Even though Washington passed its own biometric privacy law last month (HB 1493), and other states are currently debating their own bills, Illinois’s Biometric Information Privacy Act (BIPA) is still the crux of biometric and facial recognition privacy-related litigation. Such suits have typically involved social media services, video game makers or businesses that collect biometric data to authenticate customers. In a slight twist, on May 11, 2017, a putative class of employees filed suit against Roundy’s Supermarkets alleging violations of BIPA surrounding the collection and retention of employees’ fingerprints. Instead of using last century’s analog time cards, Roundy’s requires employees to scan their fingers each time they clock “in” and “out” of their work shifts to verify their identities. In the suit, plaintiffs claim that Roundy’s failed to offer notice and obtain written consent prior to capturing employees’ fingerprints, or post a retention policy about how long the company stores the biometric data. (See Baron v. Roundy’s Supermarkets, Inc., No. 17-03588 (N.D. Ill. filed May 11, 2017)).
Generally speaking, under BIPA an entity cannot collect, capture, purchase, or otherwise obtain a person’s “biometric identifier” or “biometric information,” unless it first:
- informs the subject in writing that a biometric identifier is being collected;
- informs the subject in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and
- receives a written release executed by the subject. Under the statute, “written release” means “informed written consent or, in the context of employment, a release executed by an employee as a condition of employment.”
BIPA also requires private entities to “store, transmit, and protect from disclosure all biometric identifiers and biometric information using the reasonable standard of care within the private entity’s industry,” and to treat such identifiers and information as they would other sensitive and confidential information. Notably, the statute provides for a private right of action, and potential awards of $1,000 in statutory damages for each negligent violation ($5,000 for each intentional or reckless violation), as well as injunctive relief and attorney’s fees.
In the complaint, plaintiffs specifically assert that Roundy’s has not: (1) informed its employees in writing that biometric information is being recorded and stored, (2) notified employees about the specific purpose and length of term for which biometric information is being collected and used, or (3) obtained employees’ written consent (or executed written release as a condition of employment) to the collection and storage of their biometric information. According to the complaint, Roundy’s imposed the biometric timekeeping system upon the named plaintiff after plaintiff had begun working at the supermarket, and not as a condition of employment. The plaintiffs also claim that Roundy’s has not publicly posted its retention schedule and guidelines for destruction of the employees’ biometric data. Plaintiffs seek statutory damages under the Act for the defendant’s alleged negligent violations of BIPA and an order requiring Roundy’s to comply with BIPA and otherwise make the proper public disclosures about its biometric retention and collection policies, including its standard of care used to secure such sensitive data. The defendant’s Answer is due at the end of the month.
Unlike other ongoing biometric privacy litigation, the Roundy’s dispute does not, at first blush, appear to involve jurisdictional issues or statutory construction debates about whether BIPA’s definition of “biometric identifier” or “biometric information” applies to the data at issue. As fingerprints are expressly included in the definition of “biometric identifier,” the pertinent legal issues in the dispute appear to center on whether Roundy’s complied with BIPA. Perhaps relevantly, it will be interesting to see whether the defendant offers any evidence of employment agreements that may have provided some form of notice about its biometric data collection practices with respect to timekeeping for employees. Most importantly, however, the court will have to determine whether a procedural violation of the statute’s notice and consent provisions (absent any allegations of wrongful misuse or disclosure) is enough to plead a concrete harm and establish that plaintiffs have Article III standing. It should be noted that earlier this year, a New York district court dismissed BIPA claims against a video game maker based upon bare procedural violations of the statute and no allegations of any data mishandling, holding that: “The alleged failure to give the plaintiffs more extensive notice and consent is not a material risk to a concrete BIPA interest where no material risk of biometric data misuse ever materialized.”
We will continue to watch this dispute closely and monitor developments in biometric privacy and technology, including other ongoing litigation and pending legislative efforts in other states.