The law related to Illinois Biometric Information Protection Act (“BIPA”) came to a halt over the last year or so while the Illinois Supreme Court analyzed what constitutes an injury under the Act. As expected, courts have started to once again visit the various legal issues related to biometric data now that the Rosenbach decision has been issued. Now that BIPA cases are moving through the courts again, one major issue will be what is the proper venue for these cases as many BIPA claims intertwine state and federal laws.

The Seventh Circuit recently undertook an analysis of the Illinois Biometric Information Protection Act (“BIPA”) by consolidating two cases involving claims by employees of two separate airlines. In Miller v. Southwest Airlines Co./Johnson v. United Airlines, Inc., 2019 WL 2462664 (June 13, 2019), the Seventh Circuit analyzed a number of procedural and statutory requirements involved in filing a BIPA claim. At first blush, the question presented by the Seventh Circuit appears to be narrow:  “whether persons who contend that air carriers have violated state law by using biometric identification in the workplace must present these contentions to an adjustment board under the Railway Labor Act (RLA), 45 U.S.C. §§ 151–88, which applies to air carriers as well as railroads. 45 U.S.C. § 181?”  However, while the analysis of these cases may be driven by the RLA–an act that applies only to unions–the Seventh Circuit decision provides insight on many procedural aspects related to alleged biometric violations.

The facts giving rise to the two lawsuits were similar to Southwest Airlines and United Airlines maintained timekeeping systems that requiring workers to clock in and out with their fingerprints. The class action plaintiffs in both cases claimed the airlines implemented biometric systems without proper consent, failed to publish protocols related to use of the systems and improperly disclosed their information when the airlines used a third-party vendor to oversee the system.

• Southwest Airlines Case

District Judge Marvin E. Aspen in the District Court for the Northern District of Illinois held the class action plaintiffs had standing under Article III but still dismissed the suit against Southwest Airlines for improper venue. Specifically, Judge Aspen found the matter should be litigated before an adjustment board under the Railway Act rather than in state or federal court in order to give the class action plaintiff’s union the opportunity to address the alleged BIPA violations.

• United Airlines Case

The litigation against United Airlines originated in state court but was removed by United Airlines to federal court based on United Airlines’ claim that there was a federal-question presented by the Railway Labor Act and the Class Action Fairness Act.  District Judge Virginia Kendall reached the same conclusion as Judge Aspen in the Southwest Airlines case but dismissed the United Airlines Case based on a finding that the complaint failed to present an actionable case or controversy.

• Standing And Damages

After consolidating these cases and reviewing the issues, the Seventh Circuit held the airline employees had standing to sue and, while United’s motion to remove was granted based on federal question jurisdiction, the cases should be litigated before an adjustment board governed by the Railway Labor Act.

In short, the Seventh Circuit found the involvement of unions required the analysis of whether the plaintiffs have standing to be slightly different from most data breach or privacy cases:

The prospect of a material change in workers’ terms and conditions of employment gives these suits a concrete dimension that Spokeo, Groshek, and Casillas lacked. Either the discontinuation of the practice, or the need for the air carriers to agree to higher wages to induce unions to consent, presents more than a bare procedural dispute. See Robertson v. Allied Solutions, LLC, 902 F.3d 690, 697 (7th Cir. 2018). (“Article III’s strictures are met not only when a plaintiff complains of being deprived of some benefit, but also when a plaintiff complains that she was deprived of a chance to obtain a benefit.”)

With the Seventh Circuit’s reference to Spokeo and similar cases we can expect defendants to argue that the Seventh Circuit was not convinced that BIPA claimants can survive motions to dismiss without injuries that are “particular and concrete.”

On the other hand, we can expect plaintiffs to argue the Spokeo analysis has no relevance because lack of proper consent is a violation under BIPA and, therefore, employees and customer are “aggrieved” within the meaning of the Act. Many of the BIPA cases have not progressed far enough through the courts to allow a full analysis of whether class action plaintiffs need to show independent injury beyond improper notification.

• Notice To Union Representatives

In addressing whether the airlines gave proper notice as required by BIPA, the Seventh Circuit examined whether the unions were provided with sufficient information to consent to “how workers clock in and out.” The Seventh Circuit provided the following analysis concerning notification for union members:

BIPA “provides that a worker or an authorized agent may receive necessary notices and consent to the collection of biometric information.” 740 ILCS 14/15(b). Based on this statutory language, the Seventh Circuit states “We reject plaintiffs’ contention that a union is not a ‘legally authorized representative’ for this purpose. Neither the statutory text nor any decision by a state court suggests that Illinois wants to exclude a collective-bargaining representative from the category of authorized agents.

Admittedly, the involvement of the airline unions pushes the Seventh Circuit to examine issues that may not impact the vast majority of BIPA cases where the class action plaintiffs may not belong to a union. However, many defendants will be able to take the position that their case is not over merely because the class action plaintiffs did not receive notification.

• Removal From State Court To Federal Court

The Seventh Circuit did not have to address whether these matters could be removed from state court to federal court. That is, the Seventh Circuit could have left its analysis at an adjustment board operating under the Railway Act should address the BIPA claims. The Court still addresses this question and allows for the inference that removal is appropriate in BIPA cases based on diversity of citizenship:

Given our conclusion that the federal-question jurisdiction supports removal, we need not remand for the district court to explore the question whether on the date the case was removed, one class member was a citizen of Wisconsin or Indiana, or conceivably some third state other than Illinois or Delaware—say, a citizen of California temporarily detailed to work at O’Hare.

While the Seventh Circuit did not have to address this question, the Court acknowledged the fact that many BIPA cases filed in state court may be removed to federal court because there are likely going to be employees that reside outside of Illinois. Therefore, removal may be an option in the vast majority of BIPA class actions when Illinois corporations have a large number of employees. Further, this question will become even more important as BIPA claims brought by customers become more routine.

• These Questions Are Not Going Away

Outside the procedural aspects of BIPA ligation, the full impact of the use of equipment to collect and store biometric data will be unclear until courts provide guidance on these issues.  Further, the bounds of biometric laws will be tested as this equipment begins to be increasingly used on the general public outside the context of employees. For example, just last week, there were a number of reports about the use of biometric equipment on air travelers:

TSA is testing a biometrics system, including at the busy Atlanta airport, that uses Customs and Border Protection databases to verify customers’ identities when they check in, pass through security and board their flights.The ultimate goal: Eliminate the need to carry a boarding pass, passport or other identification — with cameras and computers verifying travelers’ identities.

It will be interesting to see how biometric equipment will be received by air travelers.  Of course, air travel customers are different from employees as they can simply switch to a competitor that does not use biometric gathering equipment to register their opposition to the collection and use of their information. Therefore, if there is a true backlash against this equipment, we may see companies abandon the use of this equipment for customers.

The post Seventh Circuit’s Recent Decision Indicates Courts May Be Willing To Chip Away At BIPA appeared first on Privacy Risk Report.

While many states are still struggling to enact comprehensive cyber/privacy laws and the federal government still lacks a uniform framework, Illinois data collectors have been working under the most advanced privacy statutes and common law in the United States. Specifically, the Illinois legislature has taken steps through the Personal Information Protection Act and the Biometric Information Protection Act (“Biometric Act”) that will put data collectors and courts at the forefront of privacy law for years to come.

The latest development in Illinois privacy law was seen last Friday when the Illinois Supreme Court issued its decision in Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Jan. 25, 2019) which provides insight on what is necessary to bring a cause of action under the Biometric Act.  In Rosenbach, the Illinois Supreme Court analyzed the provision in the Biometric Act which states that “[a]ny person aggrieved by a violation of this Act shall have a right of action in a State circuit court or as a supplemental claim in federal district court against an offending party.”  The central question for the Supreme Court was whether the use of the term “aggrieved” in the Biometric Act requires a plaintiff assert that they suffered an injury in addition to having their biometric data collected.  In reversing the Illinois Court of Appeals, the Supreme Court found a violation of the Biometric Act when a data collector merely took information from a minor without proper consent.  The most important aspect of this case is a data collector can be liable without breaching any information.

• The Facts In Rosenbach

The Defendant, Six Flags Entertainment Corporation (“Six Flags”), operates an amusement park located in Gurnee, Illinois.  The Plaintiff, Stacy Rosenbach (“Rosenbach”), is a parent of a 14-year-old boy that visited Six Flag’s amusement park for his class trip. Before the trip, Rosenbach purchased a season pass for her son using Six Flag’s website.  Rosenbach claims she was surprised to find out that her son was directed to scan his thumbprint to gain access to Six Flags and to receive his season pass card.  Rosenbach claims she would not have purchased the season pass for her son if she knew Six Flags intended to collect his thumbprint without obtaining written consent or disclosing their plan to collect such data. Rosenbach claimed she was “aggrieved” under the Biometric Act without any allegation that Six Flags breached any data.

In Rosenbach, The Illinois Supreme Court provided the following analysis of the term “aggrieved” as in the Biometric Act:

More than a century ago, our court held that to be aggrieved simply “means having a substantial grievance; a denial of some personal or property right.” Glos v. People, 259 Ill. 332, 340 (1913). A person who suffers actual damages as the result of the violation of his or her rights would meet this definition of course, but sustaining such damages is not necessary to qualify as “aggrieved.” Rather, “[a] person is prejudiced or aggrieved, in the legal sense, when a legal right is invaded by the act complained of or his pecuniary interest is directly affected by the decree or judgment.” (Emphasis added.) Id.  ¶

• The Illinois Court Of Appeals’ Decision Is Reversed

The Illinois Court of Appeals held the allegations that Six Flags took patrons’ thumbprints without proper consent was not a violation of the Act because the patrons were not “aggrieved” as required by the Biometric Act.  In reversing the Court of Appeals, the Illinois Supreme Court held:

In sum, defendants’ contention that redress under the Act should be limited to those who can plead and prove that they sustained some actual injury or damage beyond infringement of the rights afforded them under the law would require that we disregard the commonly understood and accepted meaning of the term “aggrieved,” depart from the plain and, we believe, unambiguous language of the law, read into the statute conditions or limitations the legislature did not express, and interpret the law in a way that is inconsistent with the objectives and purposes the legislature sought to achieve. That, of course, is something we may not and will not do.

• Potential Impact Of This Decision

The Rosenbach decision will undoubtedly cause ripples in privacy law for years to come as a party can conceivably maintain a viable cause of action without pleading any “actual injury or damage.”  This decision may close the door on data collectors being held liable only when they breach biometric data.  Rather, data collectors will need to review all processes that may collect biometric data to confirm they are complying with the Biometric Act.  For example, Six Flags may now need to revamp its use of thumbprints to make sure it obtains consent from a minor’s guardian and they make clear how the data will be used.

Further, this decision may undercut the usefulness of expensive equipment used to collect biometric data if a majority of people withhold their consent to have their information collected.  For example, many workplaces have started to track employees’ hours by using biometric data including fingerprints and thumbprints.  These new systems that rely on biometric data make “clocking in” more convenient than systems that may rely on employee numbers or time cards.  It will be interesting to see how employers will work with employees that refuse to consent to having their biometric information collected after the employer purchased the expensive equipment.  Suffice it to say, we can expect Illinois to continue to be the source of many influential developments in privacy law in the coming years.

The post Illinois Leaves Its “Thumbprint” On American Privacy Law As The Illinois Supreme Court Finds An Individual Can Bring An Action Under the Biometric Act Without Being Involved In A Breach appeared first on Privacy Risk Report.

The Illinois Biometric Information Protection Act (“Act”) states that “[a]ny person aggrieved by a violation of this Act shall have a right of action in a State circuit court or as a supplemental claim in federal district court against an offending party.”  Last week, the Illinois Supreme Court heard arguments on what may become the cornerstone decision interpreting the term “aggrieved” as used in the Act.  In Rosenbach v. Six Flags Entertainment Corp., 2017 Ill. App (2d) 170317, 2017 WL 65239, the Illinois Court of Appeals held allegations that an amusement park took patrons’ thumbprints without proper consent was not a violation of the Act because the patrons were not aggrieved under the Act.  Before the Supreme Court issues its decision in the coming months, it is worth taking a closer look at how this case evolved, the impact it had on other courts and how this decision may impact the use of biometric data.

• Facts And Analysis of Rosenbach Decision

The Defendant, Six Flags Entertainment Corporation (“Six Flags”), operates an amusement park located in Gurnee, Illinois.  The Plaintiff, Stacy Rosenbach (“Rosenbach”), is a parent of a 14-year-old boy that visited Six Flag’s amusement park for his class trip. Before the trip, Rosenbach purchased a season pass for her son using Six Flag’s website. Rosenbach claims she was surprised to find out that her son was directed to scan his thumbprint to gain access to Six Flags and to receive his season pass card.  Rosenbach claims she would not have purchased the season pass for her son if she knew Six Flags intended to collect his thumbprint without obtaining written consent or disclosing their plan to collect such data.

The Illinois Court of Appeals for the Second District held alleging a technical violation of the Act was insufficient to maintain an action under the Act. In particular, the Court of Appeals framed its interpretation of the term “aggrieved” in the Act as follows:

The certified questions revolve around whether a party is “aggrieved,” and thus may bring an action for liquidated damages or injunctive relief, when the only injury alleged is a violation of the notice and consent requirements of section 15(b) of the Act. Defendants contend that the interpretation of “aggrieved” most consistent with the Act’s language and purpose, and with interpretations of that term in other statutes and in other jurisdictions, is that it requires actual harm or adverse consequences. Plaintiff opposes this and argues that a mere technical violation of the Act is sufficient to render a party “aggrieved.”

In determining whether real or actual harm was required for a party to be “aggrieved” under the Act, the Court of Appeals held “if the Illinois legislature intended to allow for a private cause of action for every technical violation of the Act, it could have omitted the word “aggrieved” and stated that every violation was actionable.”  Based on this reasoning, the Court of Appeals held Rosenbach could not recover because “a plaintiff who alleges only a technical violation of the statute without alleging some injury or adverse effect is not an aggrieved person” under the Act.

In her Brief submitted to the Illinois Supreme Court, Rosenbach claims she did not receive the rights and benefits provided to her and her son under the Act.  Specifically, Rosenbach claims Six Flags deprived season ticket holders with the opportunity to receive “detailed notices” required under the Act and deprived her of the opportunity to provide or withhold her consent to take her son’s thumbprint as required under the Act.

• Illinois Supreme Court Has The Opportunity To Resolve Disputes Over Interpretation Of “Aggrieved”

The Rosenbach decision has received significant analysis since it was issued in December 2017. For example, in In Re Facebook Biometric Information Privacy Litigation, 326 F.R.D. 525 (N.D. Cal. April 16, 2018), a California court rejected the Rosenbach court’s interpretation of “aggrieved.”  Instead, the Facebook court found “because a plain of reading of BIPA ‘leave[s] little question that the Illinois legislature codified a right of privacy in personal biometric information rooted in ‘a long tradition of claims actionable in privacy law” and extending to control over one’s data, independent of disclosure or misuse risks.”  In particular, the Facebook court relied on Am. Sur. Co. v. Jones, 384 Ill. 222, 230, 51 N.E.2d 122 (Ill. 1943), where the Illinois Supreme Court determined that “aggrieved” parties under an Illinois statute are those with a “direct, immediate and substantial interest rather than a speculative, theoretical, inconsequential or remote interest.”  The Facebook court found Facebook and the Rosenbach court failed to address the holding in Jones that a party was aggrieved by an act that directly or immediately affects their legal interest may have a viable cause of action. The Facebook court  further noted that the Rosenbach court may have come to a different conclusion if it had properly reviewed Jones.  We will now see whether the Facebook court was correct in predicting how the Illinois Supreme Court will interpret this portion of the Act.

Further, the Illinois Supreme Court also has an opportunity to address a split in the interpretation of “aggrieved” as seen in the Rosenbach decision and the recent decision in Sekura v. Krishna Schaumburg Tan, Inc., 2018 IL App (1st) 180175.  In Sekura, the Illinois Court of Appeals adopted reasoning similar to that seen in the Facebook litigation when it ruled the Act does not require actual harm. Instead, the Sekura court held an alleged violation of the Act may give a plaintiff the right to sue since the Act protects an individual’s legal right to privacy.

• The Impact Of The Rosenbach Decision

There should be little question that this decision will impact the collection, storage and use of biometric data. Further, this decision may impact data collectors outside of Illinois to the extent that many states are watching the development of the Illinois Biometric Act.  Therefore, the legislatures in states that are still considering implementing a similar law will be able to consider the Illinois Supreme Court’s interpretation of “aggrieved” while determining what allegations give rise to a viable cause of action.

Further, data collectors will need to address the public’s’ view on storing their data regardless of the outcome of this decision. Outside of this litigation, Six Flags has maintained that they are not storing the actual thumbprints:  “Similar to those used at Walt Disney World and other theme parks, the scans at Great America in Gurnee, take measurements of fingerprints and create mathematical models, which officials said cannot be used to re-create full fingerprints.”

Nevertheless, at the time when the scanners first went into use, there was a fair amount of backlash as seen in a May 31, 2014 Chicago Tribune article:

“I don’t see why they need to have juveniles’ fingerprints on file,” said Vincent Bennett, of Antioch, whose wife and two daughters bought season passes a few weeks ago. “It’s a step up on security to not let other people use season passes, but I think it’s an invasion of privacy rights.”

Consequently, even if the Illinois Supreme Court rejects Rosenbach’s position that Six Flags did not obtain proper consent, data collectors will need to address the fact that the public may not be entirely comfortable with the collection of their biometric data.

The post Illinois Supreme Court Set to Address Amusement Park’s Use of Biometric Data appeared first on Privacy Risk Report.

Over the last few years, we have seen a number of common themes and concepts run through privacy cases and legislation.  We have seen plaintiffs struggle with surviving motions to dismiss because they failed to properly allege an injury.  Likewise, we have seen courts struggle with how to protect unfamiliar types of data, including biometric information.

On May 31, 2018, the District Court for the Northern District of Illinois provided the latest analysis of what is necessary for a viable claim under the Illinois Biometric Information Privacy Act (“BIPA”). In finding that data collectors can be liable for merely failing to obtain proper consent to use biometric data, we are seeing another step in the trend where no breach is necessary to impose liability.

In Dixon v. The Washington and Jane Smith Community, 17-cv-08033 (May 31, 2018), the plaintiff, Cynthia Dixon (“Dixon”), claimed her former employer, Smith Senior Center (“Smith”)  violated her privacy by requiring her to use fingerprint scanners to punch in and punch out at work.  In particular, Dixon claimed the Senior Center’s use of her biometric information violated her rights in the following manner:

• “Smith did not inform Dixon of the specific purpose or length of time for which her fingerprint was to be collected, stored and/or used;”
• “Nor did Smith make available information about its biometric data retention policy (if it had such a policy) or other guidelines regarding the permanent destruction of the biometric information it possessed;”
• “Smith also neglected to obtain a written release from Dixon authorizing Smith to collect or store her fingerprints.”
• “Lastly, Dixon alleged that, in addition to collecting and storing her biometric information, Smith also ‘systematically disclosed’ that information to Kronos, the out-of-state, third-party vendor of Smith’s biometric clocks, without informing her that it was doing so.”

Motion To Remand Denied:  The Federal District Court Was The Proper Venue For This Litigation

The District Court’s first order of business was to deny Dixon’s motion to remand the case back to Illinois state court.  In arguing her case should be heard back in state court where she originally filed the action, Dixon took the position that the defendants’ motions to dismiss “effectively asserted that she does not meet the injury-in-fact requirement for Article III standing.”

As stated in many privacy cases before this one, the U.S. Supreme Court has held that a litigant cannot “avail themselves of the federal courts” unless they can show (1) they suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.”  Spokeo Inc. v. Robbins, 136 S. Ct. 1540, 1547 (2016).

After a substantial discussion on civil procedure and the legislative intent behind BIPA, the District Court found it had jurisdiction over this matter because “where privacy rights are concerned, the dissemination to a third party of information in which a person has a right to privacy is a sufficiently concrete injury for standing purposes.”  Of course, in this case, Dixon alleged Smith disseminated her biometric information to Kronos, the third-party vendor.  (“The Court concludes that this alleged violation of the right to privacy in and control over one’s biometric data, despite being an intangible injury, is sufficiently concrete to constitute an injury in fact that supports Article III standing.”)

Given the above, the District Court held it had subject matter jurisdiction over this matter and the case should not be remanded back to the state court.

Motion To Dismiss Denied: Dixon Has A Viable Claim

Both Smith and Kronos argued Dixon failed to assert an actual injury “sufficient to confer a right of action under BIPA.”  Prior to analyzing Dixon’s claim, the District Court provided the following background on BIPA:

“BIPA provides that “[a]ny person aggrieved by a violation of this Act shall have a right of action in a State circuit court or as a supplemental claim in federal district court against an offending party.”  The statute further provides that, for each negligent violation of the Act, a prevailing plaintiff may recover ‘liquidated damages of $1,000 or actual damages, whichever is greater,’ in addition ot obtaining other relief such as an injunction.”

Given this statutory framework, the District Court found Dixon could survive the motion to dismiss based on her allegations that “the defendants violated her right to privacy in and control over her personal biometric data.”  Further, the District Court found Dixon’s allegation that Smith “fails to inform its employees that it discloses employees’ fingerprint data to an out-of-state third-party-vendor, Kronos,” to be problematic.  In denying the motions to dismiss, the District Court held:

“BIPA established a right to privacy in such information and that obtaining or disclosing a person’s biometric data without her consent or knowledge necessarily infringes on the right to privacy in that data.  Even though this may not be tangible or pecuniary harm, it is an actual and concrete harm that stems directly from the defendants’ alleged violations of BIPA.” 

This case signals a willingness by a number of courts to acknowledge the significant risk with the storage and disclosure of biometric data. Importantly, there were no allegations of a breach in the classical sense of Dixon’s fingerprint information.  In Dixon, the data collector merely provided biometric data to its vendor and yet the District Court found Dixon’s allegations were sufficient because, “obtaining or disclosing a person’s biometric data without her consent or knowledge constitutes an actual and concrete injury because it infringes on the right to privacy in that data.”

Therefore, data collectors will need to make sure they are obtaining proper consent to store data and to provide it to third parties. A breach of this information is no longer required to impose liability.

The post No Breach Required: Illinois Court Finds Providing Biometric Data To Vendor Without Proper Consent May Give Rise To Injury appeared first on Privacy Risk Report.

The Privacy Risk Report has previously reported on the necessity to safeguard personal information such as names, addresses, social security numbers and credit card information to avoid risk resulting from data breaches. The latest trend we are seeing now involves a push by state legislatures to enact new laws that also protect biometric data, such as the Illinois Biometric Information Privacy Act (BIPA).

“Biometrics” defines “the field of science relating to the identification of humans based upon unique biological traits, such as fingerprints, DNA, and retinas” and recently “has produced new ways of conducting commercial transactions.” In particular, the protection of biometrics is a growing concern as this technology is turning up in everything from watches that may collect health data, finger-scanners at grocery stores and gas stations to retina scanners for financial transactions. Not only is this technology is here to stay, but it is already involved in litigation across the country.

For example, in Vigil v. Take-Two Interactive Software, Inc., the U.S. District Court for the Southern District of New York found class action plaintiffs lacked standing to bring suit under BIPA for claims related to how their faces were used to create personalized avatars in a video game.

Illinois Biometric Information Privacy Act

The Illinois legislature enacted BIPA (740 Ill. Comp. Stat. 14/1 et seq.), “which sets forth disclosure, consent, and retention requirements for private entities that collect, store, and disseminate biometric data.”

Before reaching its decision to grant Take-Two’s motion to dismiss, the District Court provided the following exhaustive background on BIPA:

As the Illinois legislature observed, biometric data are by definition unique, and thus—unlike a credit card number—cannot realistically be changed if they are subject to identity theft. See 740 Ill. Comp. Stat. 14/5(c). The Illinois legislature was concerned that the failure of businesses to implement reasonable safeguards for such data would deter Illinois citizens from “partaking in biometric identifier-facilitated transactions” in the first place, and would thus discourage the proliferation of such transactions as a form of engaging in commerce. 740 Ill. Comp. Stat. 14/5(e). The BIPA represents the Illinois legislature’s judgment that the collection and storage of biometrics to facilitate financial transactions is not in-of-itself undesirable or impermissible; instead, the purpose of the BIPA is to ensure that, when an individual engages in a biometric-facilitated transaction, the private entity protects the individual’s biometric data, and does not use that data for an improper purpose, especially a purpose not contemplated by the underlying transaction. See 740 Ill. Comp. Stat. 14/5(a–g).

Under the BIPA, a “biometric identifier” is “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry,” while “biometric information” is information based on “biometric identifiers.” 740 Ill. Comp. Stat. 14/10.

Take-Two’s Video Game — NBA 2K16

The defendant, Take-Two, collects and uses biometric data for its video games, including NBA 2K16. The plaintiffs allege that they used a feature in the video game “to scan their respective faces to create personalized virtual basketball players, exclusively for in-game play.” The plaintiffs did not allege the images of their faces were used for anything beyond use in their own games. The “MyPlayer” feature was specifically at issue, “which allows a gamer to create a ‘personalized basketball avatar’ based on a three-dimensional rendition of the gamer’s face.”

Plaintiffs’ Claims of BIPA Violations

Plaintiffs claimed that Take-Two’s violations of BIPA included the following:

• Take-Two did not publicly provide “a retention schedule or guidelines for permanently destroying biometric identifiers;”
• Take-Two failed to inform the plaintiffs in writing that their biometric information was being collected;
• Take-Two collected biometric information without obtaining a proper release from the plaintiffs;
• Take-Two disclosed and disseminated plaintiffs’ biometric information without adequate consent;
• Take-Two did not employ “industry-standard reasonable care;” and,
• Take-Two profited from plaintiffs’ biometric information.

Dismissal of Plaintiffs’ Complaint

Unconvinced by the plaintiffs’ arguments, the District Court granted Take-Two’s motion to dismiss the plaintiffs’ second amended complaint based on a finding that plaintiffs’ lacked standing to bring suit against Take-Two. As with many data storage cases, plaintiffs’ had to demonstrate they had standing to bring suit. In order to avoid Take-Two’s motion to dismiss, the plaintiffs attempted to support their claims with allegations of procedural violations of BIPA, without any allegations of additional harm in order to establish standing.

The District Court rejected the plaintiffs’ position because “[n]one of the plaintiffs’ allegations of procedural violations, on their own, demonstrate a material risk of harm to BIPA’s concrete data protection interest because there is no plausible allegation that there is a material risk that plaintiffs’ biometrics may be used in a way not contemplated by the underlying use of the MyPlayer feature.

Additionally, the District Court held the plaintiffs failed to establish that there was “an imminent risk of harm that Take-Two’s storage and dissemination of their facial scans could compromise the data protection interest of the BIPA.” The District Court held the allegations that Take-Two’s practices may have subjected plaintiffs’ facial scans to an “‘enhanced risk of harm’ of somehow falling into the ‘wrong hands’” was too speculative to demonstrate plaintiffs had standing to sue Take-Two.

The District Court also rejected the plaintiffs’ argument that their damages were more than merely “speculative and abstract” by arguing that “face scans are relatively immutable, and, unlike (for example) passwords, cannot be changed.”

Initial Impact of this Decision

One fundamental principle in each section of the District Court’s lengthy opinion is that the plaintiffs scan their own faces in order to create avatars for the video game. And, the plaintiffs failed to allege that the biometric information was used for any purpose other than what plaintiffs had consented. That being said, this will not be the last time a court will be called on to interpret BIPA or similar statutes across the country. It is only a matter of time before data collectors find other uses for biometric information.

The post Use of Biometric Data Enters the Courts appeared first on Privacy Risk Report.