Monthly Archives: December 2017

Actual Injury Required for Biometric Suits

** Biometric Plaintiffs Face Significant Setback in Illinois **                                                                                                                                                                                                                 

In a growing number of states, biometric information has become a new type of protected data.  This form of information has been of particular concern to legislators spurred by its adoption in everyday uses — for example, in fingerprint scanners and facial recognition technology in smart phones — and its increasing use by employers tracking and verifying their employees’ hours.  The use of biometric information poses unique privacy and security challenges, not the least of which is that — unlike other types of personal identifiers (like a PIN or Social Security Number) — biometric information is permanent and cannot be changed if it falls into the wrong hands.

Background: Illinois was the first state to enact biometric data protections.  Its Biometric Information Privacy Act (740 ILCS 14) (BIPA) passed in 2008, created a “notice and consent” regime wherein: (i) private entities may collect, use or store biometric information only after obtaining a written release by the persons whose biometric information is sought; (ii) private entities are required to notice persons in writing about the specific purposes for and the length of time during which their biometric information will be collected, used or stored; and (iii) private entities must follow notice and consent requirements before disclosing a person’s biometric information to a third party.  Under BIPA, individuals have the right to sue private party violators and recover a minimum of $1,000 for a negligent violation and $5,000 for each violation recklessly or intentionally committed. Plaintiffs may also collect attorneys’ fees and costs.  Texas passed a similar law in 2009 (Capture or Use of Biometric Identifier Act) (Bus & Com § 503.001), and in 2017, Washington state passed a biometric law (H.B. 1493).  During the 2017 legislative session, bills dealing with biometric notice and consent regimes similar to BIPA were introduced in several states, including Alaska (H.B. 72), Arizona, Connecticut (H.B. 5522), Massachusetts (H.B. 1985 ), Montana (H.B. 518), Missouri, New Hampshire (H.B. 523) and New York – but all failed to pass.  The Washington and Texas statutes only allow for enforcement by the attorney general’s office.  Accordingly, Illinois remains the only state with a biometric statute that includes a private right of action – and it is thus the only state that has so far caught the attention of the class action bar.

While the Illinois statute has been in force since 2008, it received little attention until the last two years.  In 2016 and 2017, BIPA actions were brought against companies that use facial-recognition technology, such as FacebookShutterflyGoogleSnapchat, and others, as well as companies that use fingerprint scans, such as L.A. Tan.  Employee suits have also become popular, stemming from the use of biometric information in the workplace, such as fingerprint-operated time clocks.  Hotel chain InterContinental Hotels Group, broadband company Zayo Group, and convenience store chain Speedway LLC have all been the subject of employee lawsuits under BIPA.

For the defense bar dealing with BIPA claims, two major questions have been: (i) Can a company be sued for technical violations of the Act where no damages were sustained by the plaintiffs’ class? and (ii) Does BIPA have extraterritorial application?

The first question recently received attention by the Illinois Court of Appeals.  In Rosenbach v. Six Flags Entm’t Corp., 2017 WL 6523910 (Il. Ct. App., Dec. 21, 2017), Stacy Rosenbach, whose son’s thumbprint was taken by Six Flags after he purchased a season pass for one of its Great America theme parks, sued the company for violating BIPA based on her allegation that it failed to properly obtain written consent or disclose Six Flag’s plan for the collection, storage, use or destruction of her son’s biometric identifiers or information.  Six Flags moved to dismiss, arguing that under Section 20 of BIPA any right of action is limited to a “person aggrieved,” which excludes Plaintiff because she failed to allege any actual injury.  The lower court denied the theme park company’s motion to dismiss, but later certified to the appellate court two questions relating to whether individuals “aggrieved by a violation of the act” can rely solely on alleged violations of the notice and consent requirements or whether they must allege some actual harm.  In answering these questions, the Court of Appeals held that in order to meet the definition of an aggrieved person under the statute, plaintiffs must claim some actual harm. The Court noted, “if the Illinois legislature intended to allow for a private cause of action for every technical violation of the Act, it could have omitted the word ‘aggrieved’ and stated that every violation was actionable.  A determination that a technical violation of the statute is actionable would render the word ‘aggrieved’ superfluous. Therefore, a plaintiff who alleges only a technical violation of the statute without alleging some injury or adverse effect is not an aggrieved person under section 20 of the Act.”  2017 WL 6523910 at ¶ 23. The court rejected Plaintiff’s argument that biometric privacy, itself, is a right that is injured by violation of the statute.  Id. at ¶ 20.  This decision has the potential to foreclose on scores of current BIPA class actions – specifically those that have recently been filed and are seeking statutory penalties for naked violations of BIPA without a clear nexus to any consequential harm or injury.

The second question remains unsettled. To be sure, courts appear clear that an Illinois “statute is without extraterritorial effect unless a clear intent in this respect appears from the express provisions of the statute” (Avery v. State Farm Mut. Auto. Ins. Co., 835 N.E.2d 801, 852 (2005)) and recognize that none of BIPA’s express provisions indicate that the statute was intended to have extraterritorial effect (see Monroy v. Shutterfly, Inc., No. 16 C 10984, 2017 WL 4099846, at *5 (N.D. Ill. Sept. 15, 2017) (finding that BIPA does not apply extraterritorially). But what does that mean in the internet age?  For example, in Monroy, Plaintiff was acknowledged to be a resident of Florida and Defendant Shutterfly was acknowledged to be a Delaware Corporation – but the allegations of the Complaint were that Plaintiff’s friend, located in Illinois, uploaded his photo to Shutterfly’s servers triggering the alleged biometric violation.  In those circumstances, was the Florida resident entitled to the protections of BIPA?  The federal district court could not decide, noting that it was unclear where the actual scan of plaintiff’s face geometry took place, where the scan was stored once it was obtained, and, when stored in cyberspace, how physical location is to be determined – thus finding that the ultimate answer to the extraterritorial question raised a question of fact not suited for dismissal under Rule 12.

Share this:

No Stopping Web eAccess Consumer Suits

** Web Accessibility Lawsuits Continue to Surge **                                                                                                                                                                                                              

We blogged last year about the rash of lawsuits surrounding accessibility of websites for the visually impaired – specifically suits bought under Title III’s requirement to provide “auxiliary aids and services” (42 U.S.C. § 12182(b)(2)(A)(iii); 28 C.F.R. § 36.303) for the disabled.  The litigation has not abated in 2017 — if anything reports have shown an up-tick: more ADA specific lawsuits have been filed in 2017 than 2016 and 2015 combined.

Witt the upswing in litigation, there are three questions we hear most often from website owners:

  1. Does my Website Need to be ADA Compliant?

It depends on what type of operation your website supports and where you operate (and therefore can be sued). As we blogged about in the past, the ADA applies to privates companies operating certain enumerated types of businesses deemed to be “public accommodations” (42 U.S.C. § 12181(7)).  When the ADA was enacted in the pre-internet world of 1990, the descriptions given were understandably to analog, brick-and-mortar establishments.  The Third, Fifth, Sixth, Ninth and Eleventh Circuit courts, therefore, apply the ADA only to websites that are the online version of one of these enumerated offline brick-and-mortar spaces.  The First, Second and Seventh Circuit courts apply the ADA more broadly – concluding that Title III is not intended to be stuck in time, and, therefore, a website need not have a nexus to a physical space to be a public accommodation.  So for example, Netflix, not liable for ADA compliance in one jurisdiction (Cullen v. Netflix, Inc., 600 F. App’x 508, 509 (9th Cir. 2015)), is in another (Nat’l Assoc. of the Deaf v. Netflix, Inc., 869 F. Supp. 2d 196 (D. Mass. 2012)) (see our prior post for other notable cases).  This circuit split has not yet made it to the Supreme Court for resolution.  The issue came close recently – the Supreme Court denied certiorari in Magee v. Coca-Cola Refreshments USA, Inc., 833 F.3d 530 (5th Cir. 2016).  See No. 16-668, 2017 WL 4339924 (U.S. Oct. 2, 2017).  This case concerned whether a Coca-Cola vending machine was a “sales establishment” under 42 U.S.C. § 12181.  The trial court and the Fifth Circuit Court of Appeals held that “establishment” denotes a “physical space” and that under the Act only the owner, lessor or operator of the physical space is liable.  Because Coca-Cola did not own, lease or operate the space, it was not liable.  While not directly dealing with an online seller, had certiorari been granted, the Supreme Court would have been required to weigh in on  the “physical space” issue that underlies the circuit split on the applicability of the ADA to websites.  That did not happen, and so the uncertainty remains.  Notably, Congressional action to amend the ADA to deal with this conflict is not on the radar.  Therefore, given the circuit split,, there is a risk of inaction.  While certain business in certain jurisdictions may be safe, the nature of borderless online commerce means those boundaries are porous.

  1. What Does my Website Need to do to be ADA Compliant?

Because there are no specific regulations on point, businesses with websites have the worst of both worlds: mandates without rules.

There are industry groups that offer some guidance.  For example, the World Wide Web Consortium (W3C) is an international body that develops open standards and guidelines for web developers – it outlines design options to make a website accessible such as providing links to definitions, removing time limits for activities, providing spoken word versions of text, and ensuring keyboard control for all website functions. W3C’s most recent standard is published as the Web Content Accessibility Guidelines (WCAG) 2.1 level AA Guidelines (WCAG 2.1).  In a recent case, these industry guidelines were adopted as a de facto standard.  In this case (which we believe to be the first to go to trial on these ADA web issues), the court looked at the lack of accessibility of supermarket chain Winn-Dixie’s website, finding the company violated the ADA.  Gil v. Winn-Dixie Stores, Inc., 257 F. Supp. 3d 1340, 1350 (S.D. Fla. 2017).  The court did not have difficulty determining whether Winn-Dixie’s website passed muster – because Winn-Dixie had not implemented any particular disability modifications.  (To be fair, it had set aside hundreds of thousands of dollars to make its website accessible – but the project had not been completed).  What is notable about the court’s decision was its willingness to adopt the WCAG guidelines. Indeed, in its order on injunctive relief, the court required that Winn-Dixie “adopt and implement a Web Accessibility Policy which ensures that its website conforms with the WCAG 2.0 criteria.”  257 F. Supp. 3d 1340, 1351.  A website owner can take some comfort that, at least in the eyes of one district court, complying with WCAG presents a defensible case that its site is ADA compliant – even absent a specific regulatory scheme.

  1. Should I wait for the DOJ to Issue Guidance Before Acting?

To quote the noted legal commentator, Dirty Harry, “You could ask yourself a question: ‘Do I feel lucky?’”  As we observed in the past, the Department of Justice issued an Advanced Notice of Proposed Rulemaking (“ANPRM”) on Accessibility of Web Information and Services of State and Local Government Entities and Public Accommodations that presumably would articulate specific requirements and technical standards for website accessibility.  75 Fed. Reg. 43,460 (July 26, 2010).  DOJ has yet to finalize this guidance, however. Instead, on May 9, 2016, DOJ issued a lengthy Supplemental ANPRM (SANPRM) for state and local government websites, and then extended the comment period.  It now appears that any rulemaking has been pushed to the backburner – web accessibility guidelines now being relegated to the Office of Information and Regulatory Affairs’ dreaded “inactive list.”

What to do in the absence of regulatory guidance? Some courts have taken from the fact that the regulatory process has begun (albeit stalled) as a signal that the primary jurisdiction doctrine prevents them from proceeding with a civil ADA web accessibility case.  Robles v. Dominos Pizza LLC, No. CV1606599SJOSPX, 2017 WL 1330216, at *8 (C.D. Cal. Mar. 20, 2017) (dismissing case).  However, more often courts have found the opposite.  In Access Now, Inc., v. Blue Apron, LLC, for example, the court found that there was no reason to believe DOJ would issue rules any time soon, and therefore, a dismissal or stay based on the primary jurisdiction doctrine was not appropriate.  No. 17-CV-116-JL, 2017 WL 5186354, at *9 (D.N.H. Nov. 8, 2017) citing Andrews v. Blick Art Materials, LLC, No. 17-CV-767, 2017 WL 3278898 (E.D.N.Y. Aug. 1, 2017) (“The court will not delay in adjudicating [plaintiff’s] claim on the off-chance the DOJ promptly issues regulations it has contemplated issuing for seven years but has yet to make significant progress on.”); see also Gorecki v. Hobby Lobby Stores, Inc., No. CV 17-1131-JFW(SKX), 2017 WL 2957736, at *1 (C.D. Cal. June 15, 2017) (denying motion to dismiss); Gorecki v. Dave & Buster’s, Inc., No. CV 17-1138 PSG (AGRx), (C.D. Cal. Oct. 10, 2017) (denying motion to dismiss).  It would be risky, indeed, to rely on the primary jurisdiction doctrine.  As we have blogged about in the past, the doctrine is inconsistently applied and often elusive.

Share this: