BIPA Claims Against United Airlines Must be Arbitrated Due to Collective Bargaining Agreement
Posted on September 5, 2018
Last month a federal district court dismissed a putative class action lawsuit against United Airlines challenging its use of fingerprint scanning timeclocks. The lawsuit brought by United employee David Johnson alleged that the company’s collection and use of employees’ fingerprints violated the Illinois Biometric Information Privacy Act (BIPA) because the company failed to get the requisite consent from its employees for fingerprint collection and use.
In dismissing the lawsuit, the court found it lacked federal jurisdiction to resolve the dispute on two grounds. In the first instance, the court observed that the federal Railway Labor Act (RLA) creates a mandatory and exclusive arbitration process for resolving labor disputes that require interpretation of a collective bargaining agreement (CBA). The CBA between United and its employees gave United the “sole and exclusive right to manage, operate, and maintain the efficiency” of the workplace. Therefore, any resolution of Plaintiff’s challenge under BIPA of United’s collection and use of fingerprints as part of its timekeeping technology necessarily requires interpretation of the scope of the CBA. And, thus, “[b]ecause there is no way for the Plaintiff to pursue a BIPA claim without interpreting the existing CBA,” the court concluded that its resolution of Plaintiff’s BIPA claim was preempted by the RLA’s mandatory arbitration requirement, and that the court lacked jurisdiction to decide the claim.
In the second instance, echoing two other recent federal BIPA cases, the court concluded that violation of BIPA’s notice and consent requirement alone is not adequate injury to establish standing to sue in federal court under Article III of the U.S. Constitution. The court found that a lack of consent, while a technical violation of the statute, does not itself alone increase the risk of disclosure that could result in injury or harm to the individual. Absent any actual compromise of the biometric information, or an increased risk of such compromise, there was no injury-in-fact, and thus no federal jurisdiction. While the court’s ruling in this regard continues the trend of other federal courts, it’s worth noting that standing to sue in Illinois state court is unaffected by these decisions. Whether a plaintiff or class action may succeed in state court based upon a mere technical violation of BIPA’s requirements—without more— remains an open question the Illinois Supreme Court is expected to answer in its next session.
PUTTING IT INTO PRACTICE: Companies negotiating collective bargaining agreements should be aware that the right language may allow for resolution of many labor disputes, including disputes arising under BIPA, through mandatory arbitration rather than through the courts. When collecting and using biometric information, companies should continue to pay attention to BIPA’s requirements regarding consent, notice, and disclosure because although federal courts have dismissed suits predicated only on mere technical violations of the statute, other avenues of recourse may still be available to plaintiffs in state court and via arbitration.
Vermont Is First Mover Regulating Data Brokers
Posted on July 16, 2018
Vermont recently enacted a data broker security law, one of the first of its kind. The law, which went into in May, requires data brokers to develop and implement a comprehensive security program. The program needs to include administrative and technical safeguards to protect personal information. Data brokers are defined as businesses that collect and sell or license data about consumers with whom the business does not have a direct relationship.
Programs need to have at least one employee that maintains it, and the program should identify and evaluate potential risks. Data brokers must also have security policies in place, which policies include disciplinary action for non-compliance. They must also, under the law, monitor and document both the program and security breaches. The law includes a variety of technical standards to which a comprehensive security program must adhere. This is very similar to the program set forth in the FTC’s BLU settlement we reported on recently.
                 Eye on Privacy 2018 Year in Review 6