While the emergence of biometric technology in the workplace is not a new phenomenon, employers being sued for utilizing this technology is a new trend. Over the past three months, more than 30 class action lawsuits have been filed in Illinois state and federal courts against employers that use timeclocks that scan an employee’s fingerprint, retina, or iris to clock employees into and out of work (“biometric timeclocks”).1 The lawsuits allege violations of Illinois’ Biometric Information Privacy Act (“BIPA”), which governs the collection, use, and disclosure of biometric data2 by entities in Illinois.
By its own terms, BIPA was designed to regulate the security, storage and handling of biometric data in “biometric-facilitated transactions” which, when the law was enacted in 2008, were becoming more prevalent.3 The class action lawsuits currently being filed against employers do not allege that employees’ biometric data has been unlawfully disclosed, sold or stored in an unsecure manner.4 Instead, the actions focus on employers’ alleged non-compliance with BIPA’s notice and consent requirements; specifically: (1) the employer allegedly failed to provide its employees with written notice that the biometric timeclock would collect their biometric data, and to explain the purpose for the collection, how the biometric data would be stored, and how long it would be retained; and (2) the employer did not obtain employees’ prior, written consent to the collection and use of their biometric data.
BIPA’s requirements of prior notice and consent potentially are an obstacle to employers filing motions to dismiss these actions for failure to state a claim under BIPA, because employees typically will allege lack of notice and consent. However, when these actions are filed in federal court (or removed to federal court), they are susceptible to attack through a motion to dismiss for a lack of standing.
A recent Second Circuit decision affirming the dismissal of a class action lawsuit alleging violations of BIPA’s notice and consent requirements provides a roadmap to obtaining this result in similar cases. Thus, employers that implemented biometric timeclocks without giving notice to, or obtaining consent from, employees as required by BIPA are not necessarily “dead in the water” when swept up in the current wave of class action filings.
The Second Circuit’s Ruling in Vigil v. Take-Two Interactive Software, Inc.5
The case centered on a videogame feature (“MyPlayer feature”) that allowed players to scan their faces and create a personalized avatar, exclusively for in-game play. The named plaintiffs filed a class action against the game’s maker, Take-Two, alleging many of the same types of claims that are currently being asserted against employers that use biometric timeclocks. Specifically, the plaintiffs alleged that Take-Two failed to (1) provide adequate written notice under BIPA; (2) provide a written retention schedule and guidelines for permanently destroying the scans of users’ faces; and (3) obtain users’ written consent before scanning their faces. The district court dismissed the case, with prejudice, noting that these “bare procedural violations” of BIPA were insufficient to confer standing on the plaintiffs.6
On November 21, 2017, the Second Circuit affirmed, in an unpublished “summary order,” the district court’s dismissal of the plaintiffs’ BIPA claims based on a lack of standing. Although the Second Circuit’s opinion has limited precedential value, it offers guidance for employers defending class actions in federal court that allege violations of BIPA’s notice and consent requirements. Here are two key takeaways:
- Allegations That An Employer Failed To Provide Proper Notice Or Obtain Written Consent, Without Allegations Of A Resulting Material Risk Of Harm To The Employee, Are Insufficient To Maintain A BIPA Action In Federal Court.
In Spokeo v. Robins,7 the U.S. Supreme Court held “a plaintiff does not automatically satisfy the injury-in-fact requirement whenever a statute grants a right and purports to authorize a suit to vindicate it,” and therefore a plaintiff cannot “allege a bare procedural violation” that is “divorced from any concrete harm” and maintain standing to sue.8 Consistent with this analysis, the Second Circuit in Vigil first established that “BIPA’s purpose is to prevent the unauthorized use, collection or disclosure of an individual’s biometric data.” Based on this, the court concluded that the plaintiffs’ claims that Take-Two failed to provide proper notice and obtain users’ consent prior to collecting their biometric data amounted to “bare procedural violations” that did not establish a material risk that plaintiffs’ biometric data would be used or disclosed without their consent.
a. Failure to Provide Proper Notice
Central to the Second Circuit’s finding was the fact that the plaintiffs were notified that their biometric data would be collected. Before scanning users’ biometric data, the MyPlayer feature provided the following notification:
Your face scan will be visible to you and others you play with and may be recorded or screen captured during gameplay. By proceeding you agree and consent to such uses and other uses pursuant to the End User License Agreement.9
Therefore, the plaintiffs’ claim was tantamount to an allegation that they were not given a notice that tracked the language used in BIPA, and satisfied each of BIPA’s notice requirements, including providing a retention schedule. The Second Circuit ruled that this claim failed because plaintiffs did not plead a material risk of harm resulting from the technical violation.
b. Failure to Obtain Consent
The Second Circuit similarly rejected plaintiffs’ claim that Take-Two’s failure to obtain their written consent prior to collecting their biometric data conferred standing. The court noted that when using the MyPlayer feature, the plaintiffs had to “place their faces within 6 to 12 inches of the camera, slowly turn their heads to the left and to the right, and do so for approximately 15 minutes” in order for their face to be scanned. The court held that “no reasonable person” would fail to understand that their face was being scanned, and plaintiffs could not credibly assert that they would have withheld their consent had Take-Two provided a BIPA-compliant notice.
c. Application to Employers With Biometric Timeclocks
The Second Circuit’s finding that a failure to provide proper notice and obtain written consent did not create a material risk of harm is equally applicable to employers with biometric timeclocks. To be sure, in 2016 an Illinois federal court made the same point when granting a motion to dismiss a BIPA action filed against an entity that provided storage lockers that could be opened / locked with a user’s fingerprint.10 Similar to the Second Circuit in Vigil, the court in that case ruled that the defendant’s failure to provide notice and obtain written consent from a user did not create a material risk of harm.
In light of this case law, employers defending BIPA actions alleging a failure to provide prior notice of, and obtain consent to, collection of biometric data using a biometric timeclock should consider taking at least the following two steps. First, they should identify any form of notice provided to employees even if the notice did not meet all of BIPA’s specific requirements. Second, they should analyze the technology used to collect biometric data to determine whether the technology itself effectively notified employees that their biometric data was being collected.
- General Allegations That An Employee’s Biometric Data Collected By A Biometric Timeclock Is Not Being Stored In Accordance With BIPA’s Data Security Requirements Will Not Establish A Material Risk Of Harm Sufficient To Confer Standing.
The Second Circuit also addressed plaintiffs’ claim that Take-Two had violated BIPA’s requirement that an entity in possession of biometric data store and transmit the data: (1) using the “reasonable standard of care within the private entity’s industry”; and (2) in a manner that is the same or more protective than the manner in which other confidential information is stored.11 Plaintiffs claimed Take-Two violated these provisions by transmitting the scans of their faces “via the open, commercial Internet, and not a secure network” and by storing the plaintiffs’ face templates “in a manner that associates their identity with their biometric data.”
The court ruled that these broad allegations were insufficient to “show a risk of real harm” necessary to confer standing. Consistent with the U.S. Supreme Court’s holding in Clapper v. Amnesty Int’l USA,12 in which the Court expressed its “reluctance to endorse standing theories that rest on speculation about the decisions of independent actors,”13 the Second Circuit held that without allegations establishing that Take-Two’s alleged violations of BIPA’s data security requirements had “raised a material risk that [the plaintiffs’] biometric data will be improperly accessed by third parties,” the plaintiffs’ allegations were an insufficient basis for a BIPA claim. Accordingly, employees’ speculative allegations of potential security risks to their biometric data cannot save a federal court BIPA class action that is based on a failure to provide proper notice and/or obtain written consent.
The Second Circuit’s ruling in Vigil provides a potential roadmap of arguments for employers forced to fend off BIPA class actions based on a failure to provide notice and obtain consent. As more BIPA actions are removed from state court to federal court, employers should expect to see additional rulings from courts offering guidance in this area.