February 21, 2023
Illinois Supreme Court Favors Plaintiff on New BIPA Ruling
The Illinois Supreme Court has made it clear that companies that fail to adhere strictly to the Illinois Biometric Information Privacy Act (BIPA), the state's significant biometric law, could face substantial damages. On February 17, 2023, the court decided that, under the law, damages will accumulate every time data is unlawfully obtained and shared, rather than only the first time, a result that is expected to lead to more litigation.
BIPA regulates the collection, use, and retention of biometric information. To collect such information, private entities must first provide notice to individuals and then obtain written consent for the collection of their biometric information from either the individual themselves or their authorized legal representative.
In a recent ruling, the court voted 4-3 in favor of the plaintiff. According to the statute's plain language, a new scan is acquired every time an employee's fingerprint is scanned and stored in the scanner's database. The defense argued that requiring informed consent for each scan would lead to an absurd outcome. The plaintiff, on the other hand, claimed that a single consent would be sufficient as long as the company's collection and disclosure practices remained unchanged. The key difference is that if a company fails to obtain informed consent initially, a violation of BIPA will occur every time they collect a scan without consent.
New Health Breach Notification Rule of the Federal Trade Commission
On February 1, the Federal Trade Commission (FTC) announced a first-of-its-kind proposed order (the “Order”) enforcing its Health Breach Notification Rule. This includes the failure to notify of a breach of consumers' personal health information.
The order includes a $1.5 million civil penalty for violating the Rule for the healthcare entity’s disclosures of “sensitive personal health information” to Facebook, Google, Criteo, and other website tracking, marketing, and advertising vendors since at least 2017. Specifically, the FTC alleges that the healthcare entity in question shared personal health information with Facebook and Instagram to target ads and allowed third parties to use personal health information for their own purposes, including internal research, product development, and advertising improvements, among other alleged violations of FTC’s requirements.
With the new order, a penalty of $1.5 million is being imposed on the healthcare entity for breaking the Rule by disclosing "sensitive personal health information" to various website tracking, marketing, and advertising vendors such as Facebook, Google, and Criteo, dating back to 2017 or earlier. According to the FTC, the healthcare entity shared personal health information with Facebook and Instagram to facilitate targeted ads and enabled third-party entities to utilize personal health information for various purposes, including internal research, product development, and advertising improvements. These actions are among the alleged violations of the FTC's regulations.
InfiniGlobe is a full-service consulting and software company. Our team of experts has 20+ years of industry experience working with top corporate legal departments and law firms. Contact us at info@infiniglobe.com or at (833) LGL-TECH.