Are laws that govern how companies store and handle biometric data, such as fingerprints, the next frontier for the plaintiff’s bar?
Possibly, although it’s still early days.
On Thursday, a judge in Cook County Circuit Court in Chicago issued final approval for a $1.5 million settlement between L.A. Tan Enterprises Inc. and a class of the franchise’s customers who claim it failed to properly handle their biometric information. Biometric data refers to fingerprints, DNA and other often physiological characteristics that can be used to identify a human being.
Lawyers from the firm Edelson say it is the first settlement reached under Illinois’ Biometric Information Privacy Act, which requires companies to gain consent before collecting a person’s biometric data.
In the case, Sekura v. L.A. Tan , Edelson’s Ben Richman represented a class of the tanning salon’s customers. According to the suit, the franchise L.A. Tan used fingerprint scanning technology rather than a key fob to identify its customers in a membership database. The lawsuit claimed L.A. Tan failed to obtain written consent from customers to use this data, or provide information about how it would store their biometric data and when, if ever, that data might be destroyed if customers dropped their membership, the franchise closed or other circumstances arose.
Richman said that the suit did not accuse L.A. Tan of doing anything nefarious or losing or selling its customers’ biometric fingerprint data. Rather, the company did not treat the data as carefully as the law requires, the suit claimed.
“That type of information is incredibly sensitive,” he said. “You can get a new social security card if it’s stolen, but you can’t go get a new fingerprint or a new face. This information was incredibly sensitive and it should be treated as such.”
L.A. Tan’s attorney Paul G. Karlsgodt, of Baker & McKenzie, was not available for comment.
Richman said there is still a suit pending against an owner of an individual L.A. Tan franchise outlet.
Under the settlement, L.A. Tan will use the $1.5 million fund to provide each class member who filed a claim with a check for $125, and also will put processes in place to comply with the Illinois statute or destroy all biometric data it still holds.
The consequences of losing biometric data are not yet totally clear. In 2015, hackers breached the federal government’s Office of Personnel Management and stole the fingerprints of 5.6 million government employees. Bruce Schneier, a cyber security expert and Fellow at Harvard’s Berkman Center, wrote a blog post in which he tried to imagine what this theft may mean in the future:
“5.6 million US government employees need to remember that someone, somewhere, has their fingerprints. And we really don’t know the future value of this data. If, in twenty years, we routinely use our fingerprints at ATM machines, that fingerprint database will become very profitable to criminals. If fingerprints start being used on our computers to authorize our access to files and data, that database will become very profitable to spies.”
Although many states have passed laws barring companies from collecting biometric data from minors in an educational setting, Richman said Illinois is unique in that it passed a biometric law that allows for private citizens to sue companies that collect their data without consent and notification. Texas has also passed a law related to how companies must handle biometric data, but it only allows state prosecutors to sue, he said.
“I wouldn’t be surprised if we see other state legislatures focus on this sort of thing,” Richman said.
This July, the social media company Snapchat was sued under the Illinois law for allegedly collecting biometric information without user consent although the company denied the claims.
Only a dozen lawsuits have been brought under the Illinois law, according to Richman. His firm has also filed suits against Facebook related to the way its facial recognition algorithm suggests users tag people in photos. The suits, which are pending in federal court in Northern California, accuse Facebook of failing to notify users that their facial recognition software was collecting biometric data.
Biometric technology is becoming more common as biometric technology proliferates in applications such as fingerprint scanning technology in smart phones, voice recognition and retina scanning. Richman suggested there could be more suits on the horizon if companies are not careful about how they handle such data.
“Whether something nefarious is actually going on in the data, everyday there’s a new hack here or there,” he said, “and once that information is out there and compromised, there’s no going back.”