Illinois Facebook users accusing the social media company of unlawfully gathering and storing its users’ biometric information, including through the use of facial recognition technology, without consent. Specifically, the suit targets a feature Facebook launched in 2010 called “Tag Suggestions” which uses facial recognition technology to build a “face template” of an individual from pictures uploaded to the site. The software builds these face templates by analyzing an individual’s face in uploaded photos and measuring various geometric data points on an individual’s face such as the distance between eyes, nose, and ears. Users are able to opt-out of the feature, and Facebook argued that it only builds face templates of Facebook users who have not opted-out and have the feature turned on. Continue reading ›

If you’ve used Facebook at all in the past few years, you’ve probably noticed that every time you post a photo with one of your friends, Facebook automatically suggests you tag that person. While that might seem innocent enough, the facial recognition technology Facebook uses to accomplish that is highly controversial and possibly illegal.

Facial recognition technology is a relatively recent development and it didn’t take long for it to become controversial. With the abundance of cameras all around us, facial recognition technology allows owners of the technology to find us just about everywhere we go, which is why Facebook is now facing a class action consumer lawsuit on behalf of millions of Illinois users.

According to the lawsuit, Facebook used its facial recognition technology to gather and store biometric data on its users without their consent, which violates the Illinois Biometric Information Privacy Act of 2008. Facebook tried to have the class action dismissed and to force each plaintiff to sue them individually, knowing the costs of filing the lawsuit would prohibit most, if not all the plaintiffs from pursuing legal action.

But the court said the class action was the proper format for this particular lawsuit. Facebook appealed that decision, and the appellate court recently upheld the lower court’s ruling, allowing the class action to proceed as is. Continue reading ›

The line between security and privacy has always been a bit blurry and it continues to get blurrier every day as technology advances. One of the latest developments in surveillance technology has been facial recognition software, which is allegedly capable of identifying you with just a quick scan of your face. While this could have far-reaching effects in the crime-solving world, it also eliminates much of our personal privacy in the process.

Brian Hofer is a paralegal in California who has been fighting to ban facial recognition software for the past five years. As soon as he became aware of the technology in 2014, he joined activist groups to try to get the technology banned from his hometown of Oakland. Once that was accomplished, he started working with other local government bodies across California to ban the technology from their streets. Since then, Hofer has drafted 26 different privacy laws for cities and counties all over the state of California, and all 26 have been approved.

While facial recognition technology may have been the catalyst for Hofer to start fighting for each citizen’s right to privacy, it has extended beyond that to include demands that companies and governing bodies be transparent about the kind of technology they’re using for their surveillance efforts. He has also convinced some cities, including Richmond and Berkeley, to cancel their contracts with tech companies like Vigilant Solutions and Amazon – both Richmond and Berkeley have sanctuary policies and both Vigilant Solutions and Amazon share information with ICE, so Hofer successfully argued that maintaining both the sanctuary policies and contracts with those companies constituted a conflict. Continue reading ›

Where a person whose biometric information was collected by a private entity who failed to comply with the requirements of the Illinois Biometric Information Privacy Act was an aggrieved person entitled to sue within the meaning of the act even if they had sustained no further injury beyond the violation of the act itself.

Six Flags Entertainment Corporation and its subsidiary Great America LLC own and operate the Six Flags Great America amusement park in Gurnee, Illinois. As part of this operation, Six Flags sells repeat-entry passes to the park. Since 2014, Six Flags has used a fingerprinting process when issuing those passes. The Six Flags system scans pass holders’ fingerprints, collects, records and stores “biometric” identifiers and information gleaned from the fingerprints, and then stores that data in order to quickly verify customer identities upon visits by pass holders to the park.

In May or June 2014, while the fingerprinting system was in operation, Stacy Rosenbach’s 14-year-old son, Alexander, visited the amusement park on a school field trip. In anticipation of the trip, Rosenbach purchased Alexander a season pass online. Rosenbach paid for the pass and provided personal information about Alexander, but Alexander was required to complete the sign-up process at the amusement park. Alexander was asked to scan his thumb into Six Flags’ biometric data capture system. He was then issued a season pass card. Rosenbach allegedly learned that Alexander’s fingerprints had been taken for the first time when Alexander returned home from the field trip.

Rosenbach eventually filed suit, acting in her capacity as mother and next friend of Alexander, against Six Flags. Continue reading ›

After three dismissals, a class-action consumer lawsuit filed against Barnes & Noble over a 2012 data breach has been sent back to the U.S. District Court for the Northern District of Illinois.

In September of 2012, Barnes & Noble became aware that their credit card scanners had been compromised by “skimmers” which would collect the data from the credit cards that were swiped and transfer them to a third party, which would then sell the information online. Barnes & Noble waited a month before alerting their customers to the data breach, so in addition to allegations that Barnes & Noble failed to properly protect its customers’ data, the class action lawsuit further alleged the bookstore had violated the California Security Breach Notification Act.

Nevertheless, the district court dismissed the case three times. The class of plaintiffs appealed to the Seventh Circuit Court of Appeals, which reversed the decision to dismiss it and sent the case back to the district court.

One plaintiff’s accounts were frozen for three days, meaning she had no access to her own funds in that time period. Another plaintiff had their credit card inactivated for a week, thereby denying them the use of that card. Yet another plaintiff reinstated credit monitoring on their card, which is an additional charge of $17.99 per month. Still another plaintiff was unable to receive the value of their Barnes & Noble’s bargain. Continue reading ›

It was only a matter of time that a backlash would occur against one of the largest social media networks.  This time, it was because of breach of trust issues.  It was the Presidential campaign of Donald Trump that saw the retention of private data of 50 million Facebook users, despite their attempts at claiming to have deleted it. The most recent case has been filed in Cook County, Illinois.  That claim included allegations similar to the other pending lawsuits against Facebook that will be tried in the federal court.  In the complaint, an argument is made that Facebook, Cambridge Analytica, and its corporate parent, SCL Group, violated users’ privacy when they violated Illinois laws against fraud.  In their response, Mark Zuckerburg and other Facebook executives called their actions a “breach of trust.”

The public at large was concerned about the mass data collection encouraged by Facebook, which assisted developers to build on the platform and provide greater insight into market manipulation and user behavior.  It was clearly written in the complaint that, “Facebook is not a social media company; it is the largest data-mining operation in existence.”  On top of that, Cook County is the second-largest county in the USA, behind Los Angeles County.  For that reason, from an international perspective, the case also has the ability to garner a high level of interest. It must be noted that this suit is not the first of technology-based lawsuits when it comes to privacy.

The fact of the matter is simply this: knowledge of your data can make millions, and this is exactly what Facebook did.  Users of Facebook feel violated enough to go ahead and file suit.  Members whose information was collected by Cambridge Analytica, the same firm that worked closely with the Trump campaign.  Facebook had known about the security breaches and did nothing to protect its users is what is alleged in the complaint.  Users also have a higher risk of identity theft as a result.  At the very least, Facebook acted negligently. Moreover, it is not just members of Facebook that are filing.  Investors have also come on board, in the making of “misleading statements” and they failed to disclose details about party access to data which is the reason why Facebook stocks have fallen. The officers of Facebook owed a fiduciary duty to investors to deal truthfully and honestly with them.   Because of the global reach, it is likely that more venues and jurisdictions will be involved.  Out of all, the most direct liability is against Cambridge Analytica.  They have violated city, state and Federal laws. The reputation of both companies is at stake as well. Continue reading ›