Data Privacy Law Update: Federal Law Preempted Illinois Biometric Law -- Up to a Point



by David Horrigan on March 18, 2020

Cyber Security & Data Privacy , Information Governance

The Illinois Biometric Information Privacy Act (BIPA) has changed the data privacy landscape—especially after the Illinois Supreme Court’s decision last year in Rosenbach v. Six Flags Ent. Corp., where the state’s high court held that a mere violation of the statute, the taking of a 14-year-old’s fingerprints without parental consent, was sufficient to state a claim—even if no other damages were proven.

Well, it turns out Six Flags wasn’t the only business in Illinois taking people’s fingerprints. Bimbo Bakeries USA used fingerprints instead of that 20th century antiquity, the timeclock, to record employee hours.

One of Bimbo’s employees, Lisa Peatry, alleged the company violated BIPA by the way it took her fingerprints. However, unlike in Rosenbach, Bimbo had another legal argument: federal preemption under federal labor law.

Would BIPA be gutted by federal preemption? One of the central questions for the court in Peatry v. Bimbo Bakeries USA, Inc., No. 19 C 2942 (N.D. Ill. Feb. 26, 2020), was whether the federal Labor Management Relations Act of 1947 preempted Peatry’s BIPA claims.

Biometrics at Bimbo Bakeries

Some readers may think there’s something salacious going on at Bimbo Bakeries USA. Actually, the company doesn’t produce adult novelty baked goods. In fact, Bimbo Bakeries is the largest bakery company in the United States. The US arm of the Mexican conglomerate Grupo Bimbo, the company produces well-known brands such as Entenmann’s, Sara Lee, Bays and Thomas English muffins, and Ball Park buns.

Lisa Peatry worked as a machine operator at a Cicero, Illinois, facility Bimbo acquired in February 2018. Bimbo executed a collective bargaining agreement with the Chemical and Production Workers Union Local No. 30, AFL-CIO, which became effective May 8, 2018.

During her employment with Bimbo, Peatry used a Bimbo timeclock system from a third-party vendor that used employees’ fingerprints to record when they started and ended work.

Bimbo never informed Peatry of the purposes or length of time for which Bimbo collected, stored, used, and disseminated her biometric data. The company also never informed her of a biometric data retention policy or whether Bimbo would at some point permanently delete her biometric data. In addition, Peatry never received or signed a written release authorizing the collection, storage, use, and dissemination of her biometric data.

BIPA and Bimbo

Peatry filed a putative class action against Bimbo, arguing the company’s use of the biometric fingerprint system violated BIPA. Specifically, Peatry argued Bimbo violated BIPA by its failure to have a retention system, its failure to obtain informed consent, and Bimbo’s dissemination of the data to the third-party vendor without consent.

Among various legal arguments, Bimbo countered that § 301 of the Labor Management Relations Act of 1947 (LMRA) and the National Labor Relations Act of 1935 (NLRA) preempted Peatry’s claims.

The Bimbo court cited the Seventh Circuit’s decision in Miller v. Southwest Airlines Co., Nos. 18-3476 and 19-1785 (7th Cir. June 13, 2019), which dealt with federal preemption under the federal Railway Labor Act, which also governs airlines. Miller had a similar fact pattern: the use of biometric fingerprint data, and a claim of BIPA violations.

Following Miller, the Bimbo court held that federal law preempted any BIPA claims on or after the effective date of Bimbo’s collective bargaining agreement with the union.

“Because dispute about collection and use of biometric information required interpretation of CBA’s management rights and wage provisions, the ‘state law is preempted to the extent that a state has tried to overrule the union’s choices on behalf of the workers.’”

However, that wasn’t the end of the legal story.

The court rejected Bimbo’s federal preemption arguments vis-à-vis her claims prior to the May 8, 2018 effective date of the collective bargaining agreement, holding the National Labor Relations Act of 1935 did not preempt the pre-May 18, 2018 claims. 

In addition to federal preemption, the court held the Illinois Workers Compensation Act did not preempt the pre-May 18, 2018 claims because data privacy violations were not “injuries” as envisioned by the workers comp act.

Why Bimbo Matters

With the lack of comprehensive federal data privacy and data protection law, US states have often been a driving force in data privacy and protection, passing laws and regulations that—at least to some extent—fill the vacuum created by the lack of comprehensive federal law.

There is no comprehensive federal biometric information protection law. Thus, one might think BIPA was not at risk of federal preemption.

The lesson of Bimbo is that such preemption analysis is wrong.

In the case of Bimbo, it was federal labor and employment law jumping in to preempt BIPA. Such preemption won’t apply in all cases—such as young Alexander Rosenbach’s trip to Six Flags Great America. However, labor and employment matters, as seen in Bimbo and Miller, can be a hotbed of potential biometric data claims.

Another point of interest was the court’s determination that the “loss of the ability to maintain privacy rights … is neither a psychological nor physical injury and is not compensable” under Illinois workers compensation law.

This argument is somewhat similar to the argument in Rosenbach, where Six Flags claimed Rosenbach was not an “aggrieved” party under the statute because nothing had been done with his data.

Does something have to be a psychological or physical injury to compensable under the law? At least according to the Bimbo court, it does if the law in question is the Illinois Workers Compensation Act. Of course, that holding worked out nicely for Lisa Peatry.

With data privacy violations and data breaches becoming one of the biggest issues for businesses and society in general, the question of damages is a developing area of the law.

Another big takeaway from the tale of the biometrics at Bimbo Bakeries?

In 2020, make sure your contractual agreements have data law provisions, such as data breach notification and biometric data protection agreements. Although, as always, this is friendly advice, not legal advice, the biometric battle at Bimbo Bakeries might have had a different ending if the collective bargaining agreement had biometric law provisions.

David Horrigan is discovery counsel and legal education director at Relativity. A former reporter and assistant editor at The National Law Journal and analyst and counsel at 451 Research, he was First Runner-Up for Best Legal Analysis in the 2019 LexBlog Excellence Awards. 

Data Privacy and Data Protection: You Can't Have it Both Ways ... Yet

Comments

Post a Comment

Required Field