Introduction
From timekeeping technologies to dash cams, the Illinois Biometric Information Privacy Act (BIPA) is now being used to challenge a number and variety of time-saving programs and tools.
On this episode of We get privacy for work, we discuss the factors leading to the rise in BIPA cases.
Today's hosts are Damon Silver and Joe Lazzarotti, co-leaders of the Privacy, AI and Cybersecurity Group and principals, respectively, in the New York City and Tampa offices of Jackson Lewis. They are joined by Jody Mason and Jason Selvey, principals in the Chicago office.
Damon, Joe, Jody, and Jason, the question on everyone’s mind today is: What BIPA compliance risks should you consider before adopting new technologies, and how will that impact my organization?
Content
Joseph Lazzarotti
Principal, Tampa
Welcome to the We get privacy podcast. I'm Joe Lazzarotti, and I'm joined by my co-host, Damon Silver. Damon and I co-lead the Privacy, Data, and Cybersecurity Group at Jackson Lewis. In that role, we receive a variety of questions every day from our clients, all of which boil down to the core question of how do we handle our data safely? In other words, how do we leverage all the great things data can do for our organizations without running headfirst into a wall of legal risk, and how can we manage that risk without unnecessarily hindering our business operations?
Damon Silver
Principal, New York City
On each episode of the podcast, Joe and I talk through a common question that we're getting from our clients. We talk it through in the same way that we would with our clients, meaning with a focus on the practical. What are the legal risks? What options are available to manage those risks, and what should we be mindful of from an execution perspective?
Our question today is what's going on with all this BIPA litigation? To answer that question, we're bringing on two special guests, Jody Mason and Jason Selvey, who sit in the firm's Chicago office and spearhead our group's BIPA litigation practice.
Jody, welcome to the podcast. To get us started, could you just share a little background about BIPA? How did we get to where we are today with all these claims?
Jody Mason
Principal, Chicago
I am actually going to punt that one to Jason. Jason, if you want to give us background and an intro about the statute.
Jason Selvey
Principal, Chicago
First of all, thanks for having me. How did we get here? Bad luck. Let's start with that. Let's say the Illinois legislature is not doing us any favors. Really, the statute is actually a number of years old – 17 years old. About seven or so years ago, some enterprising plaintiff's attorneys all of a sudden looked at the statutes and said, this looks like a good statute to use, since it's amenable to class actions. All of a sudden, we were the envy of the nation with a tidal wave of class actions. There have been thousands of them. There have only been a couple that have gone to trial, but at the same time, it's been quite a few. That's how we are where we are today.
Things are still developing even now. We can talk more about it, but there are still cases that are defining the law and defining what the covered data is. We're still on the road here, so to speak. That's how we got to where we are today.
Silver
Thanks, Jason. We're level setting for the audience, so that's a helpful recap of what BIPA is, how the statute has evolved and been seized upon by the plaintiff's bar.
When we're talking about biometric information that is covered by the statute, what are we talking about? Can we get into some of the specifics around the types of data that might trigger the application of the law?
Mason
BIPA actually regulates two different types of data. These are both terms of art under the statute – it covers biometric identifiers and biometric information. They sound similar, but they're actually two different things. Biometric identifiers are based on a body part. It's a retina or iris scan, fingerprint, voice print, or a scan of hand or face geometry. Biometric information is data that's derived from a biometric identifier; regardless of how it's captured, converted, stored, or shared, it is used to identify an individual. That's really the key part that we see a lot of litigation about – used to identify an individual. What does that mean? As you can imagine, there's been a fair amount of litigation over that issue. There continues to be a lot of litigation about what that means and about the terms themselves. The statute doesn't define voice print, scan of hand or face geometry, so what does that mean? The courts are still grappling with those issues. We expect that it will continue to be the subject of litigation as these cases continue to progress.
Lazzarotti
Jody, what kinds of use cases are you seeing that the litigation that you are handling is coming from? I imagine there are a lot of similar types of uses of what is generally referred to as biometric data information. What are you guys seeing in terms of use cases?
Mason
There are a lot of different types of technologies that are being targeted. In the employment context, cases are brought by employees or temporary workers. By and large, the most prevalent type of case that we're seeing involves timekeeping technology. A time clock that allows people to clock in or out by scanning a finger, a face, an eye, or a hand.
That's certainly not the only type of case we see under the statute. We've seen litigation involving dash cam technology. We've seen cases involving point-of-sale systems and security access systems. Somebody scanning a finger or a body part to access a part of a building, a key storage system, or a medication dispensing cabinet. There have been cases involving video game avatars, online photo storage, and theme park entry. We've seen vending machines and test-taking software.
The plaintiffs' bar has really tried to be creative and push the envelope in terms of the types of technology that they target. As these technologies become more ubiquitous, they're spurring more and more of this type of litigation.
Lazzarotti
One question about that. I presented at a conference a couple of days ago, and there was an interesting discussion. A lot of problems that some employers are having are identifying remote IT workers who are trying to get these jobs fraudulently. One of the techniques is, can we ask an applicant to show their driver's license to verify that that's who they say they are? I believe the Illinois statute may exclude photographs, but are you seeing any issues like that, where something that might be excluded could be included? Have you seen that issue come up where you use a photograph or something?
Mason
Yes, there is a fine line. Like I said, the scan of face geometry is not defined in the statute. We don't have a lot of guidance as to what that means. Yes, you are right that photographs are exempted from coverage under the statute. The question becomes, when is something just a photograph, and when is something being done to the photograph to scan facial geometry? That line is not always as clear as you might expect it to be. It's been the subject of litigation as to when something is covered and when it is exempted or outside the scope of the statute. Certainly, something to be mindful of.
We've seen a lot of litigation, for example, targeting financial services companies where somebody provides perhaps a photo ID that is then compared against a live photo or somebody's taking a selfie. Is this the same person in the driver's license as the person who's sitting here on the camera in front of me? That is something that has been targeted in litigation because it's that act of comparing those two photos that the plaintiff's bar has argued involves facial geometry scans.
Silver
Jason, beyond the fact that various companies out there are using different types of biometric technologies for timekeeping or access control, including for vending machines, that's definitely one I was unaware of. What is it that these companies are doing wrong? What are the core elements of the claims that are being brought under BIPA?
Selvey
I'd say the first question is whether or not it's covered data, of course. Let's say that it is covered data; under those circumstances, you've got the big three. The big three are what we see in almost all the cases.
The first one is Section 15A, which I'm going to shorten because it's long and confusing. It's having a retention and destruction policy for your covered biometric data. You must check it within the time that it's no longer needed in Illinois, or within three years, whichever comes earlier. That's a common one.
The next one is the 15B subsection claim, which is really where it is. That's the consent and information disclosure claim. You have to get consent before collecting or taking any of those. There are several terms for it within the BIPA, like get knowing and written consent. Also, you have to make certain disclosures, such as how you are going to take it, what you are going to use it for, and things like that. There are multiple requirements. That is an easy thing to hone in on and easy to, at least in the past, have issues with.
Then, the last one is the disclosure of the biometric data. Here, I sometimes think the plaintiffs are a little wishy-washy, and they don't know what they might be alleging, but here it is. The most common thing is to go to your vendor or somebody who's keeping that biometric data for you, and say that you have to get consent for that too. It says it in the statute. Let's say that you don't. Then in that case, you've got another claim.
Now, there are a couple of others that are just not as common. For example, safeguarding the data appropriately. You'd think that might actually be common, but it would involve questions of fact for the plaintiffs; that's more complicated, so why get into that? Those are what we see most.
Then, the thing we really see that is also important is the damages under the statute and what's being requested. This has actual damages. Let's throw those to the side because we're not aware of a single case under the belt where there has been any harm, like someone had their identity stolen or anything like that. It goes to the statutory damages, which are $5,000 for reckless or intentional violation and $1,000 for negligent violation, plus attorney's fees and costs. That's really where and why the plaintiff's bar is interested, of course. That's why they bring those claims in the first place.
Silver
Just a quick follow-up on that, Jason. On the topic of consent specifically, are you finding that most defendants didn't get consent at all, or that their consent was defective? What does the fact pattern typically look like?
Selvey
That depends on the era. When this first came down, back then, it was very common for someone to say, what are you talking about? As time has gone by, Jody would agree, they will be more and more compliant. There are plenty of times now where we get a case and say, plaintiff's attorney, look at this, and they're out of there. The kinds of things you see, though, are often things that are defective. Actually, I'm not going to say defective. I'm going to say less specific, perhaps, where you might see a claim based on that one we wouldn't agree with, but something like that. These days, there are a good number of companies that are really doing it. It's easier to get examples from other companies to start with.
Mason
Damon, on that, we also are seeing, as more and more companies have become compliant, courts are going to grapple with the question of post-use consent and what the effect of that is. We don't have clear guidance from courts on what it means when a company gets consent after someone has been using a system for some period of time, but that's something that's going to be working its way through the courts as well.
Silver
Just to clarify, Jody, there are claims being brought saying that maybe as of June 1st of this year, you are getting compliant consent, but prior to that, you were not. So, we're making a claim based on the prior violations.
Mason
Yes, the statute suggests, although it's not entirely clear, that consent should be obtained prior to collection. If there was no consent in place prior to the first collection or disclosure of data, that's where we see a claim brought a lot of times.
Silver
Are you seeing that it's the case that when a company goes to remedy the fact that it either wasn't getting consent at all or the consent might not have been as specific as it could have been, that then prompts the bringing of claims because it puts this on people's radars?
Mason
That's certainly something that we do see periodically. We always recommend that companies work closely with counsel with respect to policies and consents.
Lazzarotti
Do you have any other kind of trends, Jody, that listeners may find interesting or helpful as they think about or implement different types of technologies that you're seeing in the litigation that might be helpful?
Mason
BIPA continues to be the subject of a lot of litigation, including a lot of appellate review. We don't expect that to change. Two big issues right now that we can talk about are on the radar that we expect will be decided probably within the next year, and are working their way through the courts. One is with respect to the scope of the healthcare exemption under BIPA.
BIPA expressly excludes from the definition of biometric identifiers and biometric information, information that is collected, used, or stored for healthcare treatment, payment, or operations under HIPAA. The Illinois Supreme Court decided a case at the end of 2023 called Mosby v. Ingalls Memorial Hospital. In that case, it involved healthcare workers who were scanning their fingers to access a medication dispensing cabinet. The Illinois Supreme Court said that any collection of data in connection with that medication dispensing cabinet falls within the scope of that healthcare exemption. It's just excluded from coverage under the statute. The big question that the courts are now grappling with is what happens when it involves a timekeeping system used by healthcare workers? Is data generated from that type of system, and can that be excluded from the scope of the statute as well? That issue is currently up on appellate review, so we're watching closely.
The other issue that we're seeing that's been a big subject of attention from the courts over the past year is the effect of a clarification to the statute that was enacted by the Illinois General Assembly about a year ago, in August of 2024, in response to the Illinois Supreme Court's decision in Cothron v. White Castle System, Inc. The Illinois General Assembly essentially said that when the same entity collects the same biometric identifier information from the same individual using the same mechanism of collection, that, at most, that's a single violation of the statute for which there can be, at most, one recovery. The real big question right now is, does that clarification legislation apply to cases that were pending at the time that it was enacted, or does it only apply prospectively to future cases? Obviously, that will have a potentially very large impact on cases that are pending because it could take off the table the possibility of what we call per-scan damages. The Federal Appellate Court for the Seventh Circuit has recently decided to take that issue up. We're all waiting to see what happens with that issue.
Silver
Jason, would you mind just, at a very high level, for those who maybe haven't had the pleasure of going through one of these cases, just take us through what they look like, starting from the filing, which is that usually multiple filings by different plaintiff firms, or is it just one filing? Then, do we usually make a motion to dismiss or answer? What does the case usually look like, and how does it play out?
Selvey
I'll say this: maybe in the earlier days, we saw more things, like two quick filings for the same thing. We don't see that as much anymore; now, it's really just usually one filing brought by. This is interesting, maybe not interesting, but there are around 10 firms that bring all of these. Maybe you're not going to be so surprised, but we get the complaint in, and I have never been in an area of law where it has been such a chance to be creative. We do everything from filing a demand for a bill of particulars just to slow them down and say, give us all this information about your damages claim and so forth. Moving to dismiss on, just these great grounds, different ones like railway preemption, even though it may be a railroad, an airline or something like that. Knocking people out because they're union members. We try to be our most creative because we're really facing it here. At a high level, we fight and fight, which wears them out. We stay cases when it makes sense and we can do so.
In the end, where do these end? Well, I mean, most do end in settlement, but not always. You can win that motion to dismiss sometimes. That, of course, is a good feeling. Like I said, only a couple have gone to trial, and that's really the way that they go. Again, it's great to be creative in these.
Silver
Are you seeing any that go to a summary judgment motion, or is it typically either we went on a motion to dismiss or resolve a certain discovery?
Selvey
It's not usually that we're afraid; it's that we're so busy slowing things down and making sure that we get a good result. I have filed motions for summary judgment before, and they do happen, certainly. At the same time, some of the things that we're bringing defenses about may not look very different at summary judgment. For example, is this consent good enough? Yes, you could find later evidence, maybe. Summary judgment may be different, but it may be exactly the same. We do get there, and we do get to other motion practice certainly along the way.
Lazzarotti
Have you guys seen any developments in other states that are raising any similar types of claims at this point?
Selvey
The one that's just like BIPA, or maybe not just like BIPA, but quite a bit, is Texas. It's also a little older; I don't remember the year. The biggest difference between Texas and Illinois is that it has to be destroyed. The data has to be destroyed within the time it's not needed, essentially, or three years, whichever is earlier. It's one year in Texas. Washington also has one that's more about the use of data for commercial purposes. Two key things about this and the other ones I might have mentioned are that there's no private right of action. That's why you haven't had a massive movement of plaintiff’s attorneys to Texas or to Washington.
One of the big ones is Colorado, which just enacted a law on July 1st of this year that deals with biometric information as well. It uses some of the same words as BIPA, some not. An important thing is that it does allow requiring, as a condition of employment, that employees give you permission to use their biometrics for a discrete number of purposes. Now, for us, the one we see most often on that list is timekeeping. Not everything we see is out there. Also, there are some other requirements there. Also, you have to have a crisis response plan. There are a couple of others, too. We've seen for years, New York toying with doing one itself, but that's it for now. I'm sure we'll see more as time goes on.
Silver
Jody, to help us land this plane and wrap up, could you talk a little bit about what companies can do to get out in front of these claims and put themselves in a better position?
Mason
The first thing, Damon, that I would recommend that companies do is really just take stock of the technologies that they're using. To be aware of whether or not any of the technologies implemented company-wide could potentially implicate BIPA or similar statutes in the states in which the company operates. Even if a company has a policy and consent in place, it's really a good idea to have a periodic review of those policies and consents with counsel. As Jason mentioned, we're seeing new laws enacted, and the case law continues to develop. We're seeing how the plaintiffs are bringing these types of claims and how they're framing the issues. It's just a good idea to periodically have those policies and consents reviewed. Once you have those policies and consents in place, you do a periodic review of them. Then, looking at what you're doing to implement those policies and making sure that you're doing what you say that you're going to do – you’re following the policies and getting the consents that you need to be getting. You can have the greatest policies in the world in place, but if you're not following them, you could still have a potential issue.
Certainly, if you operate in Colorado, you want to make sure to update your policies to account for that new statute that's in place. This is the big one. I would say in a perfect world, if a company can have a process in place for the review of new technologies before they're implemented, that's really key. To have legal review, either with inside or outside counsel, to say, this is the technology we're thinking of using or implementing, and here’s how we're planning to use it. Does it implicate BIPA or any other potential privacy laws in the states where we're using it? What do we need to do to get compliant, ideally, before that technology is implemented? If you do those things, knock on wood, you will stay out of the crosshairs of the plaintiff's bar.
Lazzarotti
Thank you guys so much for coming on. This has really been helpful, I think, for us and for everyone. Damon, it's always a pleasure presenting with you.
If anyone has any questions or suggestions, feel free to reach out to us at privacy@JacksonLewis.com.
© Jackson Lewis P.C. This material is provided for informational purposes only. It is not intended to constitute legal advice nor does it create a client-lawyer relationship between Jackson Lewis and any recipient. Recipients should consult with counsel before taking any actions based on the information contained within this material. This material may be considered attorney advertising in some jurisdictions. Prior results do not guarantee a similar outcome.