Photo of David Oberly

David Oberly

Welcome to the 2022 Q3 edition of the Artificial Intelligence & Biometric Privacy Report, your go-to source for keeping you in the know on all recent major artificial intelligence (“AI”) and biometric privacy developments that have taken place over the course of the last three months. We invite you to share this resource with your colleagues and visit Squire Patton Boggs’ Data Privacy, Cybersecurity & Digital Assets and Privacy & Data Breach Litigation homepages for more information about our capabilities and team.

Also, we are extremely pleased to announce that our own Kristin Bryan was named as a 2022 Law360 Cybersecurity & Privacy MVP. As Law360 notes, “[t]he attorneys chosen as Law360’s 2022 MVPs have distinguished themselves from their peers by securing hard-earned successes in high-stakes litigation, complex global matters and record-breaking deals.” You can read more about Kristin’s Law360 award here: Law360 MVP Awards Go to 188 Attorneys From 78 Firms.

Continue Reading 2022 Q3 Artificial Intelligence & Biometric Privacy Report

For almost four years now, attorneys have remained relentless in their quest to extend the outer boundaries of the Illinois Biometric Information Privacy Act (BIPA) as far as courts are willing to allow. During this period, many defendants have struggled with procuring dismissals of BIPA class claims.

One particular defense, however, has developed into an extremely robust tool for companies engaged in biometric privacy class suits: BIPA’s “financial institution” exemption. Contrary to what its name suggests, the benefits of this entity-level carve-out extend to a range of entities well beyond traditional banks and financial institutions. A recent BIPA opinion issued by a Northern District of Illinois court demonstrates the expansive scope of the exemption and provides several key takeaways for defendants to defend against—and outright defeat—BIPA claims at a time when biometric privacy class action exposure continues to grow.

Continue Reading Federal Court Dismisses Biometric Privacy Class Action Brought Against University, On Basis It Was a Regulated “Financial Institution”

While the Illinois Biometric Information Privacy Act (BIPA) remains one of the hottest areas of class action litigation today, many core issues underlying BIPA disputes remain unsettled and uncertain at this time. And as the recent decision by the Northern District of Illinois in Kukovec v. Estee Lauder Co., Inc., No. 22 CV 1988, 2022 U.S. Dist. LEXIS 202212 (N.D. Ill. Nov. 7, 2022) shows, courts are often in disagreement on many of these key matters—underscoring the need for compliance with the statutory requirements of the Illinois biometrics law.  

Plaintiff Kukovec used a makeup try-on tool (“VTO Tool”) on the website of Too Faced Cosmetics, owned by Estee Lauder. The plaintiff claimed that the VTO Tool collected her facial geometry in violation of Sections 15(a) and (b) of BIPA. Estee Lauder subsequently moved to dismiss the complaint based on (among other things) the existence of an agreement to arbitrate and failure to plead a cognizable claim.

Continue Reading Recent BIPA Opinion Illustrates Continued Uncertainty Underlying Core Issues in Biometric Privacy Class Action Litigation

In January 2019, the Illinois Supreme Court opened the floodgates to class action litigation pursued under the Illinois Biometric Information Privacy Act (“BIPA”) when the state’s highest court held in Rosenbach v. Six Flags Ent. Corp., 2019 IL 123186, 129 N.E.3d 1197 (Ill. 2019), that plaintiffs do not have to allege any actual injury or damages to pursue claims under the state’s biometric privacy statute; instead, mere technical violations of the law are sufficient. Today, the world of biometric privacy litigation experienced a development noteworthy enough to put it on equal footing with Rosenbach, with a jury finding in favor of a class of Illinois truck drivers in the first BIPA class action to be tried to verdict.

Continue Reading BREAKING: Plaintiff Prevails In First BIPA Class Action Jury Trial

On September 30, 2022, the Colorado Attorney General’s Office (“Colorado AG”) issued its proposed draft Colorado Privacy Act (“CPA”) Rules (the “CPA Rules” or “Rules”). The draft Rules, which add significant complexity and obligations on businesses, go far beyond what was expected of the Colorado AG and, despite the repeated insistence for interoperability with other

In the absence of any progress at the federal level, states have taken matters into their own hands with the introduction of proposed consumer privacy legislation geared toward placing greater protections over consumers’ sensitive personal data. 2021 was a busy year for state legislatures, with both Virginia and Colorado enacting new consumer privacy statutes of their own. 2022 brought more of the same, with Utah and Connecticut adding their names to the growing list of states that now have laws on the books granting consumers extensive rights regarding the collection and use of their personal data while at the same time imposing wide-ranging obligations on companies that handle that same data.

Continue Reading CPW’s David Oberly Examines Recent Major Changes to Consumer Privacy Legal Landscape in Latest Issue of the Cincinnati Bar Association’s CBA Report Magazine

Recently, eyewear brands that offer virtual try-on (“VTO”) tools—which allow website visitors to “try before they buy” while shopping online—have faced a barrage of class action lawsuits alleging violations of the Illinois Biometric Information Privacy Act (“BIPA”). Importantly, however, BIPA suits are not the only legal risks that continue to increase for eyewear retailers today,

By now, most CPW readers are very familiar with the term “BIPA”—the acronym used for Illinois’s game-changing biometric privacy law, which has led to a barrage of class action litigation pursued against companies that use biometric data in their commercial operations. BIPA is not, however, the only biometric privacy law on the books that presents

Earlier this month, a federal court in Illinois dismissed a BIPA fingerprint timekeeping class action that had been pending for over three years, finding that Plaintiff failed to adequately allege a claim under Section 15(b) of the Illinois Biometric Information Privacy Act. Stauffer v. Innovative Heights Fairview Heights, LLC, 2022 U.S. Dist. LEXIS 140010 (S.D. Ill. Aug. 5, 2022). This ruling was based on the Court’s primary conclusion that:

Nowhere in her complaint does Plaintiff allege that [Defendant] itself stored biometric information on its own computers or servers, or that [Defendant] used the biometric information for its own purposes. In fact, Plaintiff does not allege that [Defendant] actually accessed this information. Plaintiff” allegations are simply that [Defendant] could access the biometric information one day. But equally as plausible as [Defendant] accessing the information one day is that [Defendant] never accessed the information.

As reported earlier in CPW’s 2022 Q1 AI/Biometric Litigation Trends by Kristin BryanDavid Oberly and Christina Lamoureux, the majority of BIPA cases filed thus far in 2022 arise under the circumstances analogous to the Stauffer litigation in the timekeeping context. As such, the Court’s ruling in this case is anticipated to bear upon other pending and future filed cases.  

In this instance, the Court rejected the Plaintiff’s allegations that the use of a uniform franchise agreement which (i) required franchisees adopt a common timekeeping system (“POS System”) that “collect[ed] employee fingerprints and information used to identify such employees based on their fingerprints” and (ii) and gave the Defendant “the right to have independent access to all information or data” on the POS System used by franchisees sufficient for purposes of a pleading a cognizable Section 15(b) BIPA claim.

Read on to learn more about the particular facts of this case and the Court’s analysis.

Continue Reading Federal Court Rejects Terms in Franchise Agreement Retaining Data Access Rights As Sufficient to Plead Section 15(b) BIPA Claim

Welcome to the 2022 Q2 edition of the SPB Artificial Intelligence & Biometric Privacy Quarterly Review Newsletter, your go-to source for keeping you in the know on all recent major artificial intelligence (“AI”) and biometric privacy developments that have taken place over the course of the last three months. We invite you to share this resource with your colleagues and visit Squire Patton Boggs’ Data Privacy, Cybersecurity & Digital Assets and Privacy & Data Breach Litigation homepages for more information about our capabilities and team. 


Q2 did not disappoint in the AI and biometric privacy space, with a number of noteworthy litigation, legislative, and regulatory developments having taken place in these two rapidly developing areas of law. Read on to see what has transpired over the last quarter and what you should keep your eyes on as we head into the second half of 2022.

Continue Reading SPB 2022 Q2 Artificial Intelligence & Biometric Privacy Quarterly Review Newsletter