Biometrics — measurements of a person’s physical being, such as fingerprints, retinal or iris scans, or facial recognition — are being increasingly used in commercial settings. For example, many employers are using biometric timekeeping systems, allowing employees to clock in and out with a fingerprint.
While several states have passed legislation designed to protect consumers in the collection and retention of biometric data, the first was Illinois, in the Illinois Biometric Information Privacy Act (“BIPA”), in 2008. While there was very little litigation involving the statute for several years, over the last two years the plaintiffs’ bar has filed an increasing number of class action lawsuits for alleged violations of BIPA. Over thirty lawsuits alleging BIPA violations have been filed in Illinois state and federal courts in 2017 alone. As a result, businesses that collect or use biometric data of employees or consumers should become familiar with BIPA’s obligations and protections.
BIPA contains a comprehensive set of rules governing companies collecting biometrics, with several key elements. First, BIPA requires informed consent prior to the collection of biometrics. Second, BIPA prohibits profiting from biometric data. Third, BIPA prohibits the disclosure of biometric data except in limited circumstances. And fourth, BIPA mandates protection and retention obligations — specifically, that a business must protect biometric data in the same manner as it would any other sensitive or confidential information in its possession, using the reasonable standard of care within its industry.
Importantly, BIPA creates a private right of action for statutory violations, and failure to comply with the statute can be costly. Where a violation is found to be negligent, liability is $1,000 per violation or actual damages, whichever is greater. Where a violation is found to be reckless or willful, liability increases to $5,000 per violation or actual damages. Companies may also be responsible for attorneys’ fees and certain costs if found to be in violation of the statute.
On November 7, 2017, United Airlines became the most recent company to be sued for alleged violation of BIPA, in the putative class action suit styled David Johnson et al. v. United Airlines Inc. and United Continental Holdings, Inc., No. 2017-CH-14832, pending in the Circuit Court of Cook County. The lawsuit is illustrative of the types of claims being brought for alleged violation of BIPA.
In the suit, the putative plaintiff alleges that United Airlines required use of a fingerprint-based system for certain of its employees to clock in and out, but failed to provide those employees with its policy about the collection, retention and use of the biometric data collected. The lawsuit also alleges that United Airlines failed to properly obtain employees’ consent to collect biometric data as required by BIPA. The plaintiff alleges that the proposed class includes “thousands” of employees, and seeks $5,000 for each violation of BIPA.
Because BIPA is relatively new, there are many unresolved issues under the statute. For example, it is not yet clear if companies may be liable for mere statutory violations, or if plaintiffs must show actual injury. While there are currently no known cases applying BIPA outside of Illinois, several states, including Texas, have modeled their own biometrics protection laws on the statute. It is clear, however, that the number of lawsuits alleging BIPA violations will continue to increase in the near future. Companies required to comply with BIPA should follow developments in interpretation of the law closely.