LA Tan settles case under Illinois privacy law for $1.5M

L.A. Tan has settled a class action lawsuit in which plaintiffs alleged the company stored customers’ fingerprint data in violation of Illinois’ Biometric Information Privacy Act, or BIPA. Whether this settlement opens the gates to a flood of BIPA litigation remains to be seen.

On Dec. 1, a Cook County Circuit Court judge entered an order approving the settlement of the case Sekura v. L.A. Tan, in which a class of tanning salon customers sued under Illinois’ Biometric Information Privacy Act, or BIPA, over L.A. Tan’s storage and handling of customer fingerprint data, according to Bloomberg Law.

This outcome is reassuring for anyone concerned about the handling of private information like facial-recognition data and fingerprints, but it also could signal a flood of similar lawsuits to come.

The plaintiffs in the L.A. Tan case alleged that the company, which used customers’ fingerprint scans in lieu of key fobs for tanning membership ID purposes, violated the BIPA by failing to obtain the customers’ written consent to use the fingerprint data and by not disclosing to customers the company’s plans for storing the data or destroying it in the event a tanning customer terminated her salon membership or a franchise closed. The plaintiffs did not claim L.A. Tan illegally sold or lost customers’ fingerprint data, just that it did not handle the data as carefully as the BIPA requires.

How Illinois’ Biometric Information Privacy Act works

The Illinois General Assembly passed the BIPA in 2008 to regulate private entities’ collection, use and storage of biometric data. The BIPA includes as “biometric information” data derived from a “biometric identifier” such as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”

Illinois’ BIPA makes it illegal for a private entity to obtain a person’s biometric identifier or information, unless the entity first informs the person in writing and discloses the specific purpose and length of time for which the data is being collected, stored or used. The entity must then obtain written consent from the person to use or store the biometric information.

The act further requires the party in possession of the data to protect the security of the information.

Under the BIPA, Illinoisans “aggrieved” by violations of the act have the right to sue private parties for violations of the act and to collect the greater of $1,000 or actual damages for each violation negligently committed, and the greater of $5,000 or actual damages for each violation recklessly or intentionally committed.

L.A. Tan settlement in context of other BIPA cases

Pursuant to the settlement, L.A. Tan will establish a $1.5 million fund from which the plaintiffs will each receive a check for $125. L.A. Tan will also establish procedures for complying with the BIPA’s requirements or will destroy all the fingerprint data it has collected from its customers, according to Bloomberg Law.

Although media outlets have described the L.A. Tan case as the first settlement under the BIPA, parties reached a settlement in another BIPA-related case, Norberg v. Shutterfly, in 2016, according to the Chicago Tribune. The plaintiff in the case against Shutterfly alleged that the online photo site used facial-recognition software that measures a person’s unique facial geometry (e.g., the distance between a person’s eyes, nose and ears) to allow the plaintiff’s photo to be identified and marked with his name without his consent. Although a federal district judge in Chicago ruled in January that the Shutterfly case could proceed, the parties settled for an undisclosed amount in April.

The L.A. Tan settlement, and the Shutterfly settlement before it, have occurred against the backdrop of a class action BIPA case that is pending against Facebook in federal district court in California. In the Facebook case, plaintiffs sued over Facebook’s “tag suggestions” program, which uses facial-recognition technology to identify people in photographs. Facebook filed a motion to dismiss the case in June, saying that, under the requirements of the U.S. Supreme Court’s May decision in Spokeo v. Robins, the plaintiffs had failed to allege they suffered any actual harm from Facebook’s tagging program, as opposed to merely alleging a statutory violation. The court has not yet ruled on Facebook’s motion to dismiss.

Implications of L.A. Tan settlement

Whether the L.A. Tan settlement will open the gates to a flood of multimillion-dollar settlements and verdicts, or whether such claims are reined in by courts requiring more proof of actual harm, may depend in part on the outcome of the Facebook case.

An exceedingly pro-plaintiff litigation climate can drive professionals and businesses out of a state. For example, a 2010 study by the Northwestern University School of Medicine found that half of Illinois’ medical school graduates leave the state due in part to its “toxic medical malpractice environment.” And Madison County, Ill., has established a reputation as a “judicial hellhole” for being the nation’s asbestos litigation capital. Illinois policy makers may want to avoid giving companies yet another reason to balk at doing business in the state. Thus, in the event of a big uptick in litigation – or in anticipation of one – Illinois lawmakers might seek to limit companies’ liability under the BIPA by excluding, at a minimum, some photo-related images from the BIPA. This was the idea behind an amendment proposed, and then withdrawn, by Illinois state Sen. Terry Link, D-Waukegan, in May.

BIPA liability and the importance and value of biometric information are relatively new areas of concern, and much uncertainty surrounds these matters. As the parameters of the law are still unsettled, attorneys have advised businesses to carefully protect biometric information in their possession and to obtain adequate consent before storing or using such data to avoid privacy litigation. It remains to be seen what burdens the uncertainty and threat of BIPA litigation will ultimately impose on businesses, or what additional hassles and extra costs will be passed on to consumers. And no one knows yet whether the BIPA’s requirements will adequately protect people’s biometric information, or just how critical such protection might be.