The recent onslaught of putative class actions alleging violations of Illinois’ Biometric Information Privacy Act (“BIPA”), codified at 740 ILCS 14/1 et seq., has left many Illinois companies scrambling to find answers (and defense lawyers).

While BIPA putative class actions have been filed against web-based companies like Shutterfly, Google, and Facebook, more recently it has been used to haul into court employers using the increasingly popular “biometric time clocks.” Biometric time clocks allow employees to clock in and out using a scan of their fingerprint or retina and have the advantage of providing efficiency and reliability, since they eliminate paper punch-cards, allow for real-time reports, and prevent fraudulent “buddy-clocking.” However, Illinois companies using these time clocks must adhere to the guidelines espoused in BIPA.

What does BIPA require?

BIPA regulates the collection, use, safeguarding, and storage of biometric information and biometric identifiers (such as fingerprints, retina scans, or face scans) (herein referred to as “biometric information”). It requires any private entity in possession of biometric information to: (1) develop a written policy governing management of the biometric information; (2) inform the owner of the biometric information; and (3) obtain consent from the employee to gather the biometric information.

  • Develop a written policy. The policy must be available to the public and establish a retention schedule and guidelines for permanently destroying the biometric information. The private entity must destroy the biometric information when the purpose for its use has been satisfied or within three years of the individual’s last interaction with the entity (whichever occurs first).
  • Inform the individual. The individual must be informed in writing that his or her biometric information is being collected, the purpose of the collection, and the length of time the biometric information will be collected, stored, and used.
  • Obtain a Written Release. The entity must obtain a written release from the individual.

Private entities storing an individual’s biometric information must use a “reasonable standard of care” and treat the information in the same manner as they treat other confidential and sensitive information. Profiting from an individual’s biometric information (such as selling, leasing, or trading the information) is prohibited. Before disclosing biometric information, an entity must obtain consent from the individual. (There are exceptions to this requirement, including when mandated by law or in response to a warrant or subpoena.)

Damages Under BIPA

BIPA provides for a private right of action, meaning individuals “aggrieved by a violation” of the Act may sue and, if the individual prevails, may receive:

  • $1,000 in liquidated damages or actual damages (whichever is higher) for each negligent violation
  • $5,000 or actual damages (whichever is higher) for each intentional or reckless violation
  • attorneys’ fees and costs
  • injunctive or other relief

Questions Remain

Because Illinois was the first state to enact a biometric privacy law, there are many legal issues that have yet to be resolved. For example, what constitutes a violation of the Act? In the context of biometric time clocks, does a separate violation occur every time an employee clocks in or out using a fingerprint or retina scan? If so, an employer could face considerable damages if sued by an employee.

Also, will actual damages be necessary to prevail? What constitutes injury-in-fact under Article III? While the court in Monroe v. Shutterfly, 2017 U.S. Dist. LEXIS 149604, *30 (N.D. Ill. Sept. 15, 2017), agreed that whether a plaintiff needs to show actual damages under BIPA was not “free from doubt,” it declined to hold that a showing of actual damages was necessary to state a claim. Further litigation on this issue, including possible appeals to the Seventh Circuit, may add clarity.

As for Article III standing, the Monroe court concluded, sua sponte, that the plaintiff had standing because he was able to show an invasion of privacy. The court differentiated Monroe from prior BIPA cases where there was no injury-in-fact, explaining that, in those cases, plaintiffs voluntarily provided their biometric information to defendants and could not otherwise show injury (e.g., a hacker gaining access to the biometric information). The Monroe plaintiff, in contrast, had not voluntarily provided his biometric information to Shutterfly. The Northern District of California recently heard arguments on this issue in a BIPA case brought by Facebook users against the social networking site, in Facebook Biometric Info. Privacy Litig., Civil Action No. 3:15-cv-03747. At the time of publication of this article, the Facebook court had not yet ruled on whether the plaintiffs to that action have standing.

Although questions remain regarding the legal technicalities of BIPA, prudent companies doing business in Illinois that are collecting, using, or storing biometric information should follow BIPA’s guidelines discussed above.