On May 5, 2020, the Seventh Circuit held that violations of the section 15(b) disclosure and informed consent provisions of the Illinois Biometric Information Privacy Act, 740 ILCS 14/1 et seq. (“BIPA”) constitute “an invasion of personal rights that is both concrete and particularized” for the purposes of establishing Article III standing to sue in federal courts.  However, the Seventh Circuit also held that the alleged harms associated with violations of section 15(a) of BIPA were insufficient to establish Article III standing.  Section 15(a) mandates public disclosure of a retention schedule and guidelines for permanent destruction of collected biometric information.

Covington has previously discussed developments in BIPA litigation, which has proliferated in recent years with the advancement of relevant technologies.  The increase in BIPA litigation has been accompanied by a rise in disputes over the nature of the harm required to sustain an action, both in state and federal courts.  Although this issue was seemingly resolved at the state-level by the Illinois Supreme Court’s 2019 Rosenbach decision, federal courts have continued to grapple with the issue for the purposes of Article III standing.
Continue Reading Seventh Circuit Rules on Article III Standing Issues in Illinois BIPA Lawsuit, Allowing Case to Proceed in Federal Court

On May 16, 2017, Governor Jay Inslee signed into law H.B. 1493—Washington’s first statute governing how individuals and non-government entities collect, use, and retain “biometric identifiers,” as defined in the statute.  The law prohibits any “person” from “enroll[ing] a biometric identifier in a database for a commercial purpose, without first providing notice, obtaining consent, or providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose.”  It also places restrictions on the sale, lease, and other disclosure of enrolled biometric identifiers.  With the new law, Washington has become only the third state after Illinois and Texas to enact legislation that regulates business activities related to biometric information.  Although the three laws seek to provide similar consumer protections around the collection, use, and retention of biometric data, the Washington law defines the content and activity it regulates in different terms, and, similar to Texas, but unlike Illinois, the Washington law does not provide a private right of action.

The Washington statute, as compared to existing biometrics laws, is notable for its definition of “biometric identifier.”   In the law, a “biometric identifier” is “data generated by automatic measurements of an individual’s biological characteristics,” including “fingerprints, voiceprints, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual.”  Washington’s definition of “biometric identifier” may be broader than that in the Texas statute, but Washington’s definition does not specifically provide for a “scan of hand or face geometry,” as is the case in the Illinois statute.  Washington’s definition of “biometric identifiers” specifically excludes “physical or digital photograph, video or audio recording or data generated therefrom” (in addition to certain health-related data), suggesting the statute will have limited application in the context of facial recognition technology.
Continue Reading Washington Becomes the Third State with a Biometric Law

California is the latest state to enact legislation restricting the circumstances under which employers or schools can demand access to employees’ or students’ personal social media accounts.

California Gov. Jerry Brown signed two bills into law on Sept. 27.  The first, A.B. 1844, bars employers from requiring or requesting that employees or job applicants disclose personal social media usernames or passwords, access personal social media accounts in the employer’s presence, or otherwise “[d]ivulge any personal social media.” Employers are barred from firing or otherwise retaliating against anyone who refuses to comply with a request that is prohibited under the law. Employers may require employees to disclose information needed to access employer-issued devices and may request access to personal social media the employer reasonably believes is relevant to a misconduct investigation.

S.B. 1349 creates parallel protections for students, prospective students and student groups at public and private colleges and universities.


Continue Reading New California Laws Restrict Employer, College Access to Personal Social-Media Content

Late last month — in a decision that seems to have been largely overlooked in the privacy trade press — a federal judge in Illinois held [PDF] that the Wiretap Act did not prohibit the interception of communications sent over unsecured Wi-Fi networks provided by hotels, restaurants, coffee shops and other commercial entities.  The decision came in a case, In re Innovatio Ventures, LLC Patent Litigation, that does not involve an alleged violation of the Wiretap Act.  Rather (as its name suggests), In re Innovatio is an infringement suit in which Innovatio has accused various commercial entities that provide Wi-Fi to their customers of violating its patents in Wi-Fi technology.  To gather evidence about the defendants’ alleged infringing uses, Innovatio has used “commercially available Wi-Fi network analyzers” to “intercept data packets that are travelling . . . between the Wi-Fi router[s] provided by [the Defendants] and any devices that may be communicating with [the routers].”  Innovatio apparently grew concerned that its activities violated the Wiretap Act and sought a preliminary ruling on the admissibility of the evidence it obtains through its “proposed sniffing protocol.”


Continue Reading Court Holds Interception of Unsecured Wi-Fi Communications Does Not Violate the Wiretap Act

On August 1, Illinois became the second state in the country to prohibit employers from requesting or requiring employees to provide their passwords for social networking accounts.  As reported in this blog, Maryland adopted similar legislation in April.  The bill (HB 3782) was signed into law by Illinois Governor Pat Quinn and will become

Rep. Eliot Engel (D-NY) recently introduced a bill in the U.S. House of Representatives that would prohibit employers from requiring current and prospective employees to disclose website usernames, passwords, and other online content.  The Social Networking Online Protection Act (SNOPA), H.R. 5050, also would apply to students at colleges, universities, and K-12 schools, and impose

Lawmakers in Maryland and Illinois have introduced bills that would prohibit employers from requiring job applicants or employees to grant access to their social networking accounts.  The bills arose from reports that employers have impliedly or explicitly required access to social networking accounts as a condition of hiring or employment.

A few bills have been

As we’ve previously noted (here and here), California and Illinois recently enacted amendments to their data security breach notification laws.  The amendments took effect this week. 

California’s changes are the more notable.  For example, businesses that are required by California’s breach notice statute to notify more than 500 California residents now must also notify

The Illinois legislature has passed a bill that would require data owners to include specific information in a letter notifying an Illinois resident of a data breach affecting that resident’s personal information.  The bill, which still must be signed by Governor Pat Quinn, would require notice letters to include “(i) the toll-free numbers and addresses