Biometrics in the Workplace: Key Lessons from Emerging Case Law Under the Illinois BIPA
In 2019, we can presume familiarity with the once-futuristic concept of identity authentication via biometric data. Our faces or fingerprints are scanned countless times each day when we unlock our smartphones, and employers are increasingly taking advantage of the security and efficiency benefits of biometric authentication of employees. But the laws governing the collection of biometric data, and court interpretations of those laws, are still catching up. In 2008, the Illinois General Assembly passed the Biometric Information Privacy Act (BIPA), making it the first state to regulate the collection of biometric data, which the BIPA defines to include fingerprints, eye scans, voiceprints, or scans of hand or face geometry. In general, the Act requires private companies to notify individuals and obtain consent for biometric data collection and issue related policies, obligates companies to employ measures to safeguard such information, and prohibits companies from disclosing that information except in specific circumstances. While the BIPA remains the only such law in the United States that provides for a private right of action, it has spawned significant litigation, including in the employment context, and diligent employers should review its provisions and analyze the case law interpreting BIPA to date in order to stay ahead of what is sure to be an expanding area of compliance and litigation risk.
Biometric data generally refers to personal data relating to physical, physiological, or behavioral characteristics that may be used to identify an individual. Common statutory definitions include fingerprints, facial recognition scans relying on facial geometry, iris scans, voice recognition, and medical measurements like glucose levels or heart rhythms, while more familiar low-tech characteristics like written signatures, photographs, or physical descriptions like height, weight, hair color, or eye color may be excluded. As the Illinois General Assembly highlighted in its legislative findings, biometrics are biologically unique to each individual and cannot be changed. Thus, unlike the theft of social security numbers or security passcodes, for example, which can be changed if compromised, a one-time victim of biometric identity theft risks being forever compromised and left without recourse. This concern, coupled with the fact that the "full ramifications of biometric technology are not fully known" despite its increasing use, has caused legislators, regulators, courts, privacy advocates, and, increasingly, the plaintiffs' bar to focus on biometric issues.
Growth of Biometric Regulation and Litigation
Although no federal statute specifically governs the collection of biometric data currently, a growing number of state legislatures have recognized the increasing importance of biometric data issues. A number of states have expanded the definition of personal information under data breach statutes to include biometric information, for example. A smaller number have followed in Illinois' footsteps and have enacted similar biometric-specific statutes as well. In addition, as is often the case in the fast-moving privacy arena, various foreign jurisdictions have been early movers in enacting laws that implicate the collection and use of biometric data. The sweeping General Data Protection Regulation enacted in the European Union includes biometric data within its heightened classification of "sensitive personal information" which imposes more stringent data processing conditions in addition to the conditions already set forth for "personal information." Similarly, the recently-enacted Chinese Cybersecurity Law also categorizes biometric data as "sensitive personal information" and imposes more stringent requirements.
While other state biometric data statutes allow for enforcement by state attorneys general, the BIPA is unique in its allowance for a private right of action, and Illinois has become an early frontier for biometric litigation as a result, with both consumer and employee plaintiffs alleging that biometric data was improperly collected or used without consent. Notably, the BIPA allows successful private plaintiffs to obtain the higher of actual damages or statutory damages of $1,000 per violation and $5,000 per intentional or reckless violation, in addition to attorneys' fees.
Compounding this potential for significant damages where large numbers of individual violations may be at issue, early in 2019, the Supreme Court of Illinois held that plaintiffs are "aggrieved" and have standing to proceed under the BIPA by virtue of a defendant's violation of the act itself even if plaintiffs have suffered no additional damage or adverse effect. In Rosenbach v. Six Flags Entm't Corp., Six Flags collected customer thumbprints to more quickly verify season pass ticket holders and to prevent fraudulent re-use of another customer's pass in its theme parks. The mother of a child whose thumbprint was collected sued Six Flags for failing to follow the BIPA's procedures for obtaining consent. After the trial court denied Six Flags' motion to dismiss, Six Flags appealed, arguing that the BIPA required some additional injury or adverse effect beyond mere violation of the statute. The appellate court agreed with Six Flags, but the Supreme Court reversed, holding that "when a private entity fails to comply with one of [the BIPA's consent] requirements, that violation constitutes an invasion, impairment, or denial of the statutory rights of any person or customer whose biometric identifier or biometric information is subject to the breach." Counsel experienced in defending privacy class actions in federal court may recognize the immediate contrast this decision draws with the "concrete and particularized" harm required to show Article III standing in federal court under Spokeo v. Robins, 136 S.Ct. 1540 (2016). Indeed, this distinction in standing requirements will require defendants to think carefully before asserting a Spokeo challenge to BIPA claims in federal court at the risk of being "trapped" in what may be perceived as more plaintiff-friendly state court jurisdictions if the motion is granted. In any event, it is clear that this early Illinois precedent, combined with the availability of per-violation statutory damages and the uncertainty created by a patchwork of new and underdeveloped areas of law, means that companies subject to BIPA must take seriously the risk of BIPA class actions and plan accordingly.
Biometric Data in the Employment Context
Given the now-widespread use of biometrics in the workplace, employers should pay special attention to the general trends above, and the increase in BIPA litigation in particular. A 2018 survey of IT professionals in North America and Europe, for example, showed that 62% of companies were currently utilizing biometric authentication, and an additional 24% planned on using it by 2020.
The scope of employee lawsuits under the BIPA has matched the myriad uses that employers make of biometric data. One common alleged BIPA violation stems from employers' use of fingerprint scans for timekeeping in lieu of classic clock-punching. Employers using such technologies have been subject to dozens of class-action lawsuits where plaintiff employees allege failure to comply with the BIPA, with some resulting in significant settlements. The alleged violations in these suits may include an employer's failure to notify or obtain consent for fingerprint collection, failure to issue a policy on biometric data collection, and, to the extent third-party vendors are used to administer the system, a failure to obtain consent for disclosure of the information. Importantly, and perhaps of particular interest given recent U.S. Supreme Court jurisprudence upholding the use of class-action waivers in arbitration agreements under the NLRA, courts have held that employee arbitration agreements may not cover BIPA claims where such claims are not specifically enumerated in the agreement.
In recognition of these trends, the Illinois state legislature has proposed legislation to restrain the litigation stemming from the Act, albeit in the face of resistance by privacy advocates. One recent proposal excludes from the private right of action collection "by an employer for employment, human resources, fraud prevention, or security purposes" and instead provides for enforcement by the Department of Labor. Although passage of this or similar amendments in Illinois could soften the impact of the BIPA on employers, the increased scrutiny of biometric data collection makes it unlikely that a meaningful reversal of the trend will take place in the near future, and indeed there are already signs that more state legislatures will follow Illinois in allowing for a private right of action.
Given the rise of employers utilizing biometric data and ever-increasing litigation in this unsettled area of law, companies potentially subject to the BIPA and similar laws must proactively work to comply and reduce litigation risks. While the nature of actions a company must take will necessarily scale with the size of the enterprise and the scope of its data collection, at a high level, companies should at least consider the following steps:
- Take stock of biometric data collection practices at the company; determine what is being collected, from whom, and for what purposes.
- Assess the company's practical and technological measures for safeguarding biometric data and ensure at a minimum compliance with industry standards.
- Immediately draft policies that cover the collection and use of biometric data under the guidelines set forth in the BIPA or review existing policies to ensure compliance.
- Review the company's policies and practices on obtaining consent from employees, and implement an appropriate system for tracking consent.
- Draft employment agreements and arbitration clauses with biometric data laws in mind.
- Continue to monitor trends in state and federal legislation, as well as the rapidly developing case law interpreting the BIPA.