Business Law Today

May 2024

May 2024 in Brief: Internet Law & Cybersecurity

Juliet Marie Moringiello

Illinois Legislature Passes Bill to Amend Biometric Information Privacy Act

By Alan S. Wernick, Esq., Aronberg Goldgehn

The Illinois Biometric Information Privacy Act (“BIPA”) became effective in 2008. Alleged violations under BIPA have resulted in numerous lawsuits and defendants’ (businesses’) liability for substantial damages. On May 16, 2024, the Illinois State Legislature passed a bill, Senate Bill 2979, to amend BIPA. Assuming Illinois Governor J.B. Pritzker signs it, the BIPA amendments will take effect immediately. SB 2979 would limit BIPA damages and provide for electronic consent.

The BIPA proposed amendments in SB 2979 include:

  • A private entity that collects or discloses a person’s biometric data without consent can only be found liable for one BIPA violation per person regardless of the number of times the private entity disclosed, redisclosed, or otherwise disseminated the same biometric identifier or biometric information of the same person to the same recipient. Proposed 740 ILCS 14/20(b) and (c) modify the 740 ILCS 14/20(a) text “A prevailing party may recover for each violation....” interpreted by the courts as a “per scan” damages calculation.
  • Written consent for collection of biometric information will now include electronic signatures. 740 ILCS 14/10 (Definitions) as amended added a new definition: “electronic signature” and included it as part of a “written release.” This amendment highlights businesses’ need to review their contracts with vendors providing biometric devices. The review should include clarity of functional specifications, plus vendor warranties and indemnifications concerning the biometric device’s abilities to capture, record, and preserve electronic signatures.

It is important to note that SB 2979 does not eliminate all liabilities for violations under BIPA. Hypothetically, a business with a large number of employees or customers could still be liable for substantial damages. For example, if a business with 1,000 employees or customers for whom they collected biometric data was found to have intentionally or recklessly violated BIPA and is subject to liquidated damages of $5,000 or actual damages, then damages could be $5,000,000 (=$5,000 x 1,000) plus reasonable attorneys’ fees and costs. Of course this would be subject to the facts and the applicable law, but even with the SB 2979 BIPA amendments, BIPA violations can still result in substantial damages.

The bottom line is that the courts and the legislature will continue to have to address the tension between the 2008 Illinois legislative findings underlying BIPA and potentially excessive BIPA damages awards. This analysis should consider evolving artificial intelligence (“AI”) software’s potential to provide humanity with many benefits, but also risks, and AI’s use of biometric data (and ability to copy that biometric data). Legislators and the courts will need to consider the opportunities and risks these, and other, technologies present to society, and strive to achieve a judicial and legislative balance that will maximize the beneficial opportunities of these technologies, and contain, mitigate, or remove the risks.

© 2024 Alan S. Wernick and Aronberg Goldgehn.

For more information, please see Business Law Today’s forthcoming full-length article on this topic.

2nd Circuit Finds Subway’s Promotional Texts Are Not Illegal Autodialing

By Brian Jones, J.D. Candidate, Class of 2026, University of Chicago

In Soliman v. Subway Franchisee Advertising Fund Trust Ltd., Marina Soliman sued the sandwich chain after receiving automated texts offering promotional deals, alleging that these texts violated the federal Telephone Consumer Protection Act. The TCPA makes it illegal to call consumers using an “automatic telephone dialing system or an artificial or prerecorded voice,” with “automatic telephone dialing system” defined as “equipment which has the capacity to store or produce telephone numbers to be called, using a random or sequential number generator; and to dial such numbers.” On May 10, 2024, the Second Circuit held that Subway’s automatic texting technology did not violate these provisions. The Second Circuit’s reasoning is discussed below.

Subway’s texting does not use an automated dialing system.

Subway’s system uses “an algorithm whereby a random or sequential number generator, similar to a randomization formula or sequential dialing formula, selects which number to dial from the stored list of numbers, and sequences those numbers in order to automatically dial” them to send out promotional texts. The stored telephone numbers came from a preexisting list of customers’ numbers, which Soliman voluntarily added her number to when she participated in an earlier Subway promotion.

The issue that faced the court was whether “using a random or sequential number generator” refers only to generating the telephone number itself, or to generating any number to use computer code to store or produce telephone numbers. The court noted that only three other circuit courts had considered this issue, with all finding that the TCPA only applies to the former; the court here agreed.

Context suggests the use of ‘number’ refers to telephone numbers.

The court noted that other references to “number” in the TCPA, outside of obvious references to quantity (e.g., the number of violations), made it clear that it referenced “telephone numbers” rather than coding or indexing numbers, such as those used in the “randomization formula” that selects and sequences numbers from Subway’s preexisting list.

Prior precedent supports this interpretation.

In Facebook v. Duguid, the United States Supreme Court held that to qualify as an automatic telephone dialing system, “a device must have the capacity either to store a telephone number using a random or sequential number generator, or to produce a telephone number using a random or sequential number generator.” Here, the court found that selecting telephone numbers from a preexisting list constituted neither storing nor producing.

Texts do not constitute ‘voice.’

Soliman had also alleged that Subway’s texts violated TCPA’s ban on using an “artificial or prerecorded voice.” The court found that the ordinary meaning of “voice” did not support this interpretation; dictionary definitions and common sense suggest it refers to a sound produced by a human being. The court also noted that other provisions of the TCPA distinguished between texts and voice as categories. For instance, the statute defines “caller identification information” as applying to “a call made using a voice service or a text message sent using a text messaging service.”