On November 3, 2022, an Illinois circuit court judge dismissed a Biometric Information Privacy Act (Privacy Act or BIPA) putative class action against Samsara, Inc., a DashCam developer. DashCam is a safety technology for trucking companies such as Samsara’s customer and co-defendant, Beelman Truck Co. The DashCam device points an internet-connected dashboard camera at the driver to detect risky driving behaviors. The device also has a “Camera ID” feature, which allegedly scans the driver’s facial geometry to assign trips and to identify the driver to the DOT-mandated electronic logging device (ELD) system used to comply with federal hours of service regulations.
The Guszkiewicz v. Beelman Truck Co. lawsuit alleged that Beelman (the plaintiff’s employer) and Samsara (a third-party technology developer with no direct relationship with the plaintiff) were both responsible for providing written notice and obtaining signed consents from Beelman’s Illinois drivers under Section 15(b) of BIPA.
Samsara argued that requiring third-party technology developers and vendors to provide notice and obtain consent leads to absurd results. Samsara explained that it was not in a position to know which of its customers’ employees drive in Illinois or to obtain their signed consent. According to Samsara, Section 15(b) applies only to the employer because the employer is the one with the relationship with the employees who use the technology, controls and directs the collection of biometric information, and is, therefore, the entity that can provide the required written notice and obtain the executed release.
Samsara instead advised its customers in writing that BIPA could potentially apply to its technology—specifically its Camera ID feature. It provided its customers with a sample BIPA policy and consent form and required customers to twice certify to Samsara that they had complied with BIPA and obtained signed consent forms from their drivers, before it activated the Camera ID feature. Samsara’s motion to dismiss pointed to a line of federal court cases that suggest, in dicta, that technology developers or vendors may discharge their obligations under Section 15(b) by contractually requiring their customers to obtain their employees’ informed consent as a precondition to use of the technology.
DuPage County Circuit Judge Neal Cerne agreed and held that Samsara discharged its notice and consent obligations under Section 15(b), dismissing the BIPA claims against Samsara. The November 3, 2022, dismissal did not include a written opinion but was stated on the record in court. The court found that Samsara complied with BIPA by (a) putting its customers on notice of BIPA’s requirements and possible application to its technology, (b) providing customers with a sample BIPA policy and consent form, and (c) contractually requiring customers to certify twice that they had obtained written consents from their Illinois drivers before activating the Camera ID feature. The court then set a hearing date to consider a proposed class action settlement between plaintiff and Beelman, the trucking company employer.
The Privacy Act
Illinois’s Privacy Act was enacted in 2008 and governs the collection, use, and storage of biometric data such as fingerprints, voiceprints, and scans of the retina, iris, hand or facial geometry. Specifically, it prohibits private entities from collecting or capturing a person’s biometric identifiers or biometric information without first informing them what data is being collected and stored, the reason for doing so, and the length of time for the data collection, and then obtaining that person’s signed consent or “written release.”
The Guszkiewicz case is the latest to review the bounds of the Privacy Act amid evolving technologies that are increasingly able to collect data. The grant of Samsara’s motion to dismiss furthers the argument that technology developers and vendors may avoid liability under the Privacy Act by requiring their clients, as a precondition to the use of the technology, to meet Section 15(b)’s notice and consent requirements.
However, it is not clear that courts will allow developers and vendors to contract away their Privacy Act compliance obligations in all situations. Developers or vendors may wish to plainly assert in their client contracts that they are not collecting or storing biometric data and have no access to any biometric data collected by the customer.
Companies should benefit from this ruling as it should focus developers and vendors on alerting their customers to devices with biometric capability. The plaintiff’s bar appears to be running out of biometric time clock cases to bring and is instead filing suit on new technologies where the biometric capability is either unknown or in dispute. Thus, companies may want to watch for such provisions in their vendor contracts, which should help in identifying biometric devices. Companies presented with such provisions may then need to ensure they are in compliance with the Privacy Act, no further revisions are needed to existing policies and consent forms, and consents are being timely signed.
Ogletree Deakins will continue to monitor and report on developments with respect to the Privacy Act cases before the Supreme Court of Illinois and will post updates on the firm’s Illinois, Class Action, and Cybersecurity and Privacy blogs as additional information becomes available. Important information for employers is also available via the firm’s webinar and podcast programs.