After noting the flood of Illinois biometric privacy suits in September, it appears that the flow of such suits remains robust. Dozens of suits have been filed in Illinois state court against Illinois-based employers and other businesses alleging violation of Illinois’s Biometric Information Privacy Act (BIPA), which generally regulates the collection, retention, and disclosure of personal biometric identifiers and biometric information, and encourage businesses that collect such personal data to employ reasonable safeguards.
In recent years, biometric privacy suits initially involved social media services and video game makers, but have increasingly been asserted against businesses that collect biometric data to authenticate customers or employees, especially Illinois-based employers that use biometric timekeeping devices to verify employees when clocking in and out.
While dozens of suits have been filed in Illinois state court, it is not yet clear if mere procedural violations of BIPA’s consent and data retention requirements, without any showing of actual harm or data misuse, are actionable under the statute (i.e., whether persons pleading procedural violations are “aggrieved” under the statute, as BIPA expressly provides that “any person aggrieved by a violation” of the BIPA may pursue money damages and injunctive relief against the offending party). Defendants, in other cases, have argued that the term “aggrieved” in BIPA requires a plaintiff to establish an injury due to a statutory violation, while plaintiffs oppose this interpretation and have contended that “aggrieved” means only that a plaintiff must come within a statute’s zone of interest.
In one of the latest suits, a putative class of employees asserted BIPA claims an Illinois-based media company that collected and stored employees’ fingerprints, allegedly without proper notice and consent, for the purpose of authenticating attendance and timeliness. (Lopez v. Multimedia Sales & Marketing, Inc., No. 2017CH15750 (Ill. Cir. Ct. Cook Cty filed Nov. 29, 2017)). Specifically, the complaint alleges that the employer violated BIPA by failing to give proper notice, obtain written consent or publish a data retention policy prior to collecting fingerprints for the purpose of timekeeping authentication. The complaint also alleges that, to the extent the defendant transmits the employees’ biometric data to out-of-state vendors to manage its authentication procedures, it failed to obtain consent for such a practice. Notably, the complaint does not allege any misuse or misappropriation of the biometric data previously collected. The complaint seeks injunctive relief requiring defendant to comply with BIPA and statutory damages of $5,000 for each willful violation of BIPA (and $1,000 for each negligent violation).
Examples of other recent BIPA suits filed against employers include:
- Freeman-McKee v. Alliance Ground International LLC, No. 2017CH13636 (Ill. Cir. Ct. Cook Cty filed Oct. 11, 2017) (employees of airline cargo company assert BIPA claims regarding collection of fingerprints for use during clocking in and out)
- McGee v. RJW Transport Inc., No. 2017CH14077 (Ill. Cir. Ct. Cook Cty Oct. 20, 2017) (BIPA claims against logistics and transportation company regarding use of fingerprints for timekeeping authentication)
- Heckl v. Suparossa Restaurant Group LLC, No. 2017CH14299 (Ill. Cir. Ct. Cook Cty filed Oct. 25, 2017) (BIPA claims against restaurant company over scanning of employees’ fingerprints to check in and out of a digital time clock)