Biometric Data Privacy
Biometric data privacy is slowly but surely becoming the next battleground
in U.S. privacy law. While there is currently a lack of federal legislation regulating the collection and use of biometric data, an increasing number of states have taken it upon themselves to protect their citizens, Illinois being the leading example.1
Moreover, litigation relating to biometric data is on the rise. Recently, a class action lawsuit was filed against TikTok for failing to inform its users that it was collecting biometric data.2 Even though most cases are filed in Illinois due to its unique privacy law, the rest of the states are following suit by enacting legislation addressing biometric data privacy. Therefore, it is important that attorneys familiarize themselves with this type of data and the claims associated with it.
Biometric data is any data that relates to human features and is used in a variety of ways to establish an individual’s identity.3 Some examples of biometric data include iris scans, fingerprints, and facial recognition.4 Biometric data is not like a password or social security number—it is immutable and cannot be changed. This makes it highly sensitive information and companies must use heightened caution when collecting and storing it. For example, if a company uses facial recognition to verify the identity of its users, and there is a data breach, there is no way that the person whose data has been compromised can change their face to restore security.
As the use of biometric data becomes more and more prevalent, states are beginning to recognize that legislation is necessary to address the specific risks associated with this type of sensitive data. Illinois was the first state to enact legislation aimed at biometric data when it passed the Biometric Information Privacy Act (BIPA) in 2008.5. BIPA requires entities to inform individuals in writing that biometric data will be collected, how it will be collected, and for what that data will be used. An entity is prohibited from using any biometric data it collects without obtaining a written release from the individual.6 BIPA also prohibits entities from profiting off of biometric data, although dissemination of such data is not entirely prohibited.7
BIPA allows an entity to disseminate biometric data under a limited number of circumstances.8 Disclosure is permissible if the individual gives consent, the disclosure is required by law, or the information is disseminated pursuant to a valid search warrant.9. BIPA also requires entities to use the reasonable standard of care of the respective private industry to store the information, as well as using more caution for biometric data storage than other types of data internally.10
BIPA is unique, because it gives any individual plaintiff standing to sue for a violation.11 It also provides that an individual plaintiff is entitled to the greater of liquidated damages or actual damages based on recklessness or negligence, reasonable attorney’s fees, and other relief, such as an injunction, if the court sees fit.12 This provision of BIPA has allowed many lawsuits to proceed against entities using biometric privacy data.13 Two hundred cases were filed in the state of Illinois from 2018 to 2019 alone, and that number is sure to rise in 2020.14 Futhermore, these class actions can lead to large settlements. For example, Facebook recently agreed to pay $550 million to Illinois users who had alleged in a class action lawsuit that the platform was unlawfully collecting biometric data.15
Other states are following suit. Washington16 and Texas17 have enacted legislation that prevents capturing or selling biometric information without consent or unless required by law. California’s Consumer Privacy Act (CCPA)18 went into effect this year and includes biometric data in its definition of personal information. The CCPA requires that entities provide notice of data being collected and that they specify if the data is being sold or disclosed to third parties.19 A unique feature of the CCPA is that it requires entities to give consumers the ability to choose to opt out of their data being collected, request access to their data and also request that their data be deleted. New York also recently amended its laws dealing with hacking and electronic surveillance.20 These are only a few examples of states that are taking biometric data privacy seriously. As consumers become increasingly aware of what biometric data is and how it should not be used, the number of lawsuits and states legislating to address these issues is likely to rise.
Copyright Trolling Still on the Rise
Celebrities continue to be targeted by photo agencies claiming copyright infringement for posting photos of themselves on social media. Some recent targets have been Kendall Jenner,21 Katy Perry,22 Gigi Hadid,23 and Justin Bieber,24 all for posting photos of themselves on Instagram. Kendall Jenner’s case is pending and Justin Bieber seems to have settled out of court, while Katy Perry’s case is in process. Katy Perry was sued by Back-Grid USA for posting a paparazzi photo of herself dressed as Hillary Clinton at a Halloween Party in 2016 on her Instagram page. The main arguments raised in the motion to dismiss were fair use and that the photo was an unau- thorized derivative work. The motion was not granted, and the case will proceed to trial; however, U.S. District Judge Andre Birotte Jr. strongly urged the parties to reach a settlement, emphasizing that this case would needlessly take up the valuable time and resources of the court.25 Although it is rare, it is not impossible to defeat a copyright claim in this context. For example, a lawsuit against Gigi Hadid was recently dismissed because the photo agency suing her had not adequately registered the copyright of the photo at issue.26
Practice Note: Attorney’s Fees Clauses
Under the “American Rule,” attorney’s fees may not be collected from the losing party by the winning party unless an award is authorized by express agreement between the parties, any applicable state statute or court order. The simplest way of ensuring payment of attorney’s fees is to include in the agreement between the parties an attorney’s fees clause. In California, attorney’s fees are not recoverable unless there is an attorneys’ fees clause in the agreement, or required by law or by statue.27 New York also follows the American Rule.28 For lawyers practicing in any state, it is good practice to utilize these clauses in agreements in the event that a dispute between the parties occurs, as often the availability of attorneys’ fees will determine whether taking on a case is worthwhile. Many entertainment companies refuse such clauses, figuring that a plaintiff will not want to risk the expense if there is no such clause.
Good practice requires any attorney to advise clients entering into transactions of the pros and cons of such clauses. Similarly, in copyright infringement actions, attorneys’ fees can be awarded to the prevailing party.29 Failure to advise a client of the risks arguably could be malpractice.
Beware of Arbitrator Partiality: Monster Energy Co. v. City Beverages, LLC
The Ninth Circuit recently vacated a final arbitration award in favor of Monster Energy Co. in its dispute with City Beverages, LLC because of the arbitrator’s failure to disclose his ownership interest in JAMS.30 Although the arbitrator had disclosed that he had an overall interest in the financial success of JAMS, the omission of his ownership interest in addition to the volume of business between JAMS and Monster in the past five years31 was enough to demonstrate that the arbitrator had not acted impartially. While the ABA has stated that the decision likely will not have much of an effect beyond JAMS adjusting its disclosure policies,32 it is a reminder to approach arbitration with caution and to ensure prior to the commencement of proceedings that the arbitrator chosen by the parties is properly vetted. The Supreme Court denied Monster’s writ of certiorari.33
1. Natalie A. Prescott, The Anatomy of Biometric Laws: What U.S. Companies Need to Know in 2020, The National Law Review (Jan. 15, 2020), https://www.natlawreview.com/article/anatomy- biometric-laws-what-us-companies-need-to-know-2020 (last visited May 29, 2020); Status of Internet Privacy Legislation by State, American Civil Liberties Union, https://www.aclu.org/issues/ privacy-technology/internet-privacy/status-internet-privacy- legislation-state (last visited May 29, 2020).
2. This lawsuit was filed in California, but alleges a violation of the Illinois law and is seeking class certification. M.E. v. TikTok, Inc., Docket No. 4:20-cv-03555 (N.D. Cal. May 27, 2020).
3. Milone, Information Security Law, § 1.01.
5. Biometric Information Privacy Act, 740 ILCS § 14, http://www. ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57
6. 740 ILCS § 15(a)-(b). 7. 740 ILCS § 15(c).
8. 740 ILCS § 15(d).
9. See id.
10. 740 ILCS § 15(e).
11. 740 ILCS § 20.
12. 740 ILCS § 20(1)-(2). 13. Prescott, supra, note 1.
14. Natalie A. Prescott, The Anatomy of Biometric Laws: What U.S. Companies Need to Know in 2020, The National Law Review (Jan. 15, 2020), https://www.natlawreview.com/article/anatomy- biometric-laws-what-us-companies-need-to-know-2020 (last visited May 29, 2020).
15. Natasha Singer & Mike Isaac, Facebook to Pay $550 Million to Settle Facial Recognition Suit, N.Y. Times (Jan. 29, 2020), https://www. nytimes.com/2020/01/29/technology/facebook-privacy-lawsuit- earnings.html
16. Wash. Rev. Code Ann. § 19.375.020.
17. Tex. Bus. & Com. Code § 503.001.
18. California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100-199.
19. Danielle Ochs, The Latest on California’s Approach to Biometrics in the Workplace, The National Law Review (October 10, 2019), https://www.natlawreview.com/article/latest-california-s- approach-to-biometrics-workplace (last visited May 29, 2020).
20. Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), 2017 Bill Text NY S.B. 6933, https://legislation.nysenate.gov/ pdf/bills/2019/S5575B. See also Prescott, supra note 8.
Angela Ma v. Kendall Jenner, Inc., Docket No. 2:20-cv-03011 (C.D. Cal. Mar 31, 2020).
BackGrid USA, Inc. v. Katheryn Hudson, Docket No. 2:19-cv-09309 (C.D. Cal. Oct 29, 2019).
Xclusive-Lee, Inc. v. Hadid, No. 19-CV-520 (PKC) (CLP), 2019 U.S. Dist. LEXIS 119868, at *10 (E.D.N.Y. July 18, 2019).
Barbera v. Justin Bieber Brands LLC, Docket No. 1:19-cv-09532 (S.D.N.Y. Oct 16, 2019).
Order Denying Motion to Dismiss at 1, BackGrid USA, Inc. v. Katheryn Hudson (No. 2:19-cv-09309).
Xclusive-Lee, Inc., supra, note 23.
Cal. Civ. Proc. Code § 1033.5(a)(10).
Krodel v. Amalgamated Dwellings, Inc., 88 N.Y.S.3d 31 (2018).
17 U.S.C. § 505.
30. Monster Energy Co. v. City Beverages, LLC, No. 17-55813 (9th Cir. 2019).
31. 97 arbitrations for Monster in the past five years.
32. https://www.americanbar.org/groups/litigation/committees/ alternative-dispute-resolution/practice/2020/ninth-circuits-new- disclosure-rules-for-owner-neutral/.
33. Monster Energy Co. v. City Beverages LLC, No. 19-1333, 2020 WL 3492685, at *1 (U.S. June 29, 2020).
Neville L. Johnson and Douglas L. Johnson are partners at Johnson & Johnson LLP, in Beverly Hills, CA, practicing entertainment, media, business and class action litigation. Suna Izgi, a third-year law student
at Southwestern Law School, is a law clerk there who helped write this article.