Powered by recent privacy laws, lawsuits for wrongful data collection have been rapidly increasing. The result is a growing body of caselaw, many unanswered questions, and a new landscape for companies to navigate.
I recently had the opportunity to discuss the expanding number of wrongful collection lawsuits with several experts at Beazley. Based in Denver, Katherine Heaton is the Focus Group Leader for Cyber Services and InfoSec at Beazley. Amanda Thai is a Cyber TPL Specialist in Beazley’s New York office.
SOLOVE: We have heard a lot recently about the growing number of lawsuits filed alleging wrongful collection of data, particularly under Illinois’ Biometric Information Privacy Act (“BIPA”). What type of data collection practices are being challenged in these lawsuits?
HEATON: Over the past few years we have seen a large increase in the number of lawsuits based on allegations of wrongful collection of data. Although BIPA was passed in 2008, we didn’t start to see lawsuits alleging BIPA violations until 2017. Since then, approximately 1,500 such lawsuits have been filed, and the number of such lawsuits has been rapidly growing. More than 115 BIPA lawsuits were filed in the first quarter of 2022 alone.
The most common BIPA lawsuits are those filed by a putative class of employees against employers based on the use of biometrics for timekeeping purposes. In most of these lawsuits, employers are using devices that scan employees’ fingerprints in order to clock them in and out. The complaints allege that employers are collecting employee fingerprints without advance notice and consent, disclosing employee fingerprint data to third parties without consent, and failing to implement a retention/destruction policy for the collected data.
More recently, we have also seen a number of complaints against the manufacturers of the timekeeping devices. These lawsuits are being filed both by classes of employees whose employers used a particular manufacturer’s device and by employers alleging that the device manufacturers failed to comply with BIPA or adequately advise the employer about the need to comply with BIPA.
In the past year, we also started seeing BIPA complaints based on technology developed as a result of people being isolated during Covid-19. For example, some retailers are using facial recognition technology to allow customers to virtually “try on” things like glasses and sunglasses. Facial recognition technology is also being used for remote exam proctoring, to compare a face with an ID in order to verify a person’s age to allow them to bet online or purchase cryptocurrency, and in cars to monitor drivers.
SOLOVE: Why should companies be concerned about these lawsuits?
HEATON: There are three main issues making these lawsuits risky. First, potential damages under BIPA can be very high. BIPA provides statutory damages of $1,000 for each negligent violation and $5,000 for each intentional or reckless violation, plus reasonable attorneys’ fees and costs. Second, it’s easy for plaintiffs to establish standing, since actual harm is not required and mere procedural violations are sufficient. Thus, it’s difficult for defendants to win on an early motion. And finally, despite the significant number of these lawsuits, the case law is still being developed by the courts so it’s not clear what defences might be successful and what practices will actually lead to an adverse judgment.
SOLOVE: How is the BIPA caselaw developing? What are the unresolved issues?
THAI: BIPA is a developing area of law. Parties have been testing BIPA limits in Illinois courts since its enactment in 2008. There have been a few big appellate rulings in recent months that are shaping the BIPA landscape, with additional issues still on appeal. For example, in February, the Illinois Supreme Court ruled in McDonald v. Symphony that employers cannot escape biometric privacy lawsuits through the state worker’s compensation law, but left the question of the size of those damages, and how claims accrue, wide open. Also in February, an Illinois appellate panel held in Walton v. Roosevelt University that federal labor law pre-empts BIPA claims asserted by employees covered by a collective bargaining agreement, and thus preserved a BIPA defense for employers in BIPA lawsuits brought by union workers. On whether a BIPA claim accrues each time biometric information is collected or disclosed, or only from the first instance, the key case is Cothron v. White Castle. The Illinois Supreme Court recently scheduled oral argument in this case for May 17, with an opinion expected by October 2022 or sooner. Another case, Tims v. BlackHorse Carriers, addresses whether the statute of limitations for BIPA claims is 1 year or 5 years. However, this case was not listed for argument in May 2022.
To add a layer of complexity, the Illinois legislature has brought forth multiple attempts to amend BIPA and curtail its effects, including SB 3782, which introduces a framework by which a private entity could collect or otherwise obtain biometric information without satisfying other requirements, SB 3874, which would exclude information captured by biometric time clocks and biometric locks, SB3413, which limits BIPA’s application to certain healthcare employers, and SB5396, which would limit an employee’s entitlement to relief under BIPA to be determined as provided in the Workers’ Compensation Act. There has been little movement to push these proposals through and BIPA legislative reform seems to be a long shot, although these attempts are not the Illinois legislature’s first, and probably not its last.
SOLOVE: While BIPA is certainly the most common statute for wrongful collection claims, are you seeing plaintiffs filing claims alleging wrongful collection under any other statutes?
HEATON: Yes, about two years ago, we saw a number of lawsuits filed in Florida and California alleging violations of state wiretapping statutes based on the use of technology to track search history or analyze how users interact with websites. Like BIPA, these wiretapping statutes had a private right of action that provided for statutory damages. The first of these lawsuits was filed in California against Facebook in 2020 and alleged that consumers were not aware that Facebook was tracking users’ search histories, which allegedly constituted an “interception” of a communication under federal and California wiretap laws. After this lawsuit was filed, a large number of lawsuits were filed in Florida against companies that use session replay technology, which is a small piece of code on the company’s website that replays a user’s visit to the website so that companies can improve user experience and identify and address technical issues. These lawsuits alleged that such technology was intercepting the users’ communications. The courts ultimately found that the use of such technology did not violate wiretapping statutes for several reasons, including that a user’s mouse movements were not a “communication,” and that there was no reasonable expectation of privacy. After courts started overwhelmingly granting defendants’ motions to dismiss, we saw the number of these lawsuits sharply decline and these lawsuits now seem to have disappeared.
We have also seen a few cases alleging violations of Illinois’ Genetic Information Privacy Act (“GIPA”). Like BIPA, GIPA also has a private right of action and provides statutory damages. GIPA provides that a person’s genetic information is confidential and may be released only to the individual tested and to persons specifically authorized in writing by that individual to receive the information, among other things. The GIPA lawsuits allege that plaintiffs’ genetic information was disclosed without the GIPA-required consent. There are only a handful of these lawsuits, but they serve as a good reminder to watch out for statutes that provide statutory damages and a private cause of action.
Most recently, we have seen several cases alleging violations of the Video Privacy Protection Act (“VPPA”), against companies that are using third-party tracking tools on their websites. VPPA prohibits a video tape service provider from knowingly disclosing personally identifiable information concerning any consumer of such provider. These recent VPPA lawsuits allege that defendants are violating VPPA by allowing Facebook to embed its tracking pixel on their websites, which in turn allows Facebook to track the people using defendants’ website and the actions they take. This information is then used for targeted advertising. The VPPA has statutory damages of $2,500 per violation, plus potentially punitive damages, attorneys’ fees and equitable relief.
SOLOVE: How do you see challenges to wrongful collection of data evolving?
THAI: More legislation and more litigation, everywhere. Since there is no national regulation on data collection or privacy, the states have taken it upon themselves to enact these regulations, define “wrongful collection” and “biometric information,” and assign levels of severity to infractions. The result is a growing patchwork of state wrongful collection and biometric privacy laws. Currently, only three states have enacted biometric privacy-specific laws: Illinois, Texas, and Washington, with BIPA being the only one that provides a private right of action. However, there are eight additional states that have introduced biometric privacy laws: California, Kentucky, Maine, Maryland, Massachusetts, Missouri, New York, and West Virginia. All these proposed bills, except Kentucky’s, include a right of private action, while California’s proposed bill provides for a private right of action in addition to statutory damages per violation per day. The challenge that businesses face is not only the growing web of regulations that they must navigate to stay compliant, but also the threat of increased litigation resulting from these new regulatory frameworks. The private right of action along with statutory damages and an underdeveloped area of law will present an appealing target for plaintiffs’ attorneys.
SOLOVE: What are your takeaways from looking at these trends?
THAI: Biometric data from individuals can help create innovative and helpful technology that consumers want to elevate their shopping experiences, and that companies need in order to optimize their functionality. However, the collection of this biometric data, particularly when surreptitious, has increasingly become the basis for class action lawsuits brought against businesses. An increasingly tangled network of state biometric privacy laws, statutory damages, and a still-developing area of law represent a gold mine to eager plaintiffs’ attorneys that is only growing. As such, companies should anticipate seeing more legislation and more litigation in connection with technologies that collect biometric data. We recommend consulting with experts to fully understand the possible ramifications and compliance issues before rolling out new technology, either internally or to the public.
The information set forth in this interview is intended as general risk management information. It is made available with the understanding that Beazley does not render legal services or advice. It should not be construed or relied upon as legal advice and is not intended as a substitute for consultation with counsel. Although reasonable care has been taken in preparing the answers to my questions in this interview, Beazley accepts no responsibility for any errors it may contain or for any losses allegedly attributable to this information.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy and data security training. He also posts at his blog at LinkedIn, which has more than 1 million followers.
Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum, an annual event designed for seasoned professionals.