Illinois

In a new post on the Inside Class Actions blog, our colleagues discuss a new Illinois federal court decision, Gregg v. Cent. Transp. LLC, 2024 WL 4766297, at *3 (N.D. Ill. Nov. 13, 2024), which holds that the state’s recent amendment to its Biometric Information Privacy Act capping

Continue Reading Illinois Federal Court Rules BIPA Single-Violation Amendment Applies Retroactively

On August 2, 2024, Illinois’ governor signed into law S.B. 2979, a significant amendment to the Illinois Biometric Information Privacy Act (BIPA). The law states that an entity that, in more than one instance, obtains the same biometric identifier or biometric information from the same person using the same method of collection in violation of BIPA’s notice and consent requirement has committed a single violation. As a result, each aggrieved person is entitled to, at most, one recovery for a single collective violation.Continue Reading Illinois Enacts BIPA Amendment Limiting Violation Accrual

On Thursday, the Illinois Supreme Court unanimously ruled in McDonald v. Symphony Bronzeville Park LLC that the exclusivity provisions of the state’s workers’ compensation statute do not preclude liquidated damages claims under the Biometric Information Privacy Act.  The decision narrows the defenses available to employers facing employment-related BIPA claims.

Illinois’s Workers’ Compensation Act generally provides the exclusive means by which an employee can recover against an employer for a work-related injury and requires such claims to be adjudicated before the Illinois Workers’ Compensation Commission, subject to several exceptions.  One of those exceptions is for injuries that are not compensable under the Workers’ Compensation Act.  At issue in McDonald was whether an alleged employment-based BIPA violation—here, the alleged use of a fingerprint-based timekeeping system without the required disclosures or consent—was the type of injury covered by the Workers’ Compensation Act.
Continue Reading Illinois Supreme Court Rules Workers’ Compensation Act Does Not Bar BIPA Liquidated Damages Claims

On May 5, 2020, the Seventh Circuit held that violations of the section 15(b) disclosure and informed consent provisions of the Illinois Biometric Information Privacy Act, 740 ILCS 14/1 et seq. (“BIPA”) constitute “an invasion of personal rights that is both concrete and particularized” for the purposes of establishing Article III standing to sue in federal courts.  However, the Seventh Circuit also held that the alleged harms associated with violations of section 15(a) of BIPA were insufficient to establish Article III standing.  Section 15(a) mandates public disclosure of a retention schedule and guidelines for permanent destruction of collected biometric information.

Covington has previously discussed developments in BIPA litigation, which has proliferated in recent years with the advancement of relevant technologies.  The increase in BIPA litigation has been accompanied by a rise in disputes over the nature of the harm required to sustain an action, both in state and federal courts.  Although this issue was seemingly resolved at the state-level by the Illinois Supreme Court’s 2019 Rosenbach decision, federal courts have continued to grapple with the issue for the purposes of Article III standing.
Continue Reading Seventh Circuit Rules on Article III Standing Issues in Illinois BIPA Lawsuit, Allowing Case to Proceed in Federal Court

On May 16, 2017, Governor Jay Inslee signed into law H.B. 1493—Washington’s first statute governing how individuals and non-government entities collect, use, and retain “biometric identifiers,” as defined in the statute.  The law prohibits any “person” from “enroll[ing] a biometric identifier in a database for a commercial purpose, without first providing notice, obtaining consent, or providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose.”  It also places restrictions on the sale, lease, and other disclosure of enrolled biometric identifiers.  With the new law, Washington has become only the third state after Illinois and Texas to enact legislation that regulates business activities related to biometric information.  Although the three laws seek to provide similar consumer protections around the collection, use, and retention of biometric data, the Washington law defines the content and activity it regulates in different terms, and, similar to Texas, but unlike Illinois, the Washington law does not provide a private right of action.

The Washington statute, as compared to existing biometrics laws, is notable for its definition of “biometric identifier.”   In the law, a “biometric identifier” is “data generated by automatic measurements of an individual’s biological characteristics,” including “fingerprints, voiceprints, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual.”  Washington’s definition of “biometric identifier” may be broader than that in the Texas statute, but Washington’s definition does not specifically provide for a “scan of hand or face geometry,” as is the case in the Illinois statute.  Washington’s definition of “biometric identifiers” specifically excludes “physical or digital photograph, video or audio recording or data generated therefrom” (in addition to certain health-related data), suggesting the statute will have limited application in the context of facial recognition technology.
Continue Reading Washington Becomes the Third State with a Biometric Law

California is the latest state to enact legislation restricting the circumstances under which employers or schools can demand access to employees’ or students’ personal social media accounts.

California Gov. Jerry Brown signed two bills into law on Sept. 27.  The first, A.B. 1844, bars employers from requiring or requesting that employees or job applicants disclose personal social media usernames or passwords, access personal social media accounts in the employer’s presence, or otherwise “[d]ivulge any personal social media.” Employers are barred from firing or otherwise retaliating against anyone who refuses to comply with a request that is prohibited under the law. Employers may require employees to disclose information needed to access employer-issued devices and may request access to personal social media the employer reasonably believes is relevant to a misconduct investigation.

S.B. 1349 creates parallel protections for students, prospective students and student groups at public and private colleges and universities.Continue Reading New California Laws Restrict Employer, College Access to Personal Social-Media Content

Late last month — in a decision that seems to have been largely overlooked in the privacy trade press — a federal judge in Illinois held [PDF] that the Wiretap Act did not prohibit the interception of communications sent over unsecured Wi-Fi networks provided by hotels, restaurants, coffee shops and other commercial entities.  The decision came in a case, In re Innovatio Ventures, LLC Patent Litigation, that does not involve an alleged violation of the Wiretap Act.  Rather (as its name suggests), In re Innovatio is an infringement suit in which Innovatio has accused various commercial entities that provide Wi-Fi to their customers of violating its patents in Wi-Fi technology.  To gather evidence about the defendants’ alleged infringing uses, Innovatio has used “commercially available Wi-Fi network analyzers” to “intercept data packets that are travelling . . . between the Wi-Fi router[s] provided by [the Defendants] and any devices that may be communicating with [the routers].”  Innovatio apparently grew concerned that its activities violated the Wiretap Act and sought a preliminary ruling on the admissibility of the evidence it obtains through its “proposed sniffing protocol.”Continue Reading Court Holds Interception of Unsecured Wi-Fi Communications Does Not Violate the Wiretap Act

On August 1, Illinois became the second state in the country to prohibit employers from requesting or requiring employees to provide their passwords for social networking accounts.  As reported in this blog, Maryland adopted similar legislation in April.  The bill (HB 3782) was signed into law by Illinois Governor

Continue Reading Illinois Prohibits Employers from Requesting Employees’ Social Networking Passwords

Rep. Eliot Engel (D-NY) recently introduced a bill in the U.S. House of Representatives that would prohibit employers from requiring current and prospective employees to disclose website usernames, passwords, and other online content.  The Social Networking Online Protection Act (SNOPA), H.R. 5050, also would apply to students at colleges, universities

Continue Reading Rep. Engel Introduces Federal Bill to Limit Access to Social Networking Accounts

Lawmakers in Maryland and Illinois have introduced bills that would prohibit employers from requiring job applicants or employees to grant access to their social networking accounts.  The bills arose from reports that employers have impliedly or explicitly required access to social networking accounts as a condition of hiring or employment.

Continue Reading Maryland and Illinois Introduce Bills to Limit Employer Access to Employees’ Social Networking Accounts