Photo of Michael Galibois

On September 17, 2021, the Illinois Court of Appeals for the First District ruled that some BIPA claims are subject to a five year statute of limitations, while others must be brought within one year. In Tims v. Black Horse Carriers, Inc., 2021 IL App (1st) 200563, the appellate court accepted a certified question

Many online platforms are using verification tools to address the broader concern of trustworthiness and credibility on the Internet. With a general move toward a “verified internet,” these online platforms are looking at new verification measures, including facial recognition and other biometric technology. The online adult video platform Pornhub announced last week that it will be introducing biometric technology to verify users who upload videos. In a statement, Pornhub explained that verification will be done by Yoti, a digital identity verification company, “by providing a current photo and government-approved identification document.”

Yoti advertises that it is a “privacy driven” verification solution. The company is a conduit between consumers and the platform owners, like Pornhub. Essentially, a consumer will provide Yoti with their biometric identifier, such as a video or voice recording, plus their government identification. Yoti will then verify that data for the platform owner, such as Pornhub. Pornhub will not see that information, but will rely on the verification to allow the consumer to access their site.
Continue Reading Use of biometric technology is latest trend toward a verified internet

On January 6th, the first day of the New York legislature’s 2021 session, NY lawmakers proposed Assembly Bill 27 (AB 27), the Biometric Privacy Act.  The legislative purpose of AB 27 is to provide safeguards for consumers regarding their biometric identifiers, such as fingerprints, handprints, retina or iris scans, voiceprints, and other facial and hand recognition.  Effectively, the proposed Act would require private (non-governmental) organizations that possess a biometric identifier or biometric information (i.e., information “based on” a biometric identifier) (collectively “biometric data”) to develop a written retention policy  setting forth the time period for information containing biometric data, as well as guidelines for permanently destroying such biometric data either when: (i) the initial purpose for obtaining such information “has been satisfied,” or (ii) within three years of the individual’s last interaction with the private entity, whichever happens first.

AB 27 would also require organizations to obtain individuals’ express written consent for the collection of their biometric data prior to collecting or otherwise obtaining such data. In addition, the proposed Act would prohibit organizations from selling or otherwise profiting from the biometric data which they possess, and separately mandate organizations to provide technical and organizational safeguards around biometric data that are the same or more protective than the measures it maintains for other confidential and/or sensitive information.
Continue Reading New York proposes a new Biometric Privacy Act

The use of facial recognition and other biometric technologies by businesses, retailers, and landlords continues to grow and has found a new application in response to the COVID-19 pandemic. Proper implementation and management of these technologies can help increase security and limit physical contact. Real estate management firms and various businesses may be able

Companies facing class action litigation stemming from Illinois’ Biometric Privacy Act, 740 ILCS 14/1 et seq. (BIPA), will not get conclusive guidance from the U.S. Supreme Court on the issue of Article III standing. Despite the substantial increase in BIPA class actions filed between 2018 and 2019, and amici briefs imploring the Supreme Court to review a Ninth Circuit holding for one such case, the high court declined to weigh in and denied certiorari. As a result, questions persist as to whether class action plaintiffs bringing BIPA claims in federal court have Article III standing due to continued inconsistent treatment within the Ninth Circuit and elsewhere regarding what constitutes real, concrete and particularized injury in cases relating to intangible harms. Therefore, companies with Illinois employees or consumers will continue to face uncertainty, and plaintiffs may aggressively shop for favorable fora (including California) to bring such cases.
Continue Reading Uncertainty persists in biometric litigation

2019 signalled significant growth in both regulatory focus and litigation involving biometric privacy. The passage of the California Consumer Privacy Act (CCPA), the addition of biometrics to numerous state data breach notification laws (including New York), and continued class action lawsuits emanating from Illinois’ Biometric Information Privacy Act (BIPA) made biometrics a trend line in 2019 that shows no signs of slowing down in 2020. State legislatures will continue to take note of BIPA’s impact in Illinois and will watch closely as the CCPA is effective as of January 1, 2020, taking cues as to whether or how to implement statutory and regulatory frameworks for biometrics in their own states. Organizations that collect and use consumer or employee biometric data should be aware of their obligations and be on the lookout for more activity on both the regulatory compliance and litigation fronts in the new year.

BIPA provides an express private right of action for consumers who claim that their biometric privacy rights have been violated. In January of 2019, the Illinois Supreme Court affirmed this right when it ruled in Rosenbach v. Six Flags Entertainment Corp. that a plaintiff need only allege a violation of BIPA, not an allegation of actual harm, in order to plead a claim under the Act. Since this decision, BIPA has continued to spawn an onslaught of biometric privacy class actions.Continue Reading Biometric privacy: The year in review and looking toward 2020

Many states are following in the footsteps of Illinois’ Biometric Information Privacy Act (BIPA), a law that has led to an increase in the volume of class action privacy litigation and highlighted the importance of enterprise-level management of biometric data (e.g., fingerprint, voiceprint, and retina, facial, or iris image). Organizations that collect and use

Illinois Biometric Information Privacy Act, 740 ILCS 14/1 et seq. (BIPA) stands out among state biometrics statutes nationwide in that it includes a private right of action for anyone “aggrieved” by a private entity’s failure to comply with BIPA’s compliance requirements. The Illinois Supreme Court recently ruled that a plaintiff may assert that they are

The Ninth Circuit added another chapter to the storied tale of Article III standing jurisprudence on August 15 when, on remand from the Supreme Court, the appellate court unanimously revived a plaintiff’s Fair Credit Reporting Act (“FCRA”) suit in Robins v. Spokeo, Inc., __ F.3d __, 2017 WL 3480695 (9th Cir. Aug. 15, 2017).

The single FCRA claim asserted by Thomas Robins is premised upon the Spokeo website, which collects data to build consumer-information profiles.  Profiles may allegedly include such details, as the court noted, as a “person’s age, contact information, marital status, occupation, hobbies, economic health, and wealth.”  Robins’ website profile allegedly included his inaccurate age, marital status, reported wealth and profession, and even his photo (of a different person).

He sued Spokeo for willful violation of section 1681e(b) of the FCRA, alleging that it had “failed to ‘follow reasonable procedures to assure maximum possible accuracy’ of the information in his credit report.”  A willful violation allows for a statutory award, even in the absence of actual damages.  See id. 15 U.S.C. § 1681n.  Robins alleged that the publication of the inaccurate information hurt his job prospects and caused him to suffer emotional distress.   Whether such alleged injuries satisfied the Article III test for standing has been the focus of the litigation, which is now in its seventh year.

On the first appeal, the Ninth Circuit reversed the district court’s dismissal of the suit, finding that Robins had pleaded a “concrete and particularized” injury, i.e., an injury-in-fact, because he had alleged Spokeo violated his individual statutory rights (Spokeo I).  The Supreme Court in May 2016 vacated the Ninth Circuit’s decision (Spokeo II).  While the Court agreed Robins’ alleged injury was particularized to him, it held that a mere alleged statutory violation was not enough to establish a concrete injury necessary for Article III standing.
Continue Reading Ninth Circuit Holds Alleged FCRA Violation Satisfies Article III Standing