LitLand is a monthly feature that reviews developments in litigation as they relate to privacy matters and highlights any past, current, and future cases about which you should know.

When the government’s database of individual retina information causes the protagonist to get an eye implant and carry his real eyes in a bag, we get . . . another Tom Cruise blockbuster! When businesses in the real world implement biometric technology and collect consumer data as a more secure alternative to traditional passwords, we get . . . class actions? That seems to be the future that bills like Massachusetts’s S. 120, An Act Relative to Consumer Data Privacy, promise. Although not the first state to implement a biometric privacy law, or even the first to provide a private right of action when such information is breached, Massachusetts’ proposed law is different from every other law in that the legislature seemingly sought to avoid the “standing” pitfalls that plaintiffs in other states have faced, resulting in a statutorily conferred low-standing bar that potential plaintiffs will need to clear.

Brief Background

Biometric information refers to those metrics that are tied to an individual’s physical or behavioral traits. Unlike a traditional password or security question, biometric information provides enhanced security for personal information because of the difficulty in copying a unique physical or character trait like a smile or fingerprint pattern. Unfortunately, the expectation of permanence that accompanies all of our biometric profiles means that a compromise of biometric data could create significant problems for the affected individual.

Currently three states have biometric privacy laws in place: Illinois, Texas, and Washington. They range in scope and stringency, with Illinois’ Biometric Information Privacy Act (BIPA) far outpacing the other two in terms of the protections it offers to consumers, with Texas situated in the middle, and Washington being on the other end of the spectrum and relatively less restrictive. While all three require some sort of notice and consent, and have rules regarding the commercial use of biometric data, only BIPA gives consumers a private right of action.

Since BIPA was enacted, certain other states, including Alaska, California, Connecticut, Delaware, Florida, Massachusetts, Michigan, New Hampshire, New York, and North Carolina have tried to implement their own privacy laws that address biometric data. A number of them mimic BIPA and provide for a private right of action.

BIPA’s Private Right of Action

Under BIPA “[a]ny person aggrieved by a violation of” the law has a right of action “against an offending party.” Successful plaintiffs can recover $1,000 for each negligent violation and upwards of $5,000 for any violation deemed willfully and/or recklessly negligent. BIPA defines "biometric information" as “any information, regardless of how it is captured, converted, stored, or shared, based on an individual's biometric identifier used to identify an individual.” The law defines “biometric identifier” as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” The law’s overall regulation of the collection, retention, use, and storage of biometric information, combined with the broad definitions of biometric information and biometric identifier, raised expectations that the private right of action would be a devastating tool for potential plaintiffs. Indeed, the law’s passage led to a wave of class action lawsuits, with plaintiffs alleging that companies failed to either comply with BIPA’s notice rules, or failed to obtain written consent. However, as with other privacy lawsuits, many of these cases failed because of standing issues—specifically the failure to show a harm or injury.

That may be changing, however – at least in Illinois state courts. In the most famous of these cases, Rosenbach v. Six Flags & Great America, the plaintiff alleged that the defendant failed to both obtain verifiable written consent to collect fingerprints and disclose its policies for the collection, retention, and destruction of consumer biometric data. The Appellate Court noted that BIPA provides a right of action to those “aggrieved by” a violation, and found that the plaintiff’s assertion of a mere technical violation of the Act did not establish the actual injury necessary to confer standing. The Illinois Supreme Court reversed and remanded that decision in January of this year, finding that BIPA did not expressly require plaintiffs to show actual damage in order to maintain a claim for relief. Rosenbach v. Six Flags Entertainment Corp., No. 123186 (S. Ct. Ill. Jan. 25, 2019), at 8. The court also found that the Illinois legislature intended BIPA to serve “preventative and deterrent purposes,” which could be achieved only if the private right of action were available to plaintiffs before they sustained an actual injury. Id. at 12. To require plaintiffs to allege actual injury or harm resulting from a private entity’s violation of BIPA would frustrate the legislature’s intent. Therefore, plaintiffs are “aggrieved” and entitled to seek liquidated damages when their rights under BIPA have been infringed, regardless of whether they have suffered actual harm. Notably, at the federal level, at least one court interpreting BIPA certified a class using similar reasoning as the Illinois Supreme Court—that BIPA does not require “considerable detail” or “additional proof of individualized ‘actual’ harm” in order for a plaintiff to satisfy harm for Article III standing. In re Facebook Biometric Info. Privacy Litig., No. 3:15-CV-03747-JD, 2018 WL 2197546, at *1 (N.D. Cal. May 14, 2018), appeal pending, No. 18-15982 (9th Cir.) (argument scheduled June 12, 2019).

The Massachusetts Bill

Massachusetts S. 120 provides that any violation of the law “constitute[s] an injury in fact to the consumer who has suffered the violation, and the consumer need not suffer a loss of money or property as a result of the violation in order to bring an action . . ..” (Emphasis added.) Simply alleging that defendant has violated the law appears to be sufficient to satisfy the harm and injury elements of standing. If BIPA provides any lesson, there will surely be a wave of plaintiffs seeking to take advantage of the Massachusetts statute. Unfortunately, the potential exposure for businesses across the country may well exceed that of those subject to BIPA. Successful plaintiffs in Massachusetts could recover the greater of up to $750 per consumer per incident, or actual damages. In contrast, BIPA is capped at $1,000 or $5,000 per violation, and requires a showing of negligence or scienter for intentional or reckless negligence. Massachusetts does not have these limitations.

What this means is that a company that suffers a data breach, despite having reasonable security measures in place, may avoid damages in Illinois where plaintiffs must show negligence, while the same company could have a hefty bill in Massachusetts if S. 120 is enacted.