CURRENT MONTH (September 2021)
Illinois Law Protects Household Data
By Sara Beth A.R. Kohut, Young Conaway Stargatt & Taylor, LLP
Illinois has passed the Protecting Household Privacy Act, which takes effect January 1, 2022. Under the Act, law enforcement officials cannot obtain “household electronic data” from third parties without a warrant or consent. The law protects data provided to devices that are primarily intended for use within a single- or multi-family dwelling, but such devices do not include personal computers, smart phones, tablets, modems, routers, wireless access points, or cable set-top boxes. Certain exceptions to the prohibition on access will apply in emergency situations, but law enforcement would be required to apply for a search warrant within 72 hours.
Information obtained in violation of the Act will be presumed inadmissible. Persons who provide household electronic data to law enforcement must take steps to protect the confidentiality, integrity, and security of the data during transmission and limit production to what is responsive to the request.
NYC Passes Law on Sharing of Food-Delivery Customer Data
By Sara Beth A.R. Kohut, Young Conaway Stargatt & Taylor, LLP
The New York City Council has enacted a law regarding access to customer data submitted through online food-delivery services. Under the law, a food-delivery service must provide a conspicuous way for customers to request that their data not be shared. The delivery service must provide the customer data to a food-service establishment upon request, unless the customer requested that their information not be shared. A food-service establishment can request customer data from the food-delivery service, but it cannot sell, rent, or disclose the customer data unless the customer consented when the data was collected.
When sharing customer data, the food-delivery service must provide the data in “machine-readable format, disaggregated by customer, on an at least monthly basis.” The service cannot prevent the food-service establishment from downloading, retaining, or using the data for marketing or other purposes. The law will take effect in December 2021.
Biometric Information Privacy Act and Collective Bargaining Agreements
By Alan S. Wernick, Esq., Aronberg Goldgehn
In a September 20, 2021, decision, the U.S. Court of Appeals, 7th Circuit, held that a business that has entered into a Collective Bargaining Agreement (“CBA”) governed by the Labor Management Relations Act (“LMRA”) may look to the CBA to determine whether the union has consented on the employees’ collective behalf regarding how the business (the employer) acquires and uses fingerprint (or other biometric) information of its employees subject to the CBA.
The plaintiffs in Fernandez, et al., v Kerry, Inc., 2021 WL 4260667 (CA7, 20210920), were five persons who used to work for Kerry, Inc., in Illinois, and were seeking damages under the state’s Biometric Information Privacy Act (“BIPA”), 740 ILCS 14/5 to 14/25. Among other things, BIPA requires private entities to obtain consent before collecting or using biometric information, including fingerprints. The lawsuit alleged, inter alia, that in 2011 Kerry began requiring workers to use their fingerprints to clock in and out of work. Initially filed in state court as a class action, the case was removed to federal court under 28 U.S.C. §1453, asserting that the class’s total damages could exceed $5 million and that the statutory requirement of some diverse citizenship is satisfied. The U.S. District Court, in granting defendant’s (Kerry’s) motion to dismiss, held that §301 of the LMRA, 29 U.S.C. §185, preempts a state law claim if resolution of the claim “requires the interpretation of a collective-bargaining agreement.”
The Court of Appeals stated, “After all, the statute [LMRA] says that a certified union is each worker’s exclusive representative on collective issues. 29 U.S.C. § 159(a).” (Emphasis in the original.) Based on that premise, the Court concluded:
Here, as in Miller [Miller v. Southwest Airlines Co., 926 F.3d 898, 903–05 (7th Cir. 2019)], the employer invokes a management-rights clause. We remarked in Miller: “Whether [the] unions did consent to the collection and use of biometric data, or perhaps grant authority through a management-rights clause, is a question for [decision under the agreement]. Similarly, the retention and destruction schedules for biometric data, and whether [employers] may use third parties to implement timekeeping and identification systems, are topics for bargaining between unions and management. States cannot bypass the mechanisms of [federal law] and authorize direct negotiation or litigation between workers and management.” (emphasis in original). “It is not possible even in principle to litigate a dispute about how an [employer] acquires and uses fingerprint information for its whole workforce without asking whether the union has consented on the employees’ collective behalf.” We held in Miller that it was for an adjustment board—as here it is for an arbitrator—to decide whether the employer properly obtained the union’s consent.
(internal citations omitted)
The Court also noted that plaintiffs did not contend that Local 781 of the Miscellaneous Warehousemen, Airline, Automotive Parts, Service, Tire and Rental, Chemical and Petroleum, Ice, Paper, and Related Clerical and Production Employees Union choices violate its duty of fair representation, nor had they joined Local 781 as a defendant. The Court therefore affirmed the District Court’s opinion that the plaintiffs’ claims are preempted by §301 of the LMRA, 29 U.S.C. §185.
The bottom line is that employers who have a unionized workforce, and who are using, or plan to use, biometric processes/devices in connection with their employees, should carefully review and analyze their CBAs to determine whether or not the CBA appropriately, in light of the applicable law, addresses the employer’s biometric processes/devices impacting their employees.
© 2021 Alan S. Wernick and Aronberg Goldgehn.
