Class Actions Quarterly Update: Biometric Privacy Claims Not Barred by Illinois Workers’ Compensation Act

Class actions brought under the Illinois Biometric Information Privacy Act (BIPA) continue to trend upward in favor of plaintiffs. Enacted in 2008, BIPA regulates the collection, use, storage, retention, and destruction of biometric identifiers and information. A biometric identifier is a physically unique characteristic used to identify an individual, including a fingerprint, voiceprint, face geometry scan, or eye or hand scan.

In January 2019, the Illinois Supreme Court held in Rosenbach v. Six Flags Ent. Corp. that individuals can pursue statutory damages for technical violations of BIPA even when no actual harm is alleged or sustained. The decision opened the door for increased BIPA class actions, many of which target employers that use biometric technology (typically fingerprints) for timekeeping purposes.

Companies facing BIPA class actions have raised a variety of defenses (most notably standing) with little success. Preemption under the Illinois Workers’ Compensation Act (IWCA) is now the latest defense to be rejected. In McDonald v. Symphony Bronzville Park LLC, the defendants moved to dismiss a BIPA class action complaint based upon the exclusivity of the IWCA, which generally provides the sole means for an employee to recover against an employer for a work-related injury. In September 2020, an Illinois appellate court ruled in favor of the plaintiffs, concluding that an employee’s claim for statutory damages under BIPA is not the type of injury that is compensable under the IWCA. McDonald represents the first appellate decision in Illinois on IWCA preemption, following the lead of several federal district courts denying the same defense earlier this year.

CCPA Class Actions Push the Limits of Consumers’ Right to Sue 

Litigation is just getting started under the California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020. The landmark privacy law grants consumers new rights regarding their personal information, including the right to know what information businesses collect from them, the right to opt-out of disclosure of their data to third parties, and the right to access and request deletion of their data.

The CCPA includes a narrow private right of action that allows consumers to bring suit only when sensitive personal information is exposed due to a business’s failure to maintain reasonable data security measures. Violations of other consumer rights enumerated in the CCPA are subject to enforcement only by the California Attorney General’s Office. These limitations, taken together, are widely understood to mean that consumers can only sue after a data breach. 

Dozens of data breach class actions filed in California this year have featured claims under the CCPA. However, as we previously reported, some plaintiffs have attempted to invoke the CCPA even where no data breach has occurred. The trend has continued in the absence of any reported decisions construing the CCPA’s private right of action.

For example, in McCoy v. Alphabet, Inc., which was filed in the Northern District of California on August 5, 2020, the plaintiffs asserted CCPA violations based upon allegations that Google failed to disclose adequately the data it collects from Android smartphone users. Google filed a motion to dismiss on September 30, 2020, which is pending. Likewise, in L.P. v. Shutterfly Inc., filed in the Northern District of California on July 23, 2020, a group of minor plaintiffs and their guardians claim the popular online photo service failed to comply with the CCPA’s notice, opt-out, and deletion requirements. Until the courts rule on the scope of the CCPA’s private right of action, business will continue to face questionable class action claims by plaintiffs seeking to take advantage of a perceived ambiguity in the law.

New Proposed Federal Privacy Bill

In September 2020, data privacy regulation was back in the national spotlight when a group of Republican senators proposed federal privacy legislation called the “Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act” (the SAFE DATA ACT). Most notably, the proposed law would preempt state data privacy and data security laws, with the exception of breach notification laws. In addition, the SAFE DATA Act would be subject to civil enforcement only by state attorneys general and the Federal Trade Commission. The bill does not offer a private right of action for consumers. These two key issues – preemption and the right to sue – continue to divide lawmakers on partisan lines

Contacts

Continue Reading