Companies should take note of the recent expansion of biometric privacy laws, which could have a significant impact on their businesses, changing how they collect and process biometric data and how third-party vendors handle such data.
Background on BIPA
The Illinois Biometric Information Privacy Act (BIPA) was passed on October 3, 2008, and regulates how “private entities” collect, use, and share biometric information and biometric identifiers, collectively known as biometric data. BIPA imposes certain security requirements including:
1. Developing a publicly available written policy regarding the retention and destruction of biometric data in an entity’s possession.
2. Providing required disclosures and obtaining written releases prior to obtaining biometric data.
3. Prohibiting the sale of biometric data.
4. Prohibiting the disclosure of biometric data without obtaining prior consent.
Expansion of BIPA to Third Party Vendors
In a significant turn of events, courts in Illinois are applying BIPA to third-party vendors who do not have direct relationships with plaintiffs, but whose products are used by plaintiff's employees or in other settings to collect plaintiff's biometric data.
This is an alarming expansion of BIPA's scope of which all third-party providers should be aware. Under this caselaw, putting a biometric-collecting product into the stream of commerce does not immunize the manufacturer of that product from suit in Illinois.
Since the passing of BIPA, numerous class action suits have been filed against those alleged to have collected plaintiffs’ biometric data, but claims brought against vendors that sell the biometric equipment are growing exponentially. These claims allege not that plaintiffs have had direct contact with the vendor defendants, but that the defendants obtained the plaintiff’s biometric data through timekeeping equipment without complying with BIPA’s requirements.
Recently, the U.S. District Court for the Northern District of Illinois held that a biometric time clock vendor could be liable for violations of BIPA in the context of employment, extending the liability to people who “collect” biometric information.
Another recent decision, Figueroa et al v. Kronos, held that the plaintiffs sufficiently alleged that the collection function extended to the company, Kronos, and that Kronos was responsible, along with the employer, for obtaining required employee consent.
These cases, among others, signify that third-party vendors are becoming defendants in BIPA consent cases and broaden third-party contribution claims brought by employers against the vendors of biometric clocks for failure to obtain required consent. These decisions also allow insured employers to seek contributions from clock vendors for any judgment assessed against an insured employer under the Employment Practices Liability (EPL).
However, BIPA’s Section 15(a), which requires publicly available policies for the retention and destruction of biometric data, makes it difficult for plaintiffs to make claims against third parties in federal court. BIPA Section 15(a) creates an issue of standing. A state federal court could exercise jurisdiction over a vendor in connection with a BIPA claim if the vendor maintained continuous and systematic contacts with Illinois. If the vendor is located in the forum state, then there is no jurisdictional dispute, but since many vendors sell their equipment nationally, the issue of whether the court has specific personal jurisdiction of the vendor must be addressed.
For example, in Bray v. Lathem Time Co., in the US District Court for the Central District of Illinois, the plaintiffs alleged that the defendant sold a facial-recognition timekeeping product to the plaintiff’s employer and violated BIPA because it failed to notify employees and obtain their consent. The plaintiffs had no dealings with the defendant, who was located in Georgia but was sued in Illinois. The court found no contacts between the defendant and the state of Illinois and concluded that the timekeeping equipment was sold to an affiliate of the plaintiff’s employer and then transferred to Illinois by the employer. The court concluded that it lacked jurisdiction over the defendant vendor.
Expansion of BIPA Outside Illinois?
Vendors being located in states outside of Illinois raises the question of whether BIPA is applicable to conduct in other states. But while BIPA is applied to violations in Illinois, upcoming class suits may address the issue of BIPA having an extraterritorial effect when bringing claims against out of state vendors. The extraterritorial application of BIPA is fact-dependent and courts acknowledge that decertifying extraterritoriality as being evaluated on an individual basis may be appropriate. Companies collecting, using, and storing biometric information will face an increased risk in BIPA lawsuits.
All companies should assess whether they are collecting biometric data, directly or through third parties. The next step is to evaluate the legal requirements regarding the handling of such data. Note that many state data breach laws include biometric data as protected personally identifiable information (PII). Companies should take steps to comply with applicable laws, including developing policies and practices around handling biometric data. Contracts with third-party vendors should also be reviewed to help protect the business if there is mishandling of biometric data.
At Octillo, we have a team of skilled attorneys that can assist your company in developing BIPA compliant policies that will help mitigate the risks associated with collecting biometric information. Our team of lawyers are also technologists who can help you better understand the legal implications surrounding BIPA and the legal repercussions that follow suit.
*Attorney Advertising. Prior results do not guarantee future outcomes.*