Articles Posted in Privacy Law

The Supreme Court recently issued its first ever opinion interpreting the Computer Fraud and Abuse Act, 18 U.S.C. §1030. In issuing its opinion, the Court limited the scope of the Computer Fraud and Abuse Act and resolved a circuit split on the meaning of “exceeds authorized access” found in the statute. In a 6-3 opinion, Justice Amy Coney Barrett, in her first signed majority opinion, said the Court would not turn “millions of otherwise law-abiding citizens” into criminals if they violated their employer’s computer-use policies at work by using their computers to send personal e-mails, do online shopping, or plan a vacation.

At issue, the Court said, were so-called “inside hackers” who have legal access to a computer but exceed their authorized authority by using the information for unauthorized purposes. Adopting the government’s “breathtaking” interpretation of the phrase “exceeds authorized access,” the Court explained, would turn every violation of a computer-use policy into a criminal act.

The immediate beneficiary of the Court’s ruling was a former Georgia police sergeant, Nathan Van Buren. Van Buren was authorized to use the Georgia Crime Information Center database to check license plates as part of his job. He unwittingly found himself caught up in an FBI sting when he took a $5,000 payment from a man who claimed that he wanted to learn about a stripper he had just met. After using his official computer to perform the requested search, Van Buren was charged and convicted of violating the Computer Fraud and Abuse Act for exceeding his “authorized access.”

The Computer Fraud and Abuse Act was enacted in 1986, during the early stages of the internet. The statute imposes criminal or civil liability on any person who “intentionally accesses a computer without authorization” or “exceeds authorized access” and, in doing so, obtains information from a “protected computer.” The statute does not define the term “without authorization” but does define the term “exceeds authorized access” in a rather opaque way. Pleading a claim under the statute requires a plaintiff to allege that the defendant (i) intentionally accessed a computer, (ii) lacked authority to access the computer or exceeded authorized access to the computer, (iii) obtained data from the computer, and (iv) caused a loss of $5,000 or more during a one-year period.

A Cook County judge recently granted final approval to a $25 million class-action settlement to end a sweeping class-action lawsuit accusing well-known HR technology and service company, ADP, of violating the Illinois Biometric Information Privacy Act (BIPA) in the way it supplied equipment and support to employers requiring employees to scan their fingerprints when punching the clock at work.

According to class counsel, more than 40,000 people filed claims under the settlement. According to the terms of the settlement, these individuals will receive a prorated portion of the settlement fund equal to about $375 each. The judge approved an award of $8.75 million in attorney’s fees for class counsel or one-third of the total settlement funds.

The litigation resulting in this settlement dates back to 2017 when the first lawsuit was filed against ADP. In 2018, two additional class-action lawsuits were filed against ADP, all centered on nearly identical allegations. The three cases were eventually consolidated into one proceeding before Judge Atkins prior to the settlement.

As we have previously written, the Illinois Biometric Information Privacy Act (BIPA) has generated some high-profile litigation in recent years. The Illinois Supreme Court’s last opportunity to consider one of the country’s most protective laws concerning biometric data came in 2019 in its decision in Rosenbach v. Six Flags Entertainment Corporation, which we have also written about. Recently, the Illinois Supreme Court has granted permission to appeal another potentially impactful decision interpreting BIPA.

BIPA was enacted in 2008 to help regulate the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information. The BIPA defines “biometric identifier” as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” It defines “biometric information” as “any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual.” The BIPA provides for fines of $1,000 to $5,000 for each violation.

On January 27, 2021, the Illinois Supreme Court granted leave to appeal the Illinois Court of Appeals for the First District’s recent decision in McDonald v. Symphony Bronzeville Park LLC, 2020 IL App (1st) 192398. The McDonald case considered the very specific, yet important, issue of whether the exclusivity provisions of the Illinois Workers’ Compensation Act preempted claims for statutory damages under BIPA. In its decision, the First District ruled that the Illinois Workers’ Compensation Act, and specifically its exclusive remedy provisions, do not bar claims for statutory damages under BIPA.

An AI company harvested publicly available photographs from social media sites across the internet and then used those photographs to derive a biometric facial scan of each individual in the photograph. The company sold this database to law enforcement agencies to use in identifying persons of interest or unknown individuals. A woman sued in a class action, arguing that the harvesting of biometric data violated Illinois’ Biometric Information Privacy Act. The company removed the case to federal court, and the federal court ruled that the plaintiffs’ claims lacked standing under Article III. The appellate court agreed with the district court and affirmed, ordering that the case be remanded to state court.

Clearview AI is in the business of facial recognition tools. Users may download an application that gives them access to Clearview’s database. The database is built from a proprietary algorithm that scrapes pictures from social media sites such as Facebook, Twitter, Instagram, LinkedIn, and Venmo. The materials that it uses are all publicly available. Clearview’s software harvests from each scraped photograph the biometric facial scan and associated metadata, which it stores in its database. The database currently contains billions of entries.

Many of Clearview’s clients are law enforcement agencies. The clients primarily use the database to find out more about a person in a photograph, such as to identify an unknown person or confirm the identity of a person of interest. Users upload photographs to Clearview’s app, and Clearview creates a digital facial scan of the person in the photograph and then compares the new facial scan to those in its database. If the program finds a match, it returns a geotagged photograph to the user and informs the user of the source social-media site for the photograph.

In the wake of a New York Times article profiling Clearview, Melissa Thornley filed suit in Illinois state court under the Illinois Biometric Information Privacy Act (BIPA). BIPA provides robust protections for the biometric information of Illinois residents. Thornley’s complaint, filed on behalf of herself and a class, asserted violations of three subsections of BIPA. Clearview removed the case to federal court. Shortly after removal, Thornley voluntarily dismissed the action. Thornley then returned to the Circuit Court of Cook County in May 2020 with a new, significantly narrowed, action against Clearview. The new action alleged only a single violation of BIPA and defined a more modest class.

Recently, the U.S. Seventh Circuit Court of Appeals held that a putative class action lawsuit alleging a technical violation of the Illinois Biometric Information Privacy Act (BIPA) was sufficient to establish the Article III standing required in order to proceed in federal court, reversing the District Court’s dismissal of the claims. Only time will tell the full impact of this ruling but it does have the potential to be an important precedent that any business operating in Illinois and collecting fingerprints or utilizing facial-recognition technology must be aware of. Beyond its potential impact on Illinois businesses, the ruling is another decision interpreting the Supreme Court’s 2016 decision in Spokeo, Inc. v. Robins and the requirements set forth in that opinion for establishing Article III standing, and particularly the injury-in-fact prong of the standing analysis.

The plaintiff, Christine Bryant, worked for a call center in Illinois which had a workplace cafeteria with vending machines operated by the Compass Group. The machines did not accept cash and instead, employees had to scan and use their fingerprints to create user accounts and to purchase items.

Bryant initially filed a putative class action lawsuit in state court in the Circuit Court of Cook County. Her complaint alleged that Compass violated Section 15(b) of BIPA, which contains the requirement to obtain informed consent of individuals, by failing to: (1) inform her in writing that her biometric identifier was being collected or stored; (2) inform her in writing of the specific purpose and length of term for which her fingerprint was being collected, stored, and used; or (3) obtain her written release to collect, store, and use her fingerprint. Bryant’s complaint additionally alleged that Compass had also violated another section of BIPA, Section 15(a), which requires private entities that collect biometric information to make publicly available a data retention schedule and guidelines for permanently destroying the collected biometric identifiers, by failing to make such a written policy available to her or the other putative class members.

Following the filing of Bryant’s complaint in state court, Compass removed the action to federal court under the Class Action Fairness Act, 28 U.S.C. § 1332(d). In a somewhat unusual twist, it was the plaintiff who argued that she lacked Article III standing required to litigate her claims in federal court. Bryant argued that what she alleged in her complaint were bare procedural violations that did not constitute an injury-in-fact under Spokeo. The district court agreed with Bryant and remanded the action to state court. Compass appealed the district court’s ruling to the Seventh Circuit. This set up an odd dynamic on appeal where Compass, the defendant, argued that Bryant’s allegations did constitute an injury-in-fact sufficient to confer subject matter jurisdiction on the federal court.

Compass’s primary argument in favor of standing was that the Illinois legislature, by passing BIPA, elevated to protectable status an individual’s right to control his or her own biometric identifiers and information. The Court agreed with Compass with regard to Bryant’s claims concerning violations of Section 15(b) of BIPA. Relying on Justice Thomas’s concurrence in Spokeo, the Court focused on whether Bryant’s claims sought to vindicate a private right or a public one, which the Court characterized as “a useful distinction.” The Court reasoned that the disclosure requirements in Section 15(b) of BIPA protect a private right by granting individuals a right to be fully informed as to how their biometric information will be used before deciding to disclose such information. By contrast, the Court held that the public disclosure requirements in Section 15(a) of BIPA protect a public right because Section 15(a) creates an obligation to the public generally. Consequently, the Court only found the injury-in-fact requirement satisfied with regard to Bryant’s Section 15(b) claims but not her Section 15(a) claims.


In a 3-0 decision, the U.S. Court of Appeals for the Ninth Circuit ruled that Facebook users in Illinois can move forward with a class-action lawsuit challenging the company’s use of facial recognition technology. Facebook had argued that the court should not let the plaintiffs proceed on a class basis with claims that it violated the Illinois Biometric Information Privacy Act (often referred to as “BIPA”). The Ninth Circuit’s ruling in Patel v. Facebook affirmed the District Court’s decision to certify a class of Illinois Facebook users.

The BIPA is intended to protect the biometric privacy of Illinois citizens by imposing restrictions on the collection and storage of certain biometric information by private companies. One of the protections afforded by the law is the requirement that a company must obtain an individual’s written consent before collecting and storing any such biometric information.

The case stems from a class action complaint filed by three Illinois Facebook users on behalf of all Illinois Facebook users accusing the social media company of unlawfully gathering and storing its users’ biometric information, including through the use of facial recognition technology, without consent. Specifically, the suit targets a feature Facebook launched in 2010 called “Tag Suggestions” which uses facial recognition technology to build a “face template” of an individual from pictures uploaded to the site. The software builds these face templates by analyzing an individual’s face in uploaded photos and measuring various geometric data points on an individual’s face such as the distance between eyes, nose, and ears. Users are able to opt-out of the feature, and Facebook argued that it only builds face templates of Facebook users who have not opted-out and have the feature turned on.

If you’ve used Facebook at all in the past few years, you’ve probably noticed that every time you post a photo with one of your friends, Facebook automatically suggests you tag that person. While that might seem innocent enough, the facial recognition technology Facebook uses to accomplish that is highly controversial and possibly illegal.

Facial recognition technology is a relatively recent development and it didn’t take long for it to become controversial. With the abundance of cameras all around us, facial recognition technology allows owners of the technology to find us just about everywhere we go, which is why Facebook is now facing a class action consumer lawsuit on behalf of millions of Illinois users.

According to the lawsuit, Facebook used its facial recognition technology to gather and store biometric data on its users without their consent, which violates the Illinois Biometric Information Privacy Act of 2008. Facebook tried to have the class action dismissed and to force each plaintiff to sue them individually, knowing the costs of filing the lawsuit would prohibit most, if not all, of the plaintiffs from pursuing legal action.

But the court said the class action was the proper format for this particular lawsuit. Facebook appealed that decision, and the appellate court recently upheld the lower court’s ruling, allowing the class action to proceed as is.

The line between security and privacy has always been a bit blurry and it continues to get blurrier every day as technology advances. One of the latest developments in surveillance technology has been facial recognition software, which is allegedly capable of identifying you with just a quick scan of your face. While this could have far-reaching effects in the crime-solving world, it also eliminates much of our personal privacy in the process.

Brian Hofer is a paralegal in California who has been fighting to ban facial recognition software for the past five years. As soon as he became aware of the technology in 2014, he joined activist groups to try to get the technology banned from his hometown of Oakland. Once that was accomplished, he started working with other local government bodies across California to ban the technology from their streets. Since then, Hofer has drafted 26 different privacy laws for cities and counties all over the state of California, and all 26 have been approved.

While facial recognition technology may have been the catalyst for Hofer to start fighting for each citizen’s right to privacy, it has extended beyond that to include demands that companies and governing bodies be transparent about the kind of technology they’re using for their surveillance efforts. He has also convinced some cities, including Richmond and Berkeley, to cancel their contracts with tech companies like Vigilant Solutions and Amazon – both Richmond and Berkeley have sanctuary policies and both Vigilant Solutions and Amazon share information with ICE, so Hofer successfully argued that maintaining both the sanctuary policies and contracts with those companies constituted a conflict.

A person whose biometric information was collected by a private entity that failed to comply with the requirements of the Illinois Biometric Information Privacy Act was an aggrieved person entitled to sue within the meaning of the act, even if they had sustained no further injury beyond the violation of the act itself.

Six Flags Entertainment Corporation and its subsidiary Great America LLC own and operate the Six Flags Great America amusement park in Gurnee, Illinois. As part of this operation, Six Flags sells repeat-entry passes to the park. Since 2014, Six Flags has used a fingerprinting process when issuing those passes. The Six Flags system scans pass holders’ fingerprints, collects, records and stores “biometric” identifiers and information gleaned from the fingerprints, and then stores that data in order to quickly verify customer identities upon visits by pass holders to the park.

In May or June 2014, while the fingerprinting system was in operation, Stacy Rosenbach’s 14-year-old son, Alexander, visited the amusement park on a school field trip. In anticipation of the trip, Rosenbach purchased Alexander a season pass online. Rosenbach paid for the pass and provided personal information about Alexander, but Alexander was required to complete the sign-up process at the amusement park. Alexander was asked to scan his thumb into Six Flags’ biometric data capture system. He was then issued a season pass card. Rosenbach allegedly learned that Alexander’s fingerprints had been taken for the first time when Alexander returned home from the field trip.

Rosenbach eventually filed suit, acting in her capacity as mother and next friend of Alexander, against Six Flags.

After three dismissals, a class-action consumer lawsuit filed against Barnes & Noble over a 2012 data breach has been sent back to the U.S. District Court for the Northern District of Illinois.

In September of 2012, Barnes & Noble became aware that their credit card scanners had been compromised by “skimmers” which would collect the data from the credit cards that were swiped and transfer them to a third party, which would then sell the information online. Barnes & Noble waited a month before alerting their customers to the data breach, so in addition to allegations that Barnes & Noble failed to properly protect its customers’ data, the class action lawsuit further alleged the bookstore had violated the California Security Breach Notification Act.

Nevertheless, the district court dismissed the case three times. The class of plaintiffs appealed to the Seventh Circuit Court of Appeals, which reversed the decision to dismiss it and sent the case back to the district court.

One plaintiff’s accounts were frozen for three days, meaning she had no access to her own funds in that time period. Another plaintiff had their credit card inactivated for a week, thereby denying them the use of that card. Yet another plaintiff reinstated credit monitoring on their card, which is an additional charge of $17.99 per month. Still another plaintiff was unable to receive the value of their Barnes & Noble’s bargain.