Tanning salon used fingerprint access control, did no harm, but failed to obtain written consent
The Illinois Biometric Information Privacy Act was enacted way back in 2008 and is still considered the country’s most stringent oversight of corporate use of biometrics. On Dec. 1, the first settlement or judgment in a case filed under the law occurred. A class action group that sued L.A. Tan, a tanning salon franchise that used fingerprint biometrics for member access to facilities, will receive $1.5 million via the settlement.
The case did not involve a breach or nefarious use of the biometric data, but rather only required that L.A. Tan had not obtained written consent to use the biometric
The payout is just $125 per individual salon member, but the ramifications for the biometrics industry and companies that seek efficient and secure access control options are far more substantial.
The nature of the case did not involve a breach or nefarious use of the biometric data, but rather under the law only required that L.A. Tan had not properly informed its members and obtained written consent to use the biometric.
The Illinois law states:
“No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person’s or a customer’s biometric identifier or biometric information, unless it first:
- informs the subject … in writing that a biometric … is being collected or stored;
- informs the subject … in writing of the specific purpose and length of term for which a biometric is being collected, stored, and used; and
- receives a written release executed by the subject …”
In an article on the settlement, Bloomberg Law interviewed the plaintiff attorney who says he expects other states to enact similar legislation in the future. He also notes that his firm has filed suit against Facebook over its use of facial recognition technology, and Snapchat has also been sued under the Illinois law.
In August, an Illinois federal district judge dismissed a case filed against Smarte Carte for its failure to obtain consent from users of fingerprint-enabled lockers in a Chicago train station. According to the IllinoisPolicy.org, the judge cited lack of harm as the reason for dismissal suggesting that the Biometric Privacy Act might require more than just lack of consent to merit judgment.
The judge referred to the Supreme Court’s May 2016 ruling in Spokeo vs. Robins, likely giving hope to biometric industry advocates. The Spokeo ruling held that a man who sued a search engine for publishing false information about him failed to show actual harm and thus was not entitled to compensation.
This requirement to show actual harm, it seems, is extremely contentious and far from legally concluded. Thus, we will likely see more of these biometric-related cases and laws.
Read the Illinois Biometric Information Privacy Act online.