Suppose you blithely swipe your fingerprint to enter your tanning salon or scan your face for faster service at a burger kiosk. Then suppose someone hacks your data to steal your identity.
"The thing that’s interesting about biometrics is, there’s not a 1-800 number you can call and say you’d like your fingerprints replaced," said Michael Cohen, a privacy and data security attorney at Lathrop GPM (formerly Gray Plant Mooty). And with that pithy sound bite, he gets to the crux of the latest issue vexing franchises—new laws popping up in many states over biometric personal data and their attendant lawsuits.
"In today’s world of privacy laws, even if you lose your credit card, for you to try to bring up a privacy claim you have an uphill battle, because there’s very few laws where you don’t have to prove some kind of harm," he notes.
In Illinois, however, a law governing biometric data on the books since 2008 was one of the few that allowed a private right of action.
"That means, instead of a person or a business waiting for the attorney general or possibly the FTC to come after them," an individual can bring a claim, and there were a handful of class-action lawsuits brought under the law, most in 2015.
But then came the Rosenbach decision, when the Illinois Supreme Court in January 2019 ruled that plaintiffs did not have to prove actual harm, as they do in other privacy breaches. "And that opened the floodgates," Cohen said.
"We went from only five in 2015 to 161 class actions just in 2019," as of early December, "just on the biometrics issue, just under the Illinois act," he said. Washington and Texas have biometrics laws as well, but they do not include the private right to action.
Enter the newcomer to the fray, the California Consumer Privacy Act or CCPA in effect as of January 1, 2020. Enforcement will not begin until July 1 of this year, but franchises should not think they can wait until then to act. That’s because California’s law, like Illinois’, contains the private right to action, and it includes statutory damages of $750 per incident.
Do the math
Plaintiffs’ lawyers will jump on board right away, he believes. "As soon as there’s a possible claim to be brought under the California law they will start filing those. So let’s say you have 5,000 personal records of California residents and those have been subject to a data breach and you have not complied with the CCPA," he said. "That is the opening to your being sued for non-compliance," and he lets his listeners do the math on 5,000 records at $750 a pop. "You’re opening yourself up to those extensive statutory damages."
Already copycat laws are popping up. "There are about 14 states that have introduced laws that are virtually identical to the CCPA," he said.
Dawn Johnson, an attorney with Greensfelder in St. Louis who works with franchisors, says her clients are "being cautious" with biometric technology but they’re very attracted to it as well. "You have this advanced technology ramping up and I think it offers a lot of exciting opportunities for franchise companies to collect the data and use it to favorably influence the customer experience, and that’s what customers are demanding. But that is bumping up against all these privacy concerns that we’re seeing."
She, too, notes "the huge increase in lawsuits" over biometrics, primarily in Illinois. "I get notices every day of lawsuits that are filed in Illinois, and every day there’s one more of these cases that are popping up," she said. "That’s the scary part really for businesses, if you’re not using the information correctly, or not following the statutes that apply to you, with notice and consent."
The only franchise case she’s seen so far is LA Tan, in which an Illinois customer swiped a fingerprint to gain access to the tanning salon, but then when the franchise ran into financial problems sued over the whereabouts of her DNA. The case settled for $1.5 million in 2018 but then was revived after the Rosenbach decision noted above.
Notice and consent
Johnson emphasizes the "two most important things: notice to the customer; and getting consent. So giving notice to your customers that you’re collecting the data and how you’re going to use it, and there usually have to be some guidelines in place for how long you’re going to keep it; and how and when you’re going to destroy it."
Today’s joint employer atmosphere, in which franchisors are reluctant to get too close to their franchisees for fear of being held jointly liable for labor violations, spooks many brands. "But I think this is a really dangerous area they need to be aware of, to make sure they’re following the appropriate state laws in their jurisdictions. The franchisor could easily get pulled into this kind of lawsuit," she said.
As for whether Cohen himself likes to use his own biometric data as a consumer, so far he’s limiting it to using Clear to speed through the airport. "I personally still prefer the password and security code approach" and the use of multi-factor authentication.
"Going back to what I said earlier, if I forget the password that can easily be fixed, or credit cards they can issue me a new one. But if someone accesses my fingerprint or retina, how do I take care of that?" Cohen said.
"It’s kind of scary and interesting at the same time."
Beth Ewen is senior editor of Franchise Times, and writes the Continental Franchise Review® column in each issue. Send interesting legal and public policy cases to firstname.lastname@example.org.