With the first quarter of 2022 at a close, litigation involving the collection and protection of biometric data has taken off to a hot start, setting a fervent pace that could mean big things for data privacy litigation for 2022 (with crossover impact on data breach and cybersecurity litigations, as outlined below). Read on to see what trends CPW has seen, and which topics we will be keeping our eyes on as the year continues. For more information, be sure to register for our webinar on April 5 from 12-1 pm on "Developments and Trends Concerning Biometric Privacy and Artificial Intelligence."
I. New Biometric Privacy Cases Filed in Q1 2022
At time of writing, more than one hundred and ten cases have been filed related to biometric data privacy. It should come as no surprise to regular CPW readers to learn that nearly all of these cases were prospective class action claims filed in Illinois alleging damages under the Biometric Information Privacy Act ("BIPA"). For those new to CPW, BIPA is a state statute that provides state citizens with a private cause of action if their biometric information has been collected or shared without their informed consent.
Some quick statistics about these BIPA cases:
- The majority, more than sixty-five cases, involved claims resulting from fingerprints captured by timekeeping machines by the plaintiffs' employer.
- Twenty-five of these litigations involved allegations that the fingerprints were collected without the plaintiff's knowledge or consent, while nineteen complaints alleged that the employer failed to provide the plaintiffs with information relevant to the recording and retention of the information. Additionally, thirteen litigations filed sought damages alleging that plaintiff's employer failed to safeguard the data from third parties and/or hackers. Finally, eight plaintiffs simply alleged that the employer never obtained written consent as required under the statute.
- Eleven litigations were filed concerning allegations that the defendant had obtained the plaintiffs' facial geometry without knowledge or informed consent, or without safeguarding the information from third parties-a growing area of BIPA litigation, consistent with prior trends.
- Moreover, ten cases concerned claims involving the collection of voice recognition data-another growing area of potential litigation risk.
II. Biometric Privacy Cases to Watch in 2022
CPW has identified a number of biometric cases as ones to keep an eye on as the year progresses. This includes:
Stein v. Clarifai, Inc., No. 22 CV 314 (D. Del.): After winning dismissal of a BIPA class action filed in Illinois on personal jurisdiction grounds (covered by SPB team member David Oberly for Bloomberg Law here), AI software developer Clarifi found itself hauled into court once again-this time in Delaware-for purportedly running afoul of Illinois's biometric privacy statute. In that case, Stein v. Clarifai, Inc., Clarifai-which specializes in machine learning to identify and analyze images and videos using facial recognition technology-improperly harvested facial template data from OkCupid dating profile photos without providing notice or obtaining consent. If this procedural posture seems familiar to some, that is because it parallels another recent BIPA class action involving a cloud-based call center entity and its integrated voiceprinting technology provider-which was also refiled in Delaware after being dismissed in Illinois due to an absence of personal jurisdiction. The plaintiffs in the earlier voiceprint class action fared no better the second time around, with a Delaware federal court dismissing the re-filed suit based on a successful extraterritoriality challenge. Only time will tell if the Clarifi suit will be able to avoid the same fate.
Roberts v. Cooler Screens Inc., No. 2022-CH-0184 (Ill. Cir. Ct. Cook Cnty.): In another recently-filed case, Roberts v. Cooler Screens Inc., Cooler Screens's "Smart Coolers" have been targeted for allegedly improper biometric data collection practices that purportedly violate BIPA. "Smart Coolers" replace refrigerator cases in retail stores, replacing the doors with digital screens that provide an "interactive experience" to customers. This experience, according to the complaint, includes a "facial profiling system" that "detect[s] the age, gender, and emotional response of over 3 million verified daily viewers." The facial recognition system analyzes each customer, determining which advertisements and suggestions are most likely to lead to a purchase. While some might view this as an exciting potential advertising opportunity, the plaintiff saw otherwise. The technology in the litigation was characterized as an unlawful collection of biometric data, and a violation of BIPA's requirements to provide information and obtain consent. This will be worth watching, as the overlapping space between developing technology and efforts to ensure the privacy of biometric data is likely to lead to further litigation in the near future.
Copple v. Arthur J Gallagher & Co., No. 22 CV 116 (W.D. Wash.): Outside of BIPA claims, some litigants have alleged harms emerging from biometric data in other contexts. In Copple v. Arthur J Gallagher & Co., a ransomware attack has resulted in a prospective class-action lawsuit filed against the defendant, "one of the leading insurance brokerage, risk management, and HR & benefits consulting companies in the world." The plaintiffs in this action allege that a number of the defendant's clients provided the defendant with the plaintiffs' personally identifiable information ("PII") and protected health information ("PHI"), without the plaintiffs' knowledge or consent. According to the complaint, the defendant was struck by a cyberattack beginning in June 2020, only discovering the attack on September 26, 2020. The company allegedly did not begin notifying plaintiffs of the breach, however, until more than nine months later, in July 2021. Over the next six months, the company provided almost weekly reports to the state Attorney General, which included an increasing number of individuals affected, beginning with only 1,825 Washington residents in its initial July 13, 2021 report, and cumulating in 72,835 affected by December 6, 2021. Plaintiffs seek damages claiming that the PII and PHI are likely to appear on the dark web, and the class members were harmed by the significant delay in notifying the affected class members.
III. Notable 2022 Trends in Biometric Privacy Litigation
From a broader perspective, there are several areas of activity in BIPA class action litigation that are worth keeping an eye on as we head into the second quarter of 2022.
Voiceprints, Take II: One noteworthy trend that has developed since the start of the year is an increased volume of BIPA class action filings targeting voice biometric technologies. Voice biometrics (also known as a "voiceprint") relies on the analysis of unique voice patterns to identify or verify individuals' identities. In other words, this is the use of biological characteristics-one's voice-to verify an individual's identity. Voiceprints can be distinguished from general voice data, which merely captures a person's voice without analyzing the components of the voice and/or generating a voiceprint for the purpose of verification or identification. While voiceprints fall under BIPA's scope, courts have held that general voice data does not, with the important dividing line being the identifying quality of the identifier or other biometric information.
In mid-2021, a wave of lawsuits was filed targeting voice-powered technologies-including a high-profile suit involving McDonalds' drive-thru voice assistants, which SPB team member Kristin Bryan covered extensively in CPW articles here, here, and here-the majority of this litigation fell flat because the technology at issue ultimately did not involve voiceprints, but rather tech that merely captured or used individuals' voice data. It appears that enterprising plaintiffs' attorneys have again turned their attention to voice data in 2022, with one main difference. This time around, these BIPA class actions are focusing narrowly on voice data that is used specifically for time and attendance purposes. Because timekeeping necessarily involves the verification of individuals' identities, there is a reasonable likelihood that this round of filings may be different than 2021, where the majority of suits were dismissed within a short period of time after they were filed.
Additional Uses of Facial Recognition: Similarly, there has also been a wave of new BIPA filings focused on targeting timekeeping systems that utilize facial recognition software. While facial biometrics has long been one of the most popular targets for BIPA class actions, in the timekeeping context these actions have traditionally been confined to the use of fingerprint time and attendance systems. That is no longer the case in 2022.
Facial Recognition Cameras Used for Vehicle Monitoring: Facial recognition-powered cameras used to monitor vehicle fleets and their drivers has also emerged as a new favorite target for BIPA class actions. Transportation companies are increasingly relying on facial recognition cameras to analyze video collected from cameras mounted on the interior windshields of vehicles in their fleets to monitor driver activity and protect these companies against losses from vehicle accidents. The AI technology that is used by these facial recognition cameras allows for the monitoring of external variables such as cars and road signs. More importantly, this AI tech allows the devices to continually monitor and classify their drivers' status, including whether they are being attentive at the wheel.
According to recently-filed suits, these cameras also collect drivers' facial data and analyze it to detect certain types of driver behavior, like distracted or drowsy driving, then uses a built-in cellular data link to upload the video, biometrics, and other data to the company's servers. While these suits allege that these cameras scan drivers' facial geometry-which, if true, would bring these cameras within the scope of BIPA-it is uncertain whether this technology actually satisfies the definition of "facial recognition" under the law. Importantly, this trend illustrates the complex compliance decisions that arise when attempting to mitigate BIPA liability exposure in connection with new and advanced technologies where courts have not clearly addressed whether they fall under the scope of Illinois' biometric privacy law-and the need to consult with experienced biometric privacy counsel before rolling out any new type of biometric- or AI-related technology to ensure legal risks are addressed to the greatest extent possible.
IV. Recent Significant Decisions in Biometric and AI Privacy Litigation
Several significant decisions concerning biometric and AI litigation have been handed down in Q1 2022. Below, we highlight a few of these decisions as potential trends for 2022 litigation.
BIPA & Personal Jurisdiction: As noted above, BIPA provides a cause of action for Illinois residents who believe their biometric information has been obtained or disclosed without consent. One recent decision confirmed, though, that even suits brought by Illinois residents do not automatically signify that there is personal jurisdiction, and a plaintiff or putative class members may not be a sufficient connection to Illinois.
In Gutierrez v. Wemagine.ai LLP, 2022 U.S. Dist. LEXIS 14831 (N.D. Ill. Jan. 26, 2022), Plaintiffs claimed that defendant's app obtained and disseminated the biometric information of its users without their written consent in violation of BIPA, but defendant was a Canadian company and its only contacts with IL were app downloads in the state. Defendant moved to dismiss for lack of personal jurisdiction, which the court granted, finding that defendant had not "targeted" the forum of Illinois (such as through marketing or sales). While this is consistent with what many other courts have found with respect to personal jurisdiction, it sets an important precedent in the BIPA context that, without more, a plaintiff and/or putative class members are not a sufficient connection to Illinois for the purposes of BIPA - personal jurisdiction must still be proper and comport with due process. It is also a reminder to entities sued under BIPA to thoroughly examine whether personal jurisdiction is proper and to emphatically litigate the issue if it is not. This may explain the choice of venue in Stein v. Clarifai, Inc., and may suggest that more BIPA claims will be filed in out-of-state courts going forward.
BIPA Preemption: In a continuation from a 2021 trend, one often-raised defense to a BIPA suit is that the BIPA claims are preempted by a federal or Illinois state statute. Three recent decisions continue to demonstrate the strength of this complete liability defense in BIPA litigation.
Federal Litigation: Just recently, an Illinois federal court in Kislov v. Am. Airlines, Inc., No. 17 CV 9080, 2022 U.S. Dist. LEXIS 50481 (N.D. Ill. Mar. 22, 2022), dismissed a BIPA class action against airline giant American Airlines arising out of the company's use of integrated voice response ("IVR") software into its customer service hotline. IRV is the "robot voice" that a caller hears when calling a customer support hotline. Of note, the software also collects, stores, and analyzes callers' voiceprints to understand and predict callers' requests and track interactions with callers over time. According to the plaintiffs, American Airlines deployed this voiceprint technology without providing customers notice or obtaining their consent in violation of BIPA. The airline moved to dismiss the action, arguing that the suit was preempted by the Airline Deregulation Act ("ADA"). The court agreed, finding that American Airlines' use of the IVR software was covered under the ADA's preemption provision because it concerned the services the airline provided to customers.
Kislov is by no means the first BIPA action to be dismissed based on a successful preemption challenge. Federal courts have dismissed a number of BIPA class actions on preemption grounds under the Railway Labor Act ("RLA") and § 301 of the Labor Management Relations Act ("LMRA"). Significantly, however, both the RLA and the LMRA apply in the context of unionized employment relationships. Kislov is noteworthy because it demonstrates that the preemption defense is not limited to employers in BIPA litigation, but can also be deployed in a much broader range of contexts, including to defeat biometric privacy class actions filed by customers or other consumers.
State: An Illinois appellate court recently confirmed that federal law may preempt BIPA in certain circumstances. In Walton v. Roosevelt Univ., 2022 Ill. App. LEXIS 83 (Ill. Ct. App. Feb. 22, 2022), Plaintiff, who belonged to a union, filed suit seeking damages from his employer for alleged BIPA violations, including collection, storage, use, and dissemination of his biometric data, as well as disclosure to a third party payroll service. Defendant employer moved to dismiss on the grounds that Plaintiff's claims were preempted because he was covered by a collective bargaining agreement, and the Court agreed. It found that, while Plaintiff and other members of the putative class who were unionized employees were not prohibited from seeking redress, the collective bargaining agreement required them to seek it through the grievance procedures laid out in the agreement. Subsequently, the Court expressly found that BIPA "claims asserted by bargaining unit employees covered by a collective bargaining agreement are preempted under federal law."
On the other hand, a landmark ruling from the Illinois Supreme Court held that BIPA was not preempted by the Illinois Workers' Compensation Act. In McDonald v. Symphony Bronzeville Park, 2022 Ill. LEXIS 194 (Ill. Feb. 3, 2022), the Illinois Supreme Court found that the Illinois Workers' Compensation Act does not preempt BIPA claims, and, as such, an employer may be subject to liability for damages claims under BIPA as well as liability under the workers' compensation framework. Employees of a nursing home had sued, alleging violations of their rights under BIPA based on the employer's practice of scanning employees' fingerprints as a means of timekeeping. The employer argued that employees could not seek damages under BIPA because the violation had occurred at work, and so plaintiffs' exclusive remedy was to seek compensation under the Workers' Compensation Act. The Illinois Supreme Court disagreed, finding that violations of BIPA are not a "compensable injury" under the state Workers' Compensation Act because whether an injury is compensable depends both on where the injury occurred and the nature of the injury, and other compensable injuries under the statute differed greatly from the "personal and societal injuries" under BIPA.
With the first quarter just about wrapped up, 2022 is promising to be an exciting year in AI and biometric data litigation. As the year continues, be sure to stay tuned; CPW will be your go-to source to stay on the forefront of all new developments in real time.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.