In McDonald v. Symphony Bronzeville Park, LLC, 2022 IL 126511, the Illinois Supreme Court issued an opinion finding the exclusive remedy provisions of the Illinois Workers’ Compensation Act (“Compensation Act”) 820 ILCS 305/1 et seq. does not bar an employee’s claim for statutory damages under the Illinois Biometric Information Privacy Act (“BIPA”), 40 ILCS 14/1 et seq.

An employee filed a class-action lawsuit against her employer for violating BIPA. Her employer required its employees to use a biometric timekeeping system in order to scan an employee’s fingerprint for purposes of authenticating an employee and tracking their time at work. The employee alleged that her employer never obtained her written consent to store her biometric information or informed her how the information will be stored.

820 ILCS 305/5 and 11 of the Compensation Act are the exclusive remedy provisions by which an employee may seek recovery against their employer for work-related injuries. However, an employee can escape the exclusivity provisions if the employee can show that the injury: (1) was not accidental; (2) did not arise from their employment; (3) did not occur during the course of employment; or (4) was not compensable under the Compensation Act.  At issue was the fourth exception.

The Court held that whether the exclusivity provision applied depends on the type of injury the employee sustained. The Court noted the purpose of the Compensation Act is to provide financial protection for injured workers until they can return to work, whereas the purpose of BIPA is to protect a person’s biometric information. In comparing the two statutes’ purposes, the Court found that “[t]he personal and societal injuries caused by violating the Privacy Act’s prophylactic requirements are different in nature and scope from the physical and psychological work injuries that are compensable under the Compensation Act.” Accordingly, the Court concluded that the BIPA violation did not categorically fall under the purview of the Compensation Act and therefore is not compensable under the Compensation Act. For this reason, the Court held that the employee may pursue her BIPA claim against her employer in the circuit court rather than through the Workers’ Compensation Commission.

Although not an insurance coverage case, this finding may have important implications for insurers regarding coverage for BIPA violations. Here, the Illinois Supreme Court’s held that an employee’s BIPA claim does not fall within the purview of the Compensation Act. However, this does not necessarily mean that an insurer will not be able to disclaim coverage under the Employment Related Practices Exclusion. As we discussed in our previous article regarding the finding from the Northern District of Illinois that the Employment-Related Practices Exclusion applies to BIPA claims.

If you want to read more about BIPA, please check out the below articles:

• Illinois Leaves Its “Thumbprint” On American Privacy Law As The Illinois Supreme Court Finds An Individual Can Bring An Action Under the Biometric Act Without Being Involved In A Breach

• Illinois’ Biometric Information Protection Act Gets More Tangled With Employment Law

• Seventh Circuit Court Of Appeals Reopens Doors to Federal Courts For BIPA Plaintiffs

For more information about this article, contact Catherine Geisler at cgeisler@tresslerllp.com.

The post The Illinois Workers’ Compensation Act Does Not Bar An Employee’s Claim Under BIPA appeared first on Privacy Risk Report.

On May 20, 2021, the Illinois Supreme Court delivered its opinion in W. Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 2021 IL 125978[1] regarding whether the claims contained in a lawsuit alleging the violation of the Biometric Information Privacy Act (“BIPA”) were covered under a business owners’ liability policy.

In the underlying lawsuit, Klaudia Sekura (“Sekura”)[2] filed a class-action suit against Krishna Schaumburg Tan, Inc. (“Krishna”), a tanning salon and franchisee of L.A. Tan for violating BIPA by requiring its customers, including Sekura, to scan their fingerprints without first getting their signed, written release to allow disclosure of their fingerprints to any third party.

Krishna tendered the underlying lawsuit to its insurer, West Bend Mutual Insurance Company (“West Bend”), and requested West Bend to defend it. West Bend issued two business owners’ liability policies (“the West Bend policies”) to its insured, Krishna for two consecutive policy periods between 2014 to 2016. West Bend disclaimed coverage to Krishna arguing that it did not have a duty to defend it in the underlying lawsuit.

West Bend then filed a complaint for declaratory judgment against Krishna and Sekura asserting that it did not owe a duty to defend its insured in the underlying lawsuit. Both West Bend and Krishna filed cross-motions for summary judgment. Sekura also joined Krishna’s motion for summary judgment but sought alternative relief. Id. at ¶1. The trial court entered judgment for Krishna. West Bend then appealed the trial court’s decision, which was affirmed by the appellate court. The Illinois Supreme Court allowed West Bend’s petition for leave to appeal the appellate court’s decision, but the Court ultimately affirmed the appellate court’s decision.

The Illinois Supreme Court determined that West Bend had a duty to defend Krishna. At issue was whether the underlying complaint’s allegations fell within the West Bend policies’ coverage under the “personal injury” provision, which states in relevant part:

13. ‘Personal injury’ means injury, other than ‘bodily injury’, arising out of one or more of the following offenses:

* * *

1. Oral or written publication of material that violates a person’s right of privacy.

Id. at ¶ 8.

The Court determined that the underlying lawsuit potentially alleged: “personal injury” because Sekura alleged that she suffered “nonbodily injury” (“emotional upset, mental anguish and mental injury”) when Krishna disclosed her biometric information to a third party. Id. at ¶ 36.

The Court found that the sharing of Sekura’s fingerprints to a third party constituted a “publication.” Id. at ¶ 50. The Court noted that the term “publication” was undefined in the West Bend policies. As a result, the Court looked to the “plain, ordinary, and popular meaning, i.e., [the Court] look[ed] to its dictionary definition.” Id. at ¶ 38 (citing Founders Insurance Co. v. Munoz, 237 Ill. 2d 424, 436, 341 Ill.Dec. 485, 930 N.E.2d 999 (2010)). Based on its review of the dictionaries, treatises and the Restatement of Torts, the Court determined that it “means both the communication of information to a single party and the communication of information to the public at large.” Id. at ¶ 43.

The Court also concluded that the sharing of Sekura’s fingerprints to a third party constituted a violation of her “right of privacy.” Id. at ¶ 51. The Court noted that the term “right of privacy” was also undefined in the West Bend policies. Accordingly, the Court looked to the dictionary definition of that term and determined that the “right of privacy” includes “the right of an individual to keep his or her personal identifying information like fingerprints secret.” Id. at ¶ 46.

The Court then determined that the “violation of statutes exclusion” did not apply to bar coverage to Krishna. The exclusion states in relevant part:

This insurance does not apply to:

DISTRIBUTION OF MATERIAL IN VIOLATION OF STATUTES

‘Bodily injury’, ‘property damage’, ‘personal injury’ or ‘advertising injury’ arising directly or indirectly out of any action or omission that violates or is alleged to violate:

(1) The Telephone Consumer Protection Act (TCPA) [(47 U.S.C. § 227 (2018))], including any amendment of or addition to such law; or

(2) The CAN-SPAM Act of 2003 [(15 U.S.C. § 7701 (Supp. III 2004))], including any amendment of or addition to such law; or

(3) Any statute, ordinance or regulation, other than the TCPA or CAN-SPAM Act of 2003, that prohibits or limits the sending, transmitting, communicating or distribution of material or information.

Id. at ¶ 9

The Court began its analysis with the title of the exclusion, which was titled “‘Violation of Statutes that Govern E-Mails, Fax, Phone Calls or Other Methods of Sending Material or Information.’” Id. at ¶ 58. The Court also noted that the exclusion listed “statutes like the TCPA and the CAN-SPAM Act, which regulate methods of communication like telephone calls, faxes, and e-mails.” Id. at ¶ 59. Based on the title of the exclusion and the fact that BIPA does not regulate the method of communication, the Court held that the violation of statutes exclusion could not be used to bar coverage to the insured. Id. at ¶ 60.

In summary, the Illinois Supreme Court ultimately concluded that West Bend had a duty to defend its insured, Krishna, in the underlying lawsuit. It determined that (1) Sekura suffered a “nonbodily personal injury;” (2) Krishna’s sharing of Sekura’s biometric information (i.e., her fingerprints) to a third party constituted a “publication” as that term is used in the “personal injury” provision; and (3) Krishna’s sharing of Sekura’s biometric information to a third party potentially violated Sekura’s “right of privacy” as that term is used in the “personal injury” provision. Id. at ¶ 61. Moreover, the Court found that the violation of statutes exclusion contained in the West Bend policies did not apply to BIPA allegations.

[1] This decision is currently not considered a final decision. According to the Illinois Supreme Court, this opinion has not been released for publication, and thus is still subject to revision or withdrawal. Moreover, pursuant to the Illinois Supreme Court Rule 367, “a party has 21 days [(June 10, 2021)] after the filing of an opinion to request a rehearing, which, if allowed, will act to nullify the previously filed opinion.” A Caution on Court Opinions, ILLINOIS COURTS (May 24, 2021), http://www.illinoiscourts.gov/Opinions/caution.asp.

[2] In this blog, we will refer to Sekura to mean both her and the Class.

For more information about this article, contact Catherine Geisler at cgeisler@tresslerllp.com.

The post Illinois Supreme Court Finds “Publication” In Some BIPA Claims appeared first on Privacy Risk Report.

The law related to Illinois Biometric Information Protection Act (“BIPA”) came to a halt over the last year or so while the Illinois Supreme Court analyzed what constitutes an injury under the Act. As expected, courts have started to once again visit the various legal issues related to biometric data now that the Rosenbach decision has been issued. Now that BIPA cases are moving through the courts again, one major issue will be what is the proper venue for these cases as many BIPA claims intertwine state and federal laws.

The Seventh Circuit recently undertook an analysis of the Illinois Biometric Information Protection Act (“BIPA”) by consolidating two cases involving claims by employees of two separate airlines. In Miller v. Southwest Airlines Co./Johnson v. United Airlines, Inc., 2019 WL 2462664 (June 13, 2019), the Seventh Circuit analyzed a number of procedural and statutory requirements involved in filing a BIPA claim. At first blush, the question presented by the Seventh Circuit appears to be narrow:  “whether persons who contend that air carriers have violated state law by using biometric identification in the workplace must present these contentions to an adjustment board under the Railway Labor Act (RLA), 45 U.S.C. §§ 151–88, which applies to air carriers as well as railroads. 45 U.S.C. § 181?”  However, while the analysis of these cases may be driven by the RLA–an act that applies only to unions–the Seventh Circuit decision provides insight on many procedural aspects related to alleged biometric violations.

The facts giving rise to the two lawsuits were similar to Southwest Airlines and United Airlines maintained timekeeping systems that requiring workers to clock in and out with their fingerprints. The class action plaintiffs in both cases claimed the airlines implemented biometric systems without proper consent, failed to publish protocols related to use of the systems and improperly disclosed their information when the airlines used a third-party vendor to oversee the system.

• Southwest Airlines Case

District Judge Marvin E. Aspen in the District Court for the Northern District of Illinois held the class action plaintiffs had standing under Article III but still dismissed the suit against Southwest Airlines for improper venue. Specifically, Judge Aspen found the matter should be litigated before an adjustment board under the Railway Act rather than in state or federal court in order to give the class action plaintiff’s union the opportunity to address the alleged BIPA violations.

• United Airlines Case

The litigation against United Airlines originated in state court but was removed by United Airlines to federal court based on United Airlines’ claim that there was a federal-question presented by the Railway Labor Act and the Class Action Fairness Act.  District Judge Virginia Kendall reached the same conclusion as Judge Aspen in the Southwest Airlines case but dismissed the United Airlines Case based on a finding that the complaint failed to present an actionable case or controversy.

• Standing And Damages

After consolidating these cases and reviewing the issues, the Seventh Circuit held the airline employees had standing to sue and, while United’s motion to remove was granted based on federal question jurisdiction, the cases should be litigated before an adjustment board governed by the Railway Labor Act.

In short, the Seventh Circuit found the involvement of unions required the analysis of whether the plaintiffs have standing to be slightly different from most data breach or privacy cases:

The prospect of a material change in workers’ terms and conditions of employment gives these suits a concrete dimension that Spokeo, Groshek, and Casillas lacked. Either the discontinuation of the practice, or the need for the air carriers to agree to higher wages to induce unions to consent, presents more than a bare procedural dispute. See Robertson v. Allied Solutions, LLC, 902 F.3d 690, 697 (7th Cir. 2018). (“Article III’s strictures are met not only when a plaintiff complains of being deprived of some benefit, but also when a plaintiff complains that she was deprived of a chance to obtain a benefit.”)

With the Seventh Circuit’s reference to Spokeo and similar cases we can expect defendants to argue that the Seventh Circuit was not convinced that BIPA claimants can survive motions to dismiss without injuries that are “particular and concrete.”

On the other hand, we can expect plaintiffs to argue the Spokeo analysis has no relevance because lack of proper consent is a violation under BIPA and, therefore, employees and customer are “aggrieved” within the meaning of the Act. Many of the BIPA cases have not progressed far enough through the courts to allow a full analysis of whether class action plaintiffs need to show independent injury beyond improper notification.

• Notice To Union Representatives

In addressing whether the airlines gave proper notice as required by BIPA, the Seventh Circuit examined whether the unions were provided with sufficient information to consent to “how workers clock in and out.” The Seventh Circuit provided the following analysis concerning notification for union members:

BIPA “provides that a worker or an authorized agent may receive necessary notices and consent to the collection of biometric information.” 740 ILCS 14/15(b). Based on this statutory language, the Seventh Circuit states “We reject plaintiffs’ contention that a union is not a ‘legally authorized representative’ for this purpose. Neither the statutory text nor any decision by a state court suggests that Illinois wants to exclude a collective-bargaining representative from the category of authorized agents.

Admittedly, the involvement of the airline unions pushes the Seventh Circuit to examine issues that may not impact the vast majority of BIPA cases where the class action plaintiffs may not belong to a union. However, many defendants will be able to take the position that their case is not over merely because the class action plaintiffs did not receive notification.

• Removal From State Court To Federal Court

The Seventh Circuit did not have to address whether these matters could be removed from state court to federal court. That is, the Seventh Circuit could have left its analysis at an adjustment board operating under the Railway Act should address the BIPA claims. The Court still addresses this question and allows for the inference that removal is appropriate in BIPA cases based on diversity of citizenship:

Given our conclusion that the federal-question jurisdiction supports removal, we need not remand for the district court to explore the question whether on the date the case was removed, one class member was a citizen of Wisconsin or Indiana, or conceivably some third state other than Illinois or Delaware—say, a citizen of California temporarily detailed to work at O’Hare.

While the Seventh Circuit did not have to address this question, the Court acknowledged the fact that many BIPA cases filed in state court may be removed to federal court because there are likely going to be employees that reside outside of Illinois. Therefore, removal may be an option in the vast majority of BIPA class actions when Illinois corporations have a large number of employees. Further, this question will become even more important as BIPA claims brought by customers become more routine.

• These Questions Are Not Going Away

Outside the procedural aspects of BIPA ligation, the full impact of the use of equipment to collect and store biometric data will be unclear until courts provide guidance on these issues.  Further, the bounds of biometric laws will be tested as this equipment begins to be increasingly used on the general public outside the context of employees. For example, just last week, there were a number of reports about the use of biometric equipment on air travelers:

TSA is testing a biometrics system, including at the busy Atlanta airport, that uses Customs and Border Protection databases to verify customers’ identities when they check in, pass through security and board their flights.The ultimate goal: Eliminate the need to carry a boarding pass, passport or other identification — with cameras and computers verifying travelers’ identities.

It will be interesting to see how biometric equipment will be received by air travelers.  Of course, air travel customers are different from employees as they can simply switch to a competitor that does not use biometric gathering equipment to register their opposition to the collection and use of their information. Therefore, if there is a true backlash against this equipment, we may see companies abandon the use of this equipment for customers.

The post Seventh Circuit’s Recent Decision Indicates Courts May Be Willing To Chip Away At BIPA appeared first on Privacy Risk Report.

While many states are still struggling to enact comprehensive cyber/privacy laws and the federal government still lacks a uniform framework, Illinois data collectors have been working under the most advanced privacy statutes and common law in the United States. Specifically, the Illinois legislature has taken steps through the Personal Information Protection Act and the Biometric Information Protection Act (“Biometric Act”) that will put data collectors and courts at the forefront of privacy law for years to come.

The latest development in Illinois privacy law was seen last Friday when the Illinois Supreme Court issued its decision in Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Jan. 25, 2019) which provides insight on what is necessary to bring a cause of action under the Biometric Act.  In Rosenbach, the Illinois Supreme Court analyzed the provision in the Biometric Act which states that “[a]ny person aggrieved by a violation of this Act shall have a right of action in a State circuit court or as a supplemental claim in federal district court against an offending party.”  The central question for the Supreme Court was whether the use of the term “aggrieved” in the Biometric Act requires a plaintiff assert that they suffered an injury in addition to having their biometric data collected.  In reversing the Illinois Court of Appeals, the Supreme Court found a violation of the Biometric Act when a data collector merely took information from a minor without proper consent.  The most important aspect of this case is a data collector can be liable without breaching any information.

• The Facts In Rosenbach

The Defendant, Six Flags Entertainment Corporation (“Six Flags”), operates an amusement park located in Gurnee, Illinois.  The Plaintiff, Stacy Rosenbach (“Rosenbach”), is a parent of a 14-year-old boy that visited Six Flag’s amusement park for his class trip. Before the trip, Rosenbach purchased a season pass for her son using Six Flag’s website.  Rosenbach claims she was surprised to find out that her son was directed to scan his thumbprint to gain access to Six Flags and to receive his season pass card.  Rosenbach claims she would not have purchased the season pass for her son if she knew Six Flags intended to collect his thumbprint without obtaining written consent or disclosing their plan to collect such data. Rosenbach claimed she was “aggrieved” under the Biometric Act without any allegation that Six Flags breached any data.

In Rosenbach, The Illinois Supreme Court provided the following analysis of the term “aggrieved” as in the Biometric Act:

More than a century ago, our court held that to be aggrieved simply “means having a substantial grievance; a denial of some personal or property right.” Glos v. People, 259 Ill. 332, 340 (1913). A person who suffers actual damages as the result of the violation of his or her rights would meet this definition of course, but sustaining such damages is not necessary to qualify as “aggrieved.” Rather, “[a] person is prejudiced or aggrieved, in the legal sense, when a legal right is invaded by the act complained of or his pecuniary interest is directly affected by the decree or judgment.” (Emphasis added.) Id.  ¶

• The Illinois Court Of Appeals’ Decision Is Reversed

The Illinois Court of Appeals held the allegations that Six Flags took patrons’ thumbprints without proper consent was not a violation of the Act because the patrons were not “aggrieved” as required by the Biometric Act.  In reversing the Court of Appeals, the Illinois Supreme Court held:

In sum, defendants’ contention that redress under the Act should be limited to those who can plead and prove that they sustained some actual injury or damage beyond infringement of the rights afforded them under the law would require that we disregard the commonly understood and accepted meaning of the term “aggrieved,” depart from the plain and, we believe, unambiguous language of the law, read into the statute conditions or limitations the legislature did not express, and interpret the law in a way that is inconsistent with the objectives and purposes the legislature sought to achieve. That, of course, is something we may not and will not do.

• Potential Impact Of This Decision

The Rosenbach decision will undoubtedly cause ripples in privacy law for years to come as a party can conceivably maintain a viable cause of action without pleading any “actual injury or damage.”  This decision may close the door on data collectors being held liable only when they breach biometric data.  Rather, data collectors will need to review all processes that may collect biometric data to confirm they are complying with the Biometric Act.  For example, Six Flags may now need to revamp its use of thumbprints to make sure it obtains consent from a minor’s guardian and they make clear how the data will be used.

Further, this decision may undercut the usefulness of expensive equipment used to collect biometric data if a majority of people withhold their consent to have their information collected.  For example, many workplaces have started to track employees’ hours by using biometric data including fingerprints and thumbprints.  These new systems that rely on biometric data make “clocking in” more convenient than systems that may rely on employee numbers or time cards.  It will be interesting to see how employers will work with employees that refuse to consent to having their biometric information collected after the employer purchased the expensive equipment.  Suffice it to say, we can expect Illinois to continue to be the source of many influential developments in privacy law in the coming years.

The post Illinois Leaves Its “Thumbprint” On American Privacy Law As The Illinois Supreme Court Finds An Individual Can Bring An Action Under the Biometric Act Without Being Involved In A Breach appeared first on Privacy Risk Report.

Taylor Swift has a stalker problem.  In April 2018, a man broke into her New York City loft and took a shower before falling asleep in her residence.The same stalker attempted to break Taylor Swift’s front door down with shovel in February 2018. Other stalkers have sent emails threatening to kill Taylor Swift’s entire family. Suffice to say, Taylor Swift and other public personalities should take all reasonable steps to protect themselves and their families. And, thankfully, it appears Taylor Swift is taking these threats seriously.  In addition to taking a variety of other security measures, a number of news reports indicate Taylor Swift has installed a face-recognition camera at her concerts that cross-references pictures of her known stalkers.

A recent Rolling Stone article provides the following information concerning this new security measure:

Taylor Swift fans mesmerized by rehearsal clips on a kiosk at her May 18th Rose Bowl show were unaware of one crucial detail: A facial-recognition camera inside the display was taking their photos. The images were being transferred to a Nashville “command post,” where they were cross-referenced with a database of hundreds of the pop star’s known stalkers, according to Mike Downing, chief security officer of Oak View Group, an advisory board for concert venues including Madison Square Garden and the Forum in L.A. “Everybody who went by would stop and stare at it, and the software would start working,” says Downing, who attended the concert to witness a demo of the system as a guest of the company that manufactures the kiosks.

While there is no reasonable argument against Taylor Swift taking reasonable steps to protect herself from stalkers, we cannot ignore the privacy questions related to this new security method.  Specifically, there are significant questions involving the privacy of individuals that have their images captured, the vast majority are not stalkers. And, unfortunately, there is little guidance on how this new technology should be used.

While we do not have substantial legal guidance on this new security method using biometric data, there are at least a couple of sources that provide some insight.  At present, most protections for biometric data arises out of state laws and regulations such as the Illinois Biometric Information Protection Act (“BIPA”).  BIPA states that “[a]ny person aggrieved by a violation of this Act shall have a right of action in a State circuit court or as a supplemental claim in federal district court against an offending party.”  As it stands, the technology that allows for the storage and collection of biometric data may be outpacing the development of protections for this information. For example, by using the term “aggrieved,” there is a possible violation under at least one or any of the following scenarios:

• The collection of biometric data without the individual’s consent;
• The collection and use of biometric data without the individual’s consent;
• The collection of biometric data with consent but use without consent;
• The collection of biometric data with consent and use of the data outside the limited consent provided by the individual.

While BIPA clearly states any person “aggrieved by a violation” of BIPA has a potential cause of action, there is little guidance as to when a person should bring suit.

While the protections arising from BIPA are cutting edge compared to most states where there are no protections in place for biometric data, courts are still being called upon to interpret biometric data protection laws.  For example, the Illinois Supreme Court recently heard arguments in a case that may become the cornerstone decision interpreting the term “aggrieved” as used in BIPA.

In Rosenbach v. Six Flags Entertainment Corp., 2017 Ill. App (2d) 170317, 2017 WL 65239, the Illinois Court of Appeals held allegations that an amusement park taking patrons’ thumbprints without proper consent was not a violation of the Act because the patrons were not aggrieved under the Act. The Defendant, Six Flags Entertainment Corporation (“Six Flags”), operates an amusement park located in Gurnee, Illinois.  The Plaintiff, Stacy Rosenbach (“Rosenbach”), is a parent of a 14-year-old boy that visited Six Flag’s amusement park for his class trip.  Before the trip, Rosenbach purchased a season pass for her son using Six Flag’s website.  Rosenbach claims she was surprised to find out that her son was directed to scan his thumbprint to gain access to Six Flags and to receive his season pass card.  Rosenbach claims she would not have purchased the season pass for her son if she knew Six Flags intended to collect his thumbprint without obtaining written consent or disclosing their plan to collect such data.

In determining whether real or actual harm was required for a party to be “aggrieved” under the Act, the Court of Appeals held “if the Illinois legislature intended to allow for a private cause of action for every technical violation of the Act, it could have omitted the word “aggrieved” and stated that every violation was actionable.”  Based on this reasoning, the Court of Appeals held Rosenbach could not recover because “a plaintiff who alleges only a technical violation of the statute without alleging some injury or adverse effect is not an aggrieved person” under the Act.

Of course, data collectors and individuals will have more guidance once the Illinois Supreme Court either affirms or reverses the Court of Appeals in Rosenbach.  And, while the Supreme Court will provide some clarity, we should not be surprised if this decision fails to answer all questions related to BIPA.

The privacy issues are clear even when viewed outside of the various biometric data laws. For example, the Rolling Stone article on Taylor Swift’s use of the images asks: “Despite the obvious privacy concerns — for starters, who owns those pictures of concertgoers and how long can they be kept on file?”  And, that is a reasonable question for any data collector or individual having their data collected.  In addition to the concerns discussed in Rolling Stone, there are a number of other questions that quickly come to mind:  Can Taylor Swift keep the images and cross-reference them down the road when new stalking cases arise?  Are the images limited to be used in only stalking cases?  Can Taylor Swift use the images for marketing purposes?  Do concertgoers need to give consent to have their images taken?  In simpler terms, Taylor Swift’s security team will need to analyze the likelihood that non-stalker concert-goers are going to be “aggrieved” by having their photos taken without consent. Suffice it to say, the parent in Rosenbach may be just as angry if she sent her teenager to a Taylor Swift concert and her child was photographed without consent.  Consequently, even though courts are increasingly providing clarification on these issues, we can expect to see technology continue to outpace the law on biometric issues.

The post Shake It Off! Even Taylor Swift Is Collecting Your Biometric Data appeared first on Privacy Risk Report.