FingerprintBiometric Litigation Continues To Rise As Businesses Work To Minimize Risk

Biometric Litigation Continues To Rise As Businesses Work To Minimize Risk

In 2008, Illinois enacted the Illinois Biometric Information Privacy Act (“BIPA”) with the purpose of recognizing a person’s privacy right to their “biometric information” and “biometric identifiers”.  BIPA was enacted in response to the growing use of biometrics by businesses.   

In part because of its private right of action, by which plaintiffs may bring suit against businesses directly, BIPA litigation remains at the forefront of the data privacy litigation landscape as businesses continue to collect the biometric identifiers of their employees.  Recent BIPA class action settlements with major tech companies like Facebook and TikTok have been in the hundreds of millions of dollars, but the majority of BIPA litigation is brought against small and medium sized enterprises who collect biometric information in employee timekeeping or for access controls to physical spaces.   

To date, defendants have found courts to be generally unwilling to dismiss BIPA litigation at early motion practice.  Two recent cases, Thornley v. Clearview AI and Barton v. Swan Surfaces, demonstrate that there are some potential limits to BIPA litigation. 

Thornley  v. Clearview AI 

In Thornley, Melissa Thornley accused Clearview AI of scaping publicly available photos from her social media accounts for facial recognition purposes and selling her biometric information to third parties without her consent.  Thornley v. Clearview AI, Inc., 984 F.3d 1241, 1242-1243 (7th Cir. 2021).  Thornley initially filed a complaint in Illinois state court, alleging as a class representative, that Clearview violated § 15(c) of BIPA, which requires in relevant part, that “[n]o private entity in possession of a biometric identifier or biometric information may sell, lease, trade, or otherwise profit from a person’s or a customer’s biometric identifier or biometric information.”  Id. at 1246.  Clearview removed the case to federal court on the basis that the allegation of a statutory violation gave rise to a concrete and particularized injury-in-fact that is necessary for Article III standing.  Id. at 1243.  Under the Constitution, a plaintiff must have Article III standing to sue in federal court, which requires that the plaintiff prove: (1) an injury in fact; (2) causation of the injury by the defendant; and (3) that the injury is likely to be redressed by the requested relief.  See Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547 (2016).  In Spokeo, the Supreme Court of the United States held that a statutory violation could be sufficient to constitute an injury in fact; however, it did not provide any analysis as to which types of statutory violations necessarily implicate concrete and particularized injuries in fact.  Id.   

The district court held that Clearview alleged violation of § 15(c) of BIPA was “only a bare statutory violation, not the kind of concrete and particularized harm that would support standing”, the case must be remanded to the state court.  Thornley., 984 F.3d at 1242.  Clearview then appealed to the Seventh Circuit, who concurred with the District Court and remanded the case back to the Illinois State Court for much the same lack of standing.  Id.  Clearview has now petitioned the Supreme Court of the United States to take its case.  See Porter Wells, Clearview AI Will Take BIPA Standing Challenge to Supreme Court. 

Barton v. Swan Surfaces, LLC 

In Barton, a unionized employee of Swan Surfaces, LLC (“Swan”) was required to clock in and out of her employer’s manufacturing plant using her fingerprints as part of company protocol.  Barton v. Swan Surfaces, LLC, No. No. 20-cv-499-SPM, 2021 WL 793983 at *1 (S.D. Ill March 2, 2021).  On May 29, 2020 Barton filed a complaint in the United States District Court for the Southern District of Illinois alleging that she represented a class of individuals who “while residing in the State of Illinois, had their fingerprints collected, captured, received, otherwise obtained and/or stored by Swan”.  Id. at *2.  Barton asserted Swan violated BIPA in: (1) failing to institute, maintain, and adhere to publicly available retention schedule in violation of 740 ILCS 14/15(a); and (2) failing to obtain informed written consent and release before collecting biometric of information.  Id.  On July 31, 2020, Swan filed a Motion to Dismiss, asserting in relevant part, that Barton’s BIPA claims were preempted by § 301 of the Labor Management Relations Act (“LMRA”).  Id.  

On March 2, 2021, the court held that as Barton was a unionized employee, her Collective Bargaining Agreement (“CBA”), which contained a management rights clause and grievance procedure, controlled and as such Barton’s BIPA claims were preempted by § 301 of the LMRA.  In coming to its conclusion, the court heavily relied on the courts holding in Miller v. Southwest Airlines, Inc., 926 F.3d 898 (7th Cir. 2019). Id. at *6. In Miller, the Seventh Circuit held an adjustment board had to resolve the employees’ dispute over the airline’s fingerprint collection practices because their unions may have bargained over the practice on their behalf.  Miller, 926 F.3d 898.  The court in Barton noted that the United States “Supreme Court has held that the RLA preemption standard is virtually identical to the pre-emption standard the Court employs in cases involving § 301 of the LMRA” and therefore the same outcome should apply.  Barton, 2021 WL 793983 at *4. 

Key Takeaway 

While these cases demonstrate the potential to circumvent or limit BIPA litigation, the increased volume of biometric information being used by companies and the push for biometric policies that govern the use of these technologies and promote safeguards for consumers will undoubtedly continue.  

With many states looking to implement biometric privacy laws similar to BIPA, it is important to have legal tech counsel to address compliance with these emerging laws. Beckage attorneys, who are also technologists and former tech business owners, have years of collective experience with new technologies, like artificial intelligence, biometric data, facial recognition technology. We have a team of highly skilled lawyers that stay up to date on all developments in case law on BIPA and who can help your company best defense given the current legal landscape. Our team can help assist your company in assessing and mitigating risks associated with emerging technologies. 

*Attorney Advertising: Prior results do not guarantee a similar outcome. 

Subscribe to our newsletter. 

VirginiaWhat You Need to Know About Virginia’s New Consumer Data Protection Act

What You Need to Know About Virginia’s New Consumer Data Protection Act

On March 2, 2021, Virginia enacted the Consumer Data Protection Act (the “CDPA”) with the goal of establishing a framework for controlling and processing the personal data of Virginia Residents. Where the CDPA resembles California’s Consumer Privacy Act (“CCPA”) in some regards and resembles the European Union’s General Data Privacy Regulation (“GDPR”) in others, the CDPA is likely the first step in a line of new state laws governing the processing of a consumers’ data.  As such, companies should use this time to familiarize themselves with the intricacies of the CDPA so as to begin to adapt to the intricacies of handling consumer data.

Who Does the CDPA Apply to?

The CDPA applies to all companies who operate a business or produce products or services that are targeted to residents of Virginia, and that:

  1. during a calendar year, control or process personal data of at least 100,000 consumers; or
  2. control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data. 

Equally important is who is exempted from the CDPA.  Va. Code Ann. § 59.1-572(A).  To that end, the CDPA does not apply to i) any governmental body within Virginia; ii) financial institutions or data subject to Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.); or iii) any covered entity or business associate governed by the privacy, security, and breach notification under HIPAA or HITECH.  Va. Code Ann. § 59.1-572(A).

What is “Sensitive Data” Under the CDPA?

Understanding what constitutes as “sensitive data” under the CDPA first requires an understanding of what is “personal data” under the CDPA.  The CDPA defines personal data as being “any information that is linked or reasonably associated to an identified or identifiable natural person”.  Va. Code Ann. § 59.1-571.  Nevertheless, personal data under the CDPA does not include de-identified data or “publicly available information”.  Id.

The CDPA more heavily regulates a covered business’ processing and handling of sensitive data.  Under the CDPA sensitive data is defined as including:

  1. personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
  2. the processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
  3. the personal data collected from a known child; or
  4. the precise geolocation of an individual.  Va. Code Ann. § 59.1-571. 

Moreover, the CDPA provides certain exceptions for data which is not to be considered sensitive data, including, but not limited to:

  1. protected health information under HIPAA; information used only for public health activities under by HIPAA; information derived from any of the health care-related information that is de-identified in accordance with the requirements for de-identification pursuant to HIPAA; patient identifying information for purposes of 42 U.S.C. § 290dd-2;  information created for purposes of the Health Care Quality Improvement Act of 1986 (42 U.S.C. § 11101 et seq.) or  the Patient Safety and Quality Improvement Act (42 U.S.C. § 299b-21 et seq.);
  2. information collected and maintained regulated and authorized under the federal Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.); personal data collected, processed, sold, or disclosed in compliance with the federal Driver’s Privacy Protection Act of 1994 (18 U.S.C. § 2721 et seq.); and
  3. personal data regulated by the federal Family Educational Rights and Privacy Act (20 U.S.C. § 1232g et seq.).  Va. Code Ann. § 59.1-571(C).

What is My Business Required to Do if it is a Covered Business?

Under the CDPA, a covered business is required to:

  1. adopt data minimization practices;
  2. disclose their privacy practices through a “meaningful privacy notice”;
  3. implement data security measures;
  4. refrain from discriminating against consumers who exercise their rights under the CDPA; and
  5. obtain consent prior to processing sensitive data, as defined below.  Va. Code Ann. § 59.1-574. 

Moreover, a covered business may be required to conduct risk assessments on their data protection practices.  These risk assessments must be taken where the covered business activities involve:

  1. the processing of personal data for purposes of targeted advertising;
  2. the sale of personal data;
  3. the processing of personal data for purposes of profiling, where such profiling presents a reasonably foreseeable risk;
  4. the processing of sensitive data; and
  5. any processing activities involving personal data that present a heightened risk of harm to consumers.  Va. Code Ann. § 59.1-576.

Does the CDPA Provide Any Rights to Virginians?

Under the CDPA, Virginians are provided certain individual rights including:

  1. the right to access their data;
  2. the right to amend their data;
  3. the right to delete their data;
  4. the right to transfer their data; and
  5. the right to opt out of certain uses of their personal data.  Va. Code Ann. § 59.1-573(A)(1-5). 

What Happens If My Business Violates the CDPA?

CDPA does not contain a private right of action.  Va. Code Ann. § 59.1-579(C).  As such, enforcement is the exclusive jurisdiction of the Virginia Attorney General.   Va. Code Ann. § 59.1-579(A).  Under the CDPA, the Virginia Attorney General is required to provide the covered business a letter outlining the provisions of the CDPA that have been, or are alleged to have been, violated.   Va. Code Ann. § 59.1-579(B).  The covered business than has 30 days to cure any alleged violations.  Id.  If the covered business cures the alleged violations of the CDPA “and provides the consumer an express written statement that the alleged violations have been cured and that no further violations shall occur” then Virginia Attorney General is not to seek statutory damages against the covered business.  Id.  Nevertheless, if the covered business fails to cure the alleged violations of the CDPA, it may be “subject to an injunction and liable for a civil penalty of not more than $7,500 for each violation.  Va. Code Ann. § 59.1-580(B).

When Will the CDPA Become Effective?

The CDPA will become effective on January 1, 2023.  Va. Code Ann. § 59.1-581.  Moreover, in contracts to the new California Consumer Privacy Rights Act (“CPRA”), the CDPA does not contain a twelve-month lookback period, and thus compliance with the CDPA will only be required moving forward.

What Do I Do Next?

Now is the time to prioritize developing a robust, scalable data privacy program within your organization.  First and foremost, conducting an assessment to determine what laws and regulations, such as the CDPA, CCPA, or GDPR, apply to your organization is a great starting place. Your business may be required to make additional disclosures surrounding your data collection practices and how consumers can exercise certain rights to that data.

Beckage’s dedicated data privacy attorneys routinely provide guidance on various consumer data privacy regulatory regimes and are especially adept to help your business adapt to the changing legal landscape.  We recommend reviewing all cookie consent banners and just in time notices to evaluate whether they provide the necessary opt out consent for targeted advertising as required by the CDPA and other evolving laws.  Based on the above, if you believe that the CDPA may impact your business, reach out to Beckage for assistance.

Subscribe to our newsletter.

*Attorney Advertising; prior results do not guarantee similar outcomes.

PrivacyVirginia, Oklahoma, and Florida Join Growing List of States With Proposed Privacy Legislation

Virginia, Oklahoma, and Florida Join Growing List of States With Proposed Privacy Legislation

Since California’s Consumer Privacy Act (CCPA) was passed in 2018, Beckage has seen a slew of other states follow suit in proposing and enacting their own comprehensive data privacy bills. Most recently, lawmakers in Virginia, Oklahoma, and Florida have joined the growing list of states with proposed privacy bills. So far this year, New York, Washington, and Minnesota have also introduced legislation governing the ways companies collect, store, use, and share consumer data and we expect to see other laws emerging in the coming months with still no federal data privacy bill in sight.  

Working with experienced privacy counsel can help build out data privacy programs that stand the test of time and contemplate emerging legislation.   

Below is an overview of the Virginia and Oklahoma proposed bills, their requirements, and their potential impact on the data privacy landscape. 

Virginia Consumer Data Protection Act (SB 1392) 

The Virginia proposal is quickly moving through the Virginia state legislature and is likely to be the next comprehensive state data privacy law on the books. This bill passed the Virginia House of Delegates on January 29th by a wide margin and was unanimously approved in the Senate on February 3rd. Assuming Governor Northam signs it into law, the Virginia Consumer Data Protection Act is set to go into effect on January 1, 2023. 

Who Does It Apply To? 

Companies that conduct business in Virginia or “produce products or services that are targeted to” Virginians would have to comply with the Virginia Consumer Data Protection Act if they: 

  • Control or process the personal data of at least 100,000 Virginians; or 
  • Control or process the personal data of at least 25,000 Virginians and derive over 50% of their gross revenue from the sale of that data. 

The Legislation does provide exemptions for financial institutions governed by the Gramm-Leach-Bliley Act, entities subject to HIPAA or HITECH, non-profits, and educational institutions. 

What Is Included? 

Included in this Bill are several requirements not covered under the CCPA or any other U.S. privacy law. One such obligation requires entities that control personal data to conduct protection assessments of any activities that use personal data for specific purposes, such as targeted advertising. These data protection assessments may be requested and evaluated by the attorney general to ensure compliance. 

This Act would afford Virginia consumers with several rights regarding their personal data, including the right to opt-out of the sale or use of their information for targeted advertising or profiling. It would also allow consumers to delete their data, move their data, correct inaccuracies in their data, and confirm if their data is being processed upon request.  

Notably missing is a private right of action through which consumers could seek damages for alleged violations. Instead, enforcement of the Act would be left exclusively to the attorney general, who may seek up to $7,500 per violation. 

Oklahoma Computer Data Privacy Act (HB 1602) 

Introduced on January 19, 2021 by Representatives Josh West (R) and Collin Walke (D), this Bill has bipartisan support in the Oklahoma House of Representatives. Its intended purpose is to give Oklahomans more online privacy by taking aim at tech companies. If passed, the Oklahoma Computer Data Privacy Act would go into effect on November 1, 2021. 

Who Does It Apply To? 

If passed, this act would apply to companies that operate in the state of Oklahoma and collect Oklahoman’s personal information or have information collected on their behalf, determine the purpose for and means of processing that information, and satisfy one of the following thresholds: 

  • Has an annual gross revenue exceeding $10 million; 
  • Buys, sells, receives, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices annually; or 
  • Derives 25% or more of their annual revenue from the sale of personal data. 

What Is Included? 

Companies subject to this legislation would be required to disclose what personal information they hold on a consumer and allow for the deletion of that information upon the consumer’s request. This proposal also mandates consumers opt-in to providing their personal data, which differentiates it from most other state privacy laws, like the CCPA. The Oklahoma Computer Data Privacy Act also differs from the CCPA in its inclusion of a broad private right of action through which Oklahoma residents could seek damages up to $7,500 for violations. 

Florida House Bill 969 (HB 969) 

Introduced on February 15th by Representative Fiona McFarland (R), House Bill 969 would place several requirements on businesses that deal with Florida residents’ private information. If passed, it would go into effect on January 1, 2022. 

Who Does It Apply To? 

For-profit companies that do business in Florida and collect personal information about consumers, have personal information collected on their behalf, or determine the process and means of processing personal information will have to comply with this Bill’s requirements if they satisfy one of the following thresholds: 

  • Has an annual gross revenue exceeding $25 million; 
  • Buys, sells, receives, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices annually; or 
  • Derives 50% or more of their annual revenue from the sale of personal data. 

What Is Included? 

HB 969 would require that applicable businesses notify consumers about their data collection and selling practices before or at the point of data collection. Under this Bill, consumers would also have the right to request their data be disclosed, corrected, or edited and the right to opt-out of having their personal information disclosed or sold to a third party. 

Applicable businesses would be required to implement reasonable security protocols to protect their consumer’s personal data. Also included is a private right of action through which a consumer “whose nonencrypted and nonredacted personal information or e-mail addresses are subject to unauthorized access” may seek damages for violations of the Bill. The Department of Legal Affairs would be authorized to bring other enforcement actions, up to $2,500 per unintentional violation and $7,500 per intentional violation. 

Potential Impact 

Currently, the data privacy landscape in the United States is a patchwork of enacted and proposed laws, all with their own requirements and consumer rights, creating a confusing web for companies operating in more than one jurisdiction. While advocates of these state privacy laws argue for the protection of consumers’ data in an increasingly digitally-driven world, opponents argue that the potential risk of operating within states who have enacted comprehensive privacy laws may deter businesses from expanding their operations there. 

A federal privacy law that could rectify the many differences between individual state laws would simplify this landscape, making it easier for companies to protect their consumers’ data and operate efficiently while complying with regulations.  

Beckage is closely monitoring these, and other emerging privacy laws. In the meantime, companies that collect personal data should start thinking about privacy compliance by conducting a baseline privacy assessment and starting to develop relevant policies and procedures. Beckage attorneys, who are also technologists and certified privacy professionals, are happy to help counsel your business on compliance with the CCPA, GDPR, and other pending and enacted privacy legislation.  We work with clients of all sizes to build out data privacy programs and address compliance matters.  

Subscribe to our newsletter. 

*Attorney advertising – prior results do not guarantee future outcomes. 

BiometricsBipartisan Group Proposes New York Biometric Policy

Bipartisan Group Proposes New York Biometric Policy


In January of 2021, a bipartisan group of New York State lawmakers proposed a comprehensive policy that places restrictions on the collection of biometric information by companies operating in the state. Assembly Bill 27, the Biometric Privacy Act, would allow for consumers to sue companies that improperly use or retain an individual’s biometric information. New York’s biometric act follows suit behind Illinois’ Biometric Information Privacy Act (BIPA), the first and most robust state law that guards against the unlawful collection and storing of biometric information. Like BIPA, Assembly Bill 27 was created to place regulations on a company’s handling of biometric data, such as fingerprints, voiceprints, retina scans, and scans of the hand and face geometry. Assembly Bill 27, however, does not cover writing samples, written signatures, photographs, or physical descriptions.

What Is Included?

The Biometric Privacy Act requires businesses collecting biometric identifiers or information to develop a written policy establishing a retention schedule and guidelines for permanently destroying the biometric data. The destruction of the data must occur when the initial purpose for collecting the biometric data has been “satisfied,” or within three years of the individual’s last interaction with the company, whichever occurs first. This bill also includes a private right of action that would allow consumers to sue businesses for statutory damages up to $1000 for each negligent violation and $5,000 for each intentional or reckless violation.

Further, AB 27 requires companies to obtain written consent from individuals before collecting, purchasing, or obtaining biometric information and provide notification to those individuals about the specific purpose and length of time the data will collected, stored, and used. Companies are prohibited from selling, leasing, trading, and profiting from biometric information and strict restraints are placed on a business’s ability to disclose biometric information to a third party without consumer consent.

The Impact of Biometrics on Future Legislation

With the increased volume of biometric information being used by companies leveraging biometric-driven timekeeping systems and other technologies, the push for biometric privacy policies that govern the use of these technologies and promotes safeguards for employees is gaining momentum. Several states are also looking to amend their breach notification and security laws to include biometric identifiers. For example, New York State’s SHIELD Act, the breach notification law enacted in 2019, has already been expanded to include biometric data in its definition of private information.

At Beckage, we have a team of highly skilled lawyers that stay up to date on proposed and enacted legislation. With states looking to implement biometric privacy laws similar to BIPA, it is important to have legal tech counsel to address compliance with these emerging laws. Our team can help assist your company in assessing and mitigating risks associated with emerging technologies.

Subscribe to our newsletter.

*Attorney Advertising. Prior results do not guarantee similar outcomes. *

WashingtonWashington State Legislature Considers Data Privacy Again

Washington State Legislature Considers Data Privacy Again

As 2021 unfolds, so does the data privacy regulatory landscape, with Washington state unveiling the Washington Privacy Act (WPA) (SB 5062). However, this is not the state’s first attempt at comprehensive privacy legislation. January 11, 2021, marked the third time in three years that the state considers comprehensive data privacy law. If passed, the law will take effect on July 31, 2022. It will join Washington’s state biometric law and a growing number of technology-focused privacy laws that frame evolving privacy legislation in the US. While the WPA does not appear to generate the same buzz as the California Consumer Privacy Act (CCPA), it would nonetheless have similar data protection obligations.

Who is covered and why?

In line with comprehensive data frameworks, the definition of personal data is broad. Under the WPA, personal data is defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” This definition excludes deidentified or publicly available information.

The law would apply to legal entities conducting business in the state or producing products or services targeting Washington residents. Such legal entities must also satisfy one or more of the following:

  • Control or process the personal data of at least 100,000 Washington residents during a calendar year, or
  • Derive over 25% of their gross revenue from the sale of personal data and control personal data of 25,000 or more Washington residents.

What are business obligations concerning consumer privacy rights?

Under the law, companies would be obligated to provide Washington residents with the privacy rights outlined below. The law, however, does not cover individuals in commercial or employment contexts. It only protects the personal data of Washington residents acting in an individual or household context.

Consumer Privacy Rights under WPA:

  • Right of Access;
  • Right of Rectification:
  • Right of Deletion;
  • Right of Portability;
  • Right of Opt-Out;

Business Obligations under WPA:

  • Notice/Transparency Requirements;
  • Risk Assessments;
  • Prohibition on Discrimination for exercising rights;
  • Purpose Limitation;
  • Processing Limitation

WPA is not unlike existing comprehensive privacy laws. Therefore, in addition to fulfilling consumer data privacy requests, WPA imposes staple provisions on business relating to third-party relationships, privacy notices, and data impact assessments. However, the law has a new requirement with specific coverage on technology-assisted contact tracing in light of the pandemic. For instance, Section 302 introduces prohibitions and conditions for the processing and disclosing technology-assisted contact tracing information. As the breadth of privacy laws expands and recognizes the impact of digital technologies, businesses should be prepared to respond to compliance obligations.

The Beckage team is monitoring the development of the WPA and other pending state data privacy laws going through state legislatures right now. Our team of data privacy and technology lawyers is here to assist your company with privacy compliance, develop relevant policies, and other privacy-related matters. A baseline privacy assessment is a great starting place to develop a data management framework that will help guide your business to compliance with future privacy regulations such as the WPA.

Subscribe to our newsletter.

*Attorney advertising – prior results do not guarantee future outcomes.

1 2 3 8