New York City recently enacted a biometric ordinance that is set to come into effect July 9, 2021. With this ordinance, NYC joins other cities (like Portland) in regulating the use of biometric information. The ordinance may impact retailers, restaurants, and entertainment venues in the city that use security cameras with facial-recognition technology or otherwise collect biometric identifiers from their customers.
Continue Reading New York City Biometric Ordinance Effective July 9, Are You Ready?

The Illinois Biometric Information Privacy Act (BIPA) has spawned hundreds of class action lawsuits and a raft of unresolved issues.  A core issue from a litigation perspective—as well as for companies bracing for potential lawsuits—is one of “standing,” and in particular, what BIPA claims can be brought by plaintiffs in what venues.

Continue Reading Beware BIPA Bifurcation: Plaintiffs’ New Gambit to Split BIPA Claims Between State and Federal Courts 

The new acting FTC chair, Rebecca Kelly Slaughter, recently signaled that the FTC may increase enforcement and penalties in the privacy and data security realm. Slaughter pointed to several areas of focus for the FTC this year, which companies will want to keep in mind:
Continue Reading What Is FTC’s Course Under Biden?

Artificial intelligence continues to be a focus and concern for businesses, regulators, and lawmakers alike. As we recently wrote, there was much activity and focus on artificial intelligence and the impact on privacy laws. In addition to legal developments, there have been advancements in AI business technologies by major multinational technology firms, something focused on this post in our sister Intellectual Property Law Blog. There has been an arms race underway by the world’s leading economies to win the estimated $13 Trillion of GDP this field stands to award the winner.  In a recent podcast episode, partners Siraj Husain and Michael P.A. Cohen discuss these developments, risks, and solutions that businesses are experiencing.
Continue Reading What to Watch in Artificial Intelligence in 2021

Many have been watching facial recognition law developments closely, and saw that Portland became the first US city to regulate the use of such technology by private entities operating “places of public accommodation” within the city. Of particular concern for the Portland city council was the use potentially discriminatory use of these technologies, and its impact on “children, Black, Indigenous and People of Color, people with disabilities, immigrants, refugees, and other marginalized communities and local businesses.”
Continue Reading Portland’s Facial Recognition Law: Impact on National Companies

The Federal Trade Commission recently entered the biometric fray. It settled with a now-defunct photo-storage app over its use of facial recognition technology. According to the FTC, the company engaged in a variety of deceptive and unfair acts, in violation of Section 5 of the FTC Act.
Continue Reading Defunct Photo App Agrees to Erase Biometric Data in FTC Settlement

The Seventh Circuit has recently ruled that plaintiffs have standing to enforce the Illinois Biometric Information Privacy Act’s informed consent requirements in federal court. As we have written before, , BIPA regulates the collection, use, and retention of a person’s biometric information, e.g., fingerprints, face scans, etc. For years, federal trial courts have been split on whether a violation of BIPA’s informed consent provision is alone sufficient to confer Article III standing. . The decision in Bryant v. Compass Group USA, Inc., — F.3d —-, 2020 WL 2121463 (7th Cir. May 5, 2020) removes that uncertainty and will drastically change the landscape of BIPA litigation going forward.
Continue Reading Seventh Circuit Issues Landmark BIPA Decision

A lawsuit against US Cold Storage under the Biometric Information Privacy Act was recently dismissed because, the court held, the violations of the law were merely technical. As a result, the plaintiff did not have sufficient standing. This decision echoes the other cases we have reported on recently.
Continue Reading No Federal Court Standing for BIPA Violation Without Injury

French data protection authority CNIL has issued a fine against company Assistance Centre d’Appel related to the use of biometric technology in the workplace. During an audit at the end of 2016, CNIL found that the company was using fingerprint timeclocks to track employee hours without prior authorization from CNIL as required by the French Data Protection Act. In France, an employer may not use biometric data to monitor employees’ hours absent prior approval from CNIL, which is only granted in exceptional circumstances. During the 2016 audit, CNIL also found that the company was recording employee phone calls without informing the employees or other call participants, and lacked adequate workstation security. While the company has since ceased the use of fingerprint timeclocks, a 2018 audit by CNIL revealed that the company had failed to properly inform telephone call participants about call recording, and that workstations remained insecure. The fine was set at € 10,000, which was based upon the partial compliance of the company and its finances. The company only employs fourteen workers. In publishing its decision, CNIL stated that it sought to remind employees of their rights and employers of their obligations, particularly with respect to biometrics in the workplace. CNIL also intended to remind companies of the consequences for failing to respond to and comply with CNIL notices of default.
Continue Reading France Imposes Fine for Unauthorized Use of Fingerprint Timeclocks

Last month a federal district court dismissed a putative class action lawsuit against United Airlines challenging its use of fingerprint scanning timeclocks. The lawsuit brought by United employee David Johnson alleged that the company’s collection and use of employees’ fingerprints violated the Illinois Biometric Information Privacy Act (BIPA) because the company failed to get the requisite consent from its employees for fingerprint collection and use.
Continue Reading BIPA Claims Against United Airlines Must be Arbitrated Due to Collective Bargaining Agreement

In continuing our series on biometrics, we conclude with an analysis of protection requirements and risks. Illinois, Texas, and Washington—the three states which have thus far implemented specific biometric privacy laws—each require companies to reasonably protect biometric data in their possession. Illinois and Texas have further specified that the data must be protected to the same degree as other confidential and secret information. All three states require that the data be destroyed within a fixed amount of time.
Continue Reading Biometric Breakdown Part IV – Protecting