NY Daily Record Since 1908
Lawrence Bice
Have a hankering for that midday Snickers bar, but left your wallet at home? No problem. The vending machine in your office lobby will gladly accept your fingerprint as proof of payment. Left your fingerprint at home too? Well then, you’ve probably got a bigger problem on your hands than how to get at that Snickers.
All kidding aside, if you have not yet encountered one of these vending machines, they do exist. You see, we are living in a world where “biometric identifiers” are increasingly used to validate the identity of individuals, even for the most prosaic of transactions. Your fingerprint, your face, even how you smell apparently (ew?), are all unique to you. So what better way to confirm that Snickers purchase was made by you than through use of these unique biometric identifiers?
If you think this all sounds too easy, you would be right. Biometric data is not just any data. It’s different. For instance, when your social security number is compromised, in a data breach let’s say, you can get a new one. Your face, your fingerprint, your signature smell — not so easy. Recognizing that an individual’s unique biometric data is indeed different, a small but growing number of states have passed legislation specifically to address various aspects of its collection, storage and use, including New York, Texas, Washington, California and Arkansas.
One state leads the pack. Illinois was among the first to pass comprehensive biometric legislation in 2008 with the Biometric Information Privacy Act (BIPA). Unlike biometric legislation passed by most other states, including New York’s Shield Act, BIPA provides for a private right of action: $1,000 in liquidated damages for each negligent violation and $5,000 in liquidated damages for each willful or reckless violation, plus injunctive relief and actual damages in excess of liquidated damages. BIPA protections extend to the following categories of biometric identifiers: a retina or iris scan; fingerprint; voiceprint; or scan of hand or face geometry.
Although BIPA has been around since 2008, courts continue to grapple with how to interpret it. A fundamental question is whether a plaintiff who alleges a violation of their rights under BIPA must also allege they have suffered an actual injury. As discussed below, in two recent BIPA cases, courts held that plaintiffs who alleged only a violation of BIPA and no actual injuries had standing to sue.
In Rosenbach v. Six Flags Entertainment, 129 N.E.3d 1197 (Ill. 2019), Stacy Rosenbach’s 14-year-old son Alexander visited Six Flags on a school fieldtrip. In advance of the fieldtrip, Alexander had purchased a season pass. To complete the application for the season pass, Six Flags scanned Alexander’s thumbprint into its biometric data capture system during his visit to the park. Six Flags collected Alexander’s thumbprint as a means to validate his identity whenever he presented his pass for entry.
Ms. Rosenbach discovered after the fact that Six Flags had collected her son’s thumbprint and she was not pleased. She sued Six Flags as an “aggrieved” party under BIPA, alleging that Six Flags: (1) failed to inform Rosenbach in writing that it was collecting her son’s thumbprint; (2) failed to inform Rosenbach in writing of the specific purpose and length of time for which her son’s thumbprint had been collected; and (3) failed to obtain from Rosenbach a written release for collection of her son’s thumbprint. Six Flags argued that Rosenbach was not “aggrieved” because she had not alleged any actual or threatened injury, only violations of BIPA. Therefore, according to Six Flags, Rosenbach lacked standing to sue. The Appellate Court of Illinois agreed.
The Supreme Court of Illinois reversed. It held that Rosenbach was in fact “aggrieved” and had standing to sue based solely on Six Flags’ alleged BIPA violations. Rosenbach did not need to allege actual or threatened injuries. It rejected the appellate court’s characterization of Six Flags’ BIPA violations as merely “technical,” noting that “[w]hen a private entity fails to adhere to the statutory procedures [of BIPA] … the right of the individual to maintain his or her biometric identity vanishes into thin air.”
And now let’s talk about those biometric vending machines. In Bryant v. Compass Group USA, No. 20-1443, 2020 U.S. App. LEXIS 14256 (7th Cir. May 5, 2020), Christine Bryant’s employer installed “Smart Market” vending machines in the employee cafeteria. The vending machines, owned and operated by defendant Compass Group USA (“Compass”), did not accept cash, just fingerprints. As part of her workplace orientation, Bryant’s employer instructed her to scan her fingerprint into the “Smart Market” system. Thereafter, Bryant was able to make vending machine purchases and replenish her account all through the use of her fingerprint.
Bryant alleged several violations of BIPA by Compass, including violations of Section 15(b), when Compass, like Six Flags in Rosenbach: (1) failed to inform Bryant in writing that it was collecting and storing her fingerprint; (2) failed to inform Bryant in writing of the specific purpose and length of time for which her fingerprint had been collected; and (3) failed to obtain from Bryant a written release with respect to the collection of her fingerprint. Bryant conceded she knew her fingerprint was being collected and stored by Compass and that she voluntarily used her fingerprint to make vending machine purchases. However, Bryant nevertheless alleged that Compass’s BIPA violations denied her the opportunity to give informed written consent for Compass’s use of her fingerprint.
Defendant Compass sought to remove the case to federal court. In what the court deemed a “role reversal,” Compass, as defendant, argued that Bryant had Article III standing under the United States Constitution to sue in federal court. Bryant, who wished to remain in state court, disagreed. The question turned on whether Bryant satisfied the “concrete injury in fact” prong of the test for standing under Article III.
The Bryant court agreed with Compass that Bryant suffered a concrete injury in fact and therefore had standing to sue in federal court. Specifically, the court found that Compass’s failure to satisfy the requirements of Section 15(b) of BIPA was more than simply “a failure to satisfy a purely procedural requirement.” By failing to provide substantive information to which Bryant was entitled, Compass deprived Bryant of her ability to give informed consent to the collection of her fingerprint. Sure, Bryant had voluntarily provided her fingerprint to Compass and had regularly used her fingerprint to purchase items from the vending machine. But the court reasoned that Bryant might have chosen to do otherwise had Compass fulfilled its obligations to her under Section 15(b) of BIPA.
In both Rosenbach and Bryant, the courts found that plaintiffs had standing to bring an action for violation of Section 15(b) of BIPA. Plaintiffs did not need to allege a concrete injury, only that defendants had violated BIPA. Similar questions regarding standing are being addressed by courts across the country in a variety of data privacy contexts with respect to both biometric and non-biometric data, including actions for data breaches and actions for surreptitious collection of personal data. It will be interesting to see in the coming months and years if courts coalesce around the notion that when it comes to personal data, violations of privacy are injuries in their own right, absent a showing of actual damages.
Lawrence Bice is Senior Counsel and Director of Litigation Services at Larimer Law, PLLC and is an adjunct professor at the University at Buffalo School of Law where he and John Larimer co-teach a course on electronic discovery, privacy law and cybersecurity.
