In 1890, a 34-year-old Bostonian lawyer penned an article asking whether the law should play a role in protecting citizens’ right to privacy against threats of technological intrusion. “Recent inventions and business methods call attention to the next step which must be taken for the protection of the person,” the lawyer wrote. “Numerous mechanical devices threaten to make good the prediction that ‘what is whispered in the closet shall be proclaimed from the house-tops.’”
The lawyer: future Associate Justice Louis Brandeis.
His article, “The Right to Privacy”—which Brandeis co-wrote with his law partner, Samuel Warren—foreshadowed his celebrated dissent in Olmstead v. United States, where he famously wrote: “The makers of our Constitution … sought to protect Americans in their beliefs, their thoughts, their emotions and their sensations. They conferred, as against the government, the right to be let alone—the most comprehensive of rights and the right most valued by civilized men. To protect that right, every unjustifiable intrusion by the government upon the privacy of the individual, whatever the means employed, must be deemed a violation of the Fourth Amendment.”
A century later, the Illinois Supreme Court cited Brandeis’s famous words in Rosenbach v. Six Flags, 2019 IL 123186 (Jan. 25, 2019), holding that Illinois’ Biometric Information Privacy Act (BIPA) grants individuals a “right to privacy in and control over their biometric identifiers and biometric information.” This seminal ruling has important ramifications for the treatment of biometric information and the potential legal exposure faced by even well-intending companies.
The Birth of Biometrics
Biometric systems analyze unique physical or behavioral characteristics to verify identity.
In practice, this means using our faces to unlock our phones, or our eyes to unlock our homes. Likewise, companies verify customer identities through voice recognition software, while law enforcement combines DNA scans with geolocation data to track suspects. Long gone are the days of passcodes and padlocks; today, we safeguard our privacy with biometrics.
With the passing of BIPA in 2008, Illinois became the first state to regulate the collection and storage of biometric information. Among other things, BIPA requires companies doing business in Illinois to: obtain a “written release” from individuals prior to collecting or disclosing their biometric information; destroy biometric information in accordance with a publicly available retention policy; and store biometric information in a “reasonable manner.” As the Electronic Frontier Foundation recently proclaimed, “BIPA is the strongest biometric privacy law in the United States.”
Notably, under BIPA, a prevailing party may recover actual damages or liquidated damages of $1,000 (whichever is greater) for each violation. If the violation is intentional or reckless, however, these liquidated damages balloon to $5,000 per violation. Injunctive relief and reasonable attorney fees and costs, as well as expert witness fees and other expenses, are also available to the prevailing party.
Illinois is not the only state to have addressed biometrics via legislation. Since 2008, Washington and Texas have both passed similar privacy laws. And while each permits enforcement actions by the respective state Attorney General, what makes BIPA unique is that only it provides private individuals with the ability to seek monetary damages for violations. Because of this damages provision, BIPA has spawned numerous class action lawsuits in recent years against some of the country’s biggest tech companies—Google, Snapchat and Facebook among them.
BIPA provides a private right of action to anyone “aggrieved” under the statute. As recent decisions show, however, whether one has been “aggrieved” is open to interpretation. That is, until recently.
In January, the Illinois Supreme Court held in Rosenbach v. Six Flags that individuals need not allege a real-world harm to be considered “aggrieved” under the statute; instead, individuals need only allege a “technical violation” under the act.
Applied to the facts at hand, this meant the plaintiff—whose 14-year-old son provided a thumb scan to obtain a Six Flags season pass—could proceed with a class action against the amusement park. As the unanimous court explained, “when a private entity fails to comply with one of [BIPA’s] requirements, that violation constitutes an invasion, impairment, or denial of a person’s statutory rights … No additional consequences need be pleaded or proved.”
Onward Toward the Onslaught?
In the past two years alone, more than 200 BIPA class actions have been filed—a number that will undoubtedly increase in the wake of Rosenbach. To be sure, just two weeks after the Illinois high court issued its opinion, a class action was filed against Ryder Integrated Logistics Inc., a company with 7,000 employees that, according to the complaint, “required employees to use their handprints as a means of authentication” without their consent. (Relatedly, provisions requiring consent to biometric security are also starting to appear in employee handbooks.)
Moreover, several states—including California, Alaska and Idaho—have tried, unsuccessfully, to pass similar legislation. Given the attention BIPA is currently receiving, it is possible a revitalized call for legislative action will be forthcoming in these states as well.
Rosenbach also comes as a blow to Facebook and Google, both of which are enmeshed in BIPA cases of their own. Indeed, in the Facebook case—which is currently pending before the U.S. Court of Appeals for the Ninth Circuit—the social media conglomerate argued that, contrary to the lower court’s ruling, the plaintiffs’ class should not have been certified because BIPA requires a showing of actual injury.
Given the privacy interests at stake in BIPA cases, Rosenbach may spark an increase in insurance disputes as well. With appropriate caveats, the most significant question for insureds and insurers alike is going to be whether a BIPA violation involves a “personal and advertising injury” arising out of an enumerated offense under the parties’ commercial general liability policy. Of the various offenses, the one most likely to be implicated is the “oral or written publication of material that violates a person’s right to privacy.” Considering that “publication” is not a prerequisite to proving a BIPA violation, the answer to this question is far from certain.
Currently perched on the event horizon is an uptick (and perhaps an onslaught) of BIPA claims. Not to mention the additional category of attendant insurance claims. Going forward, businesses, consumers and litigators would be wise to monitor this space, as Rosenbach has all but redefined the biometric landscape and required interested parties to stand up and take notice.
Jeffrey N. Rosenthal is a partner in Blank Rome’s Philadelphia office. He concentrates his complex corporate litigation practice on consumer and privacy class action defense, and regularly publishes and presents on class action trends, attorney ethics and social media law. Contact him at Rosenthal-j@BlankRome.com.
Thomas F. Brier Jr. is an associate in the firm’s Philadelphia office. He concentrates his litigation practice on a variety of criminal and civil litigation matters, and has written extensively on issues pertaining to data privacy and cybersecurity. Contact him at TBrier@BlankRome.com.