Can unionized employees sue their employers in court for violations of Illinois’ Biometric Information Privacy Act (BIPA)? In a rare victory for BIPA defendants, the Illinois Supreme Court unanimously ruled they cannot.Continue Reading Illinois Supreme Court Finds Federal Law Labor Preempts Union Members’ BIPA Claims
David Poell is a partner in the Business Trial Practice Group in the firm’s Chicago office, particularly focusing on the areas of consumer privacy and class action litigation.
February 2023 was a momentous month for Illinois’ Biometric Information Privacy Act (BIPA). Just two weeks after imposing a 5-year time limit for all BIPA claims, the Illinois Supreme Court resolved another pressing issue. In Cothron v. White Castle System, Inc., the Illinois Supreme Court considered whether a BIPA claim accrues every time a company scans or transmits a person’s biometric identifier (e.g., fingerprint) without consent. In a closely divided 4-3 ruling, the Court answered “yes.” Continue Reading Illinois High Court Rules “Per-Scan” Damages Can Be Awarded Under BIPA
A plaintiff has her fingerprints forever. But she doesn’t have forever to file a lawsuit for improper retention, deletion, collection, or use of her fingerprints. For years, Illinois courts have been perplexed on what statute of limitations applies to different claims under the Illinois Biometric Information Privacy Act (“BIPA”). That left an unanswered question: how long does a plaintiff have to file a BIPA claim before losing it? The Illinois Supreme Court weighed in last week, siding with the plaintiffs’ bar. In Tims v. Black Horse Carriers, Inc., that Court held that plaintiffs have five years to file any BIPA claim.Continue Reading Illinois High Court Allows Biometric Privacy Claims to Go Back Five Years
An Illinois state appellate court’s recent ruling will impact how companies consider compliance with Illinois’ Biometric Information Privacy Act (BIPA). That court ruled companies must have a BIPA-compliant written retention-and-destruction policy in place before collecting and possessing biometric data. The decision makes clear that mere possession of biometric data triggers the duty to develop the necessary written BIPA policy. In relevant part, under BIPA’s section 15(a), companies must establish a written, publicly-available policy that governs their retention and destruction of biometric data.Continue Reading Illinois Appellate Court Weighs in on Biometric Data Policies
The Supreme Court’s recent decision in Van Buren addressed the meaning of the term “exceeds authorized access” under the Computer Fraud and Abuse Act (CFAA). The Court held, in a criminal case that alleged that the person used information for an improper purpose, that the law’s definition of this term does not include situations when people have improper motives for obtaining computerized information they are otherwise authorized to access.
Continue Reading The Impact of the Narrowed Scope of CFAA Liability in the Privacy and Security Realm
The Illinois Biometric Information Privacy Act (BIPA) has spawned hundreds of class action lawsuits and a raft of unresolved issues. A core issue from a litigation perspective—as well as for companies bracing for potential lawsuits—is one of “standing,” and in particular, what BIPA claims can be brought by plaintiffs in what venues.
Continue Reading Beware BIPA Bifurcation: Plaintiffs’ New Gambit to Split BIPA Claims Between State and Federal Courts
The Federal Trade Commission recently entered the biometric fray. It settled with a now-defunct photo-storage app over its use of facial recognition technology. According to the FTC, the company engaged in a variety of deceptive and unfair acts, in violation of Section 5 of the FTC Act.
Continue Reading Defunct Photo App Agrees to Erase Biometric Data in FTC Settlement
The FCC recently adopted new rules that will limit the volume of calls that can be made to residential phones under certain TCPA consent exceptions. The new rules affect non-telemarketing calls that use an artificial or prerecorded voice. For years, companies have been able to make unlimited numbers of these calls to residential lines without the need for prior express consent if the exceptions applied. Beginning later in 2021, companies will need to follow volume limits for the following types of exempted calls, unless they have obtained prior express consent to make more calls. The new limits will apply to calls that fall into one of these consent exceptions:
Continue Reading FCC Sets Volume Limits For Some Prerecorded Calls to Home Phones
The Supreme Court’s recent decision in Barr v. American Association of Political Consultants held the government-debt exception of the TCPA unconstitutional under the First Amendment’s Free Speech Clause. This means that going forward, companies that make “debt-collection” calls on behalf of the federal government can only do so with the prior express written consent of the called individuals.
Continue Reading TCPA’s 2015 Government-Debt Collection Exception Struck Down- Now What?
The Seventh Circuit has recently ruled that plaintiffs have standing to enforce the Illinois Biometric Information Privacy Act’s informed consent requirements in federal court. As we have written before, , BIPA regulates the collection, use, and retention of a person’s biometric information, e.g., fingerprints, face scans, etc. For years, federal trial courts have been split on whether a violation of BIPA’s informed consent provision is alone sufficient to confer Article III standing. . The decision in Bryant v. Compass Group USA, Inc., — F.3d —-, 2020 WL 2121463 (7th Cir. May 5, 2020) removes that uncertainty and will drastically change the landscape of BIPA litigation going forward.
Continue Reading Seventh Circuit Issues Landmark BIPA Decision
For the first time, the U.S. Supreme Court has agreed to review the Computer Fraud and Abuse Act (CFAA) in Van Buren v. United States, No. 19-783. A federal circuit split exists on the issue of whether the statute can only be used against hackers and unauthorized users of electronic systems, or also against authorized users who use the information for unauthorized purposes. In the context of data breaches, companies sometimes look to interpretations of the meaning of “authorization” in CFAA cases to analyze whether notification obligations may exist.
Continue Reading SCOTUS Review of CFAA May Impact Analysis in Data Breach Notification Obligations