On September 17, 2021, the Illinois Court of Appeals for the First District ruled that some BIPA claims are subject to a five year statute of limitations, while others must be brought within one year. In Tims v. Black Horse Carriers, Inc., 2021 IL App (1st) 200563, the appellate court accepted a certified question

The use of facial recognition and other biometric technologies by businesses, retailers, and landlords continues to grow and has found a new application in response to the COVID-19 pandemic. Proper implementation and management of these technologies can help increase security and limit physical contact. Real estate management firms and various businesses may be able

Companies facing class action litigation stemming from Illinois’ Biometric Privacy Act, 740 ILCS 14/1 et seq. (BIPA), will not get conclusive guidance from the U.S. Supreme Court on the issue of Article III standing. Despite the substantial increase in BIPA class actions filed between 2018 and 2019, and amici briefs imploring the Supreme Court to review a Ninth Circuit holding for one such case, the high court declined to weigh in and denied certiorari. As a result, questions persist as to whether class action plaintiffs bringing BIPA claims in federal court have Article III standing due to continued inconsistent treatment within the Ninth Circuit and elsewhere regarding what constitutes real, concrete and particularized injury in cases relating to intangible harms. Therefore, companies with Illinois employees or consumers will continue to face uncertainty, and plaintiffs may aggressively shop for favorable fora (including California) to bring such cases.
Continue Reading Uncertainty persists in biometric litigation

Washington state’s lawmakers started the 2020 legislative session with a renewed focus on consumer privacy through the introduction of ten privacy-related bills across the state House and Senate on January 13. Chief among these proposals was the comprehensive Washington Privacy Act (WPA), a new version of which was re-introduced in the Senate after the previous bill died in the House in 2019. The WPA continues to draw comparisons to the now-effective California Consumer Privacy Act (CCPA), and the EU’s General Data Protection Regulation (GDPR). It borrows the concepts of data controllers and processors from the GDPR and the right to opt out of personal data sales from the CCPA, among other similarities between these forerunners of far-reaching privacy regulation. In addition to the new version of the WPA, Washington’s House introduced nine accompanying bills covering various aspects of consumer privacy, including: (i) granting more rights over biometrics (for which Washington has an existing law); (ii) artificial intelligence in employment decisions; (iii) requiring transparency over device connectivity; (iv) mandating notice and consent for voice data collection; and (v) strengthening oversight through the state’s chief privacy officer. Each of these bills highlights various isolated issues that would complement the foundational framework for data protection that the WPA proposal seeks to establish.
Continue Reading New year, new laws: Washington re-introduces comprehensive privacy act among flurry of 2020 consumer privacy bills

Massachusetts state Senator Cynthia Creem has introduced a consumer data privacy bill, SD 341, that would give Massachusetts consumers the right to sue in the event their personal information or biometric data is improperly collected or distributed or for any other potential violation of the new law. Under SD 341, and similar to Illinois’s Biometric Information Privacy Act (BIPA), consumers may not be required to demonstrate or have suffered monetary or property losses in order to seek damages for an alleged violation. Any violation of the proposed new law could be grounds for a valid private action.

The proposed bill is the latest signal that state legislatures are going to be increasingly active in regulating data protection issues. California’s new California Consumer Privacy Act (CCPA) is considered an expansion of privacy-related regulation beyond any existing federal or state law. Although the CCPA will not go into effect until January 2020, businesses are busy implementing compliance policies and procedures, including making plans now to ensure they can adequately and accurately respond to consumers’ requests regarding the type and nature of personal information they may possess on California residents. The Massachusetts bill appears to have many of the same characteristics as the CCPA, but its private right of action provision would be a boon for the plaintiff’s bar. Like Illinois’ BIPA and the Telephone Consumer Protection Act (TCPA), which have spawned scores of class action lawsuits, SD 341 does not require proof of actual damages. It states that “a violation of this chapter shall constitute an injury in fact to the consumer who has suffered the violation, and the consumer need not suffer a loss of money or property as a result of the violation in order to bring an action for a violation of this chapter.” A prevailing plaintiff can receive the greater of $750 “per consumer incident” or actual damages and can also receive attorneys’ fees.Continue Reading Comprehensive data privacy legislation introduced in Massachusetts – includes private right of action without a need to prove harm