Photo of Jim Barbuto

It is natural for businesses to be concerned about the security of their premises and to explore new technologies that can help mitigate health and safety risks related to that security. As retailers get back to business in the United States, the laws implicating biometrics and the increase in use cases for biometric technologies have

The use of facial recognition and other biometric technologies by businesses, retailers, and landlords continues to grow and has found a new application in response to the COVID-19 pandemic. Proper implementation and management of these technologies can help increase security and limit physical contact. Real estate management firms and various businesses may be able

Companies facing class action litigation stemming from Illinois’ Biometric Privacy Act, 740 ILCS 14/1 et seq. (BIPA), will not get conclusive guidance from the U.S. Supreme Court on the issue of Article III standing. Despite the substantial increase in BIPA class actions filed between 2018 and 2019, and amici briefs imploring the Supreme Court to review a Ninth Circuit holding for one such case, the high court declined to weigh in and denied certiorari. As a result, questions persist as to whether class action plaintiffs bringing BIPA claims in federal court have Article III standing due to continued inconsistent treatment within the Ninth Circuit and elsewhere regarding what constitutes real, concrete and particularized injury in cases relating to intangible harms. Therefore, companies with Illinois employees or consumers will continue to face uncertainty, and plaintiffs may aggressively shop for favorable fora (including California) to bring such cases.
Continue Reading Uncertainty persists in biometric litigation

Washington state’s lawmakers started the 2020 legislative session with a renewed focus on consumer privacy through the introduction of ten privacy-related bills across the state House and Senate on January 13. Chief among these proposals was the comprehensive Washington Privacy Act (WPA), a new version of which was re-introduced in the Senate after the previous bill died in the House in 2019. The WPA continues to draw comparisons to the now-effective California Consumer Privacy Act (CCPA), and the EU’s General Data Protection Regulation (GDPR). It borrows the concepts of data controllers and processors from the GDPR and the right to opt out of personal data sales from the CCPA, among other similarities between these forerunners of far-reaching privacy regulation. In addition to the new version of the WPA, Washington’s House introduced nine accompanying bills covering various aspects of consumer privacy, including: (i) granting more rights over biometrics (for which Washington has an existing law); (ii) artificial intelligence in employment decisions; (iii) requiring transparency over device connectivity; (iv) mandating notice and consent for voice data collection; and (v) strengthening oversight through the state’s chief privacy officer. Each of these bills highlights various isolated issues that would complement the foundational framework for data protection that the WPA proposal seeks to establish.
Continue Reading New year, new laws: Washington re-introduces comprehensive privacy act among flurry of 2020 consumer privacy bills

With the Artificial Intelligence Video Interview Act (effective January 1, 2020), or “AI Video Act,” Illinois has passed a groundbreaking new law regulating the use of artificial intelligence (“AI”) in video recruitment practices.

Background
Employers increasingly seek tech-enabled tools to facilitate the hiring, evaluation, retention and development of their workforces. However, as the implementation of

2019 signalled significant growth in both regulatory focus and litigation involving biometric privacy. The passage of the California Consumer Privacy Act (CCPA), the addition of biometrics to numerous state data breach notification laws (including New York), and continued class action lawsuits emanating from Illinois’ Biometric Information Privacy Act (BIPA) made biometrics a trend line in 2019 that shows no signs of slowing down in 2020. State legislatures will continue to take note of BIPA’s impact in Illinois and will watch closely as the CCPA is effective as of January 1, 2020, taking cues as to whether or how to implement statutory and regulatory frameworks for biometrics in their own states. Organizations that collect and use consumer or employee biometric data should be aware of their obligations and be on the lookout for more activity on both the regulatory compliance and litigation fronts in the new year.

BIPA provides an express private right of action for consumers who claim that their biometric privacy rights have been violated. In January of 2019, the Illinois Supreme Court affirmed this right when it ruled in Rosenbach v. Six Flags Entertainment Corp. that a plaintiff need only allege a violation of BIPA, not an allegation of actual harm, in order to plead a claim under the Act. Since this decision, BIPA has continued to spawn an onslaught of biometric privacy class actions.Continue Reading Biometric privacy: The year in review and looking toward 2020

Over the past several years, legislators from coast to coast have increasingly made data privacy and cybersecurity top priorities. The result has been a spike in the number and stringency of laws that impose proactive and reactive responsibilities – covering, for instance, data security and breach notifications – on companies that collect personal information, whether

Many states are following in the footsteps of Illinois’ Biometric Information Privacy Act (BIPA), a law that has led to an increase in the volume of class action privacy litigation and highlighted the importance of enterprise-level management of biometric data (e.g., fingerprint, voiceprint, and retina, facial, or iris image). Organizations that collect and use

After soliciting public comments since last November, the Chinese Ministry of Public Security (MPS) published the finalized Guideline for Internet Personal Information Security Protection (Guideline) on April 10, 2019. The Guideline applies to Personal Information Holders, defined as entities or individuals that “control and process personal information” through their provision of services using the Internet,

On April 10, U.S. lawmakers introduced the Algorithmic Accountability Act (the AAA). The AAA empowers the Federal Trade Commission (FTC) to promulgate regulations requiring covered entities to conduct impact assessments of algorithmic “automated decision systems” (including machine learning and artificial intelligence) to evaluate their “accuracy, fairness, bias, discrimination, privacy and security.” The bill is evocative