Illinois State Court Issues First Settlement under Biometric Law

On December 1, 2016, the Cook County Circuit Court in Illinois approved what is being reported as the first settlement under the state’s Biometric Information Privacy Act, 740 ILCS 14/1 (BIPA or the Act). BIPA provides a private right of action against companies that fail to satisfy certain requirements for the collection, retention, and destruction of biometric information, and is an example of the broader form of state legislation in this area. BIPA defines biometric information as any information based on an individual’s biometric identifier, including iris scans, fingerprints, voiceprints, or scans of hand or face geometry. The Act requires companies to obtain consent before collecting such information and to develop a written policy establishing a retention schedule and guidelines for destruction. This recent settlement demonstrates that, despite its breadth, BIPA and similar state laws could overcome significant enforceability hurdles.

In Sekura v. L.A. Tan, a class of tanning salon customers alleged that L.A. Tan Enterprises Inc. (L.A. Tan), which used fingerprint scanning technology rather than key fobs for membership, violated BIPA by failing to obtain prior written consent to collect this biometric information. The complaint further alleged that L.A. Tan failed to provide customers with a policy on how the information would be retained and ultimately destroyed. In a $1.5 million settlement, each class member will receive $125, and L.A. Tan will institute processes to comply with BIPA or destroy all biometric information within its possession.

As technology that collects biometric information continues to spread through cell phone applications and social media websites, such as most smartphones’ fingerprint unlocking ability and Snapchat Inc.’s facial template feature, companies face greater risk of similar class action litigation. Although there currently is no specific federal law that imposes requirements for the collection, retention, and destruction of biometric data, a few states have enacted legislation in this space, and companies can expect more to follow in the future. Texas’ own biometric law, Texas Business and Commerce Code Annotated, § 503.001, imposes notice and consent requirements for collecting biometric information similar to those of the Illinois BIPA. Further, these state laws can impose liability for data practices beyond the loss of information due to a security breach. Indeed, the plaintiffs in Sekura alleged that L.A. Tan did not treat the data as carefully as BIPA requires, not that there was a data breach involving the biometric information. Companies that use biometric information in their everyday practices should be vigilant in establishing written policies for the handling of such data and in obtaining prior consent when required.

AMA Adopts Principles to Support Mobile Health Applications

The AMA has adopted a set of principles to more effectively integrate the use of mobile health applications (mHealth apps) and devices into everyday clinical practice. While many have touted the potential health benefits of mHealth apps and digital devices, the AMA also raises concerns about the potential health and safety risks that these apps can pose to patients, as well as privacy and security risks. Accordingly, the AMA has prescribed the following set of principles to support the use of mHealth apps and devices, which should:

  • Support the establishment or continuation of a valid patient-physician relationship;
  • Have a clinical evidence base to support their use in order to ensure mHealth app safety and effectiveness;
  • Follow evidence-based practice guidelines, to the degree they are available, to ensure patient safety, quality of care and positive health outcomes;
  • Support care delivery that is patient-centered, promotes care coordination and facilitates team-based communication;
  • Support data portability and interoperability in order to promote care coordination through medical home and accountable care models;
  • Abide by state licensure laws and state medical practice laws and requirements in the state in which the patient receives services facilitated by the app;
  • Require that physicians and other health practitioners delivering services through the app be licensed in the state where the patient receives services, or be providing these services as otherwise authorized by that state’s medical board; and
  • Ensure that the delivery of any services via the app be consistent with state scope of practice laws.

The AMA acknowledges that the growth of health technology through the use of mHealth apps and devices will increase risk to patient privacy and data security, including the risk of data breaches. Given the lack of regulation of these apps, the AMA advises physicians to alert patients to the potential privacy and security risks of any mHealth apps they recommend and to document the patient’s understanding of these risks. The AMA also advises physicians to consult with legal counsel to ensure that mHealth apps and devices meet privacy and security laws.

As physicians increasingly incorporate digital health tools such as mHealth apps into their practice and their advice to patients, the AMA clearly needs to demonstrate a willingness to adapt to such innovation while reconciling some of its long-held positions on the roles of physicians, licensure laws, and the need for evidence, all of which are reflected in its principles. It is interesting that the AMA steered clear of including privacy and security recommendations in its principles, but still felt the need to raise concerns and offer advice to physicians with respect to data protection.

Ecuador Debates Enactment of Data Privacy Law Prior to February Election

Ecuador’s National Assembly has begun debates over a proposed national data privacy law that would regulate the public and private use of personal information and unify the disparate data protection requirements found in various laws in the country. The proposed law is among many that President Rafael Correa is pushing to have approved prior to the general elections on February 19, 2017. The stated objective of the law is “to protect and guarantee the rights of all people to privacy in the treatment of personal data in databases or archives, in physical or digital format, in public or private entities.” The law establishes rights for the data subject regarding the collection, use, and destruction of personal information, specifically requiring consent prior to collecting such data. However, if enacted, the proposed law would also create a government-controlled database containing personal information, with which companies would be required to register. It would further create the National Authority for Personal Data Protection to oversee compliance with the law’s requirements.

Though most critics recognize the importance of establishing unified guidelines and principles to protect personal data, their larger concern with this proposed legislation is that it would give the government of Ecuador a strong interventionist role and sweeping powers over data generally. These requirements would be imposed on multinational companies doing business in Ecuador or engaging in international data transfers. Accordingly, critics of the proposed law argue that the requirement to register with a database under the government’s control could discourage foreign investment in the country.