Businesses have gained limited new advantages in maintaining compliance with Illinois’ Biometrics Privacy Act.Following a recent state appeals court decision
Apple believes that biometric authentication is a no-brainer because customers voluntarily use optional features such as Touch ID and Face ID, and the data is stored locally on their devices, and the company did not collect or store that data on a separate server. Exempted from liability under information privacy laws. The court issued its ruling in late December. Therefore, Apple did not own or control your data. This may have triggered state biometric privacy requirements.
Apple’s win comes on the heels of several lawsuits in which plaintiffs successfully allege companies violated BIPA by improperly collecting and storing data such as facial scans and fingerprints. I was.
The latest appeals court opinion adds to the growing pool of precedent providing guidance to companies offering products or services that collect biometric data, defense attorneys said. , they said, were limited by the factual nature of the case.
David Oberly, biometric privacy attorney at Squire Patton Boggs, said the decision was “informative and the best tool defenses can use to assess whether something falls under BIPA.” .
This is particularly useful, Oberly said, because the courts are edging out defense arguments in BIPA cases and broadly interpreting the statute in favor of plaintiffs.
“With BIPA, there are so many legal uncertainties at this point that I cannot say with 100% certainty that its use will not result in a class action lawsuit,” he said.
Narrowing the scope of BIPA
In this case, Apple user David Barnett announced in June 2021 that the company owned, and therefore controlled, BIPA-protected data, but did not first obtain the necessary consumer consent, It has filed a proposed class action lawsuit against the company, alleging it did not provide users with copies of the data it needed. retention policy.
The court’s explanation of why some of the facts alleged in the lawsuit do not violate BIPA can be used in advising companies on compliance with the law, defense counsel said.
Plaintiffs equated Apple’s “product with the company,” Judge Oden Johnson wrote for the unanimous three-member panel. According to the opinion, Apple does not own or control users’ biometric data, and they remain confined to users’ devices rather than being stored on the company’s servers.
Ken Suh, Locke Lord’s senior counsel on privacy matters, said the court’s conclusion builds on previous BIPA rulings that ruled out unusual interpretations of what is considered property under the law.
“You need to be specific about how your rights have been allegedly infringed, which service or product,” Suh said. “If it’s a company, what part of the company? To be able to track some kind of position, you have to identify them.”
Another key factor in the Illinois commission’s decision was the optional nature of using Apple’s biometric feature, which didn’t require the device to be unlocked, Suh said. increase.
Users voluntarily choose to use the facial and fingerprint scanning feature, must complete a multi-step process to obtain biometrics on their device, and can delete saved scans at any time. the opinion said.
The ruling also noted that some of the plaintiffs’ allegations derived from the federal court’s ruling did not meet the Illinois standard for alleging facts in the complaint.
State standards require a more specific assertion of a claim than the relatively lenient notification standards used in federal courts.
“As a result of this difference, we have found some of the federal actions cited by plaintiffs to be unconvincing,” Johnson wrote.
This point adds to the factors that defense attorneys may consider when deciding whether to hold a BIPA case in state court or move it to federal court, but it does not outweigh other strategic considerations. is not.
“There is a notion among attorneys that federal courts may have an advantage in certain respects, but as you know, we always advise our clients that there are no such clear-cut rules. increase.
Given the tenuous arguments linking Apple to BIPA violations, the outcome of the lawsuit isn’t surprising, and Apple is one of the few companies doing the right thing with biometric data, plaintiff Edelson said. Eli Wade-Scott, lead class action practice for PC, said.
“The introduction of this kind of ‘stretch suit’ distracts from the real privacy issues facing the country, both inside and outside of Apple,” said Wade-Scott.
Opinions serve as a useful model for compliance attorneys, but their scope is limited to cases with similar fact patterns, said commercial litigation attorney Molly McGinley of Honigman LLP.
Squire Patton Boggs’ Oberly said virtual try-on technology litigation is an area of BIPA litigation where defendants may seek to infer the doctrine of the decision. Consumers voluntarily choose to collect biometric data with tools confined to their computers and phones, he said.
But if the Illinois Supreme Court decides to take up the issue, an appeal-level decision may be short-lived.
“While this decision is binding in District 1, as you know, it may not be the final answer to this question. I don’t know,” she said.