The COVID-19 pandemic created a new normal for Americans—one where family members of all ages work and go to school from home. Businesses and schools have turned to technology to facilitate remote work and e-learning. Companies in the education space have rapidly adapted to offer expanded online educational experiences. Although distance learning tools have allowed schools to continue teaching despite the pandemic, the new online platforms and software offerings raise concerns about student data privacy.1
Similarly, employers rushing to facilitate work from home may not have considered the legal risks associated with data collection and analytics as thoroughly as they would have under normal circumstances. Unfortunately, the desire to quickly roll out technology for videoconferencing, identity verification, and timekeeping may expose businesses to liability under the Illinois Biometric Information Privacy Act (“BIPA”).2 Companies that capture or collect biometric information such as fingerprints or voiceprints3 run the risk of violating BIPA if proper disclosures and procedures are not in place. Because of the unprecedented increase in the use of technology and the large penalties that can accumulate under BIPA,4 businesses and insurers need to understand the risks associated with recording or collecting biometric information.
COVID-19 Will Result in Increased BIPA Claims Against Businesses Servicing the “Rush to Remote”
The recent class action filed in the Northern District of California illustrates some of the risks accepted by businesses assisting with remote learning. In H.K. et al. v. Google LLC, two students, through their father, filed a class action complaint against Google, LLC (“Google”).5 In the complaint, the plaintiffs allege violations of Illinois’ BIPA and the federal Children’s Online Privacy Protection Act (“COPPA”). The complaint alleges that Google provided ChromeBooks with its pre-installed “G Suite for Education” platform, collecting and storing face scans, voiceprints, and other forms of personal identifying information for children.6 Specifically, the complaint alleges that Google violated BIPA by providing software to the students and collecting certain biometric data without (1) providing a written policy regarding data retention and destruction of biometric identifiers or biometric information and (2) securing informed written consent.7
Although the class action brought against Google is not specifically tied to actions Google took in response to COVID-19, the lawsuit exemplifies the increased exposure to privacy regulations faced by stakeholders of the recent increases in remote work, learning, and services.
The Rise in BIPA Litigation
Although BIPA became effective in 2008, the recent uptick in BIPA litigation is a natural result of major court opinions permitting litigants to pursue causes of action against private entities for technical violations of statutory rights. Specifically, in a January 2019 opinion, the Illinois Supreme Court held that “an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an ‘aggrieved’ person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act.”8
As hundreds of BIPA-related lawsuits have now been filed by customers and employees in the last two years, biometric information privacy and security has quickly became a major risk for businesses and their insurers. This increased litigation has raised questions regarding federal court standing and BIPA’s extraterritorial impact.
Federal Court Standing
Beyond the debates surrounding state statutory standing, the U.S. Courts of Appeals have begun to wrestle with federal court Article III standing. Just a few weeks ago, on May 5, 2020, the Seventh Circuit held that a plaintiff’s claims that defendant failed to fulfill the informed consent requirements of BIPA’s Section 15(b) satisfied Article III’s injury-in-fact requirement.9 Specifically, the Court stated “[t]his was not a failure to satisfy a purely procedural requirement” as “[plaintiff] did not realize that there was a choice to be made and what the costs and benefits were for each option. This deprivation is a concrete injury-in-fact that is particularized to [her].” Apart from deepening a circuit split on the standing issue, the Court’s decision also alerts employers that removal to federal court is one more strategy available in the defense of putative class actions.
Although businesses may assume their operations are not restricted by BIPA as long as they do not operate in Illinois, this assumption could be costly. The extent of BIPA’s geographical reach is not yet fully known. Recent cases like H.K. et al. v. Google LLC, filed in California, shed light on the extraterritorial impact of BIPA. But ultimately, the application of BIPA to activity outside of Illinois is fact-intensive. This need for case-specific inquiry means that discovery will likely be required before the viability of extraterritoriality defenses can be determined.
In light of the need for rapid action and reaction to the hurdles created by COVID-19, as well as the lack of clarity regarding just how far BIPA regulations extend, businesses can reduce their exposure to BIPA liability by familiarizing themselves with the requirements of the Act and implementing data policies consistent with those requirements.
1 Valerie Strauss, As schooling rapidly moves online across the country, concerns rise about student data privacy, Wash. Post (March 20, 2020).
2 Biometric Information Privacy Act (eff. 10-03-08).
3 Although a “voiceprint” is not defined by the statute, voiceprints are referenced as one of the many “biometric identifiers” protected by BIPA. “‘Biometric identifier’ means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Biometric identifiers do not include writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color.” See 740 ILCS 14/10 (2016).
4 BIPA permits any “person aggrieved” by a statutory violation to sue for the greater of either actual damages or “liquidated damages” of $1,000 for a negligent violation or $5,000 for an intentional or reckless violation. See 740 ILCS 14/20 (2016).
5 H.K. et al. v. Google LLC, Class Action Complaint, 5:20-cv-02257 (April 2, 2020).
6 Class Action Complaint, ¶ 6.
7 Class Action Complaint, ¶¶ 18-19.
8 Rosenbach v. Six Flags Entm't Corp., 129 N.E.3d 1197, 1207 (Ill. 2019).
9 Bryant et al. v. Compass Group U.S.A. Inc., No. 20-1443 (7th Cir. May 5, 2020).
Sign up for our newsletter and get the latest to your inbox.