As we previously reported, in January, in Rosenbach v. Six Flags Entertainment Corp., the Illinois Supreme Court held that a plaintiff need not plead an actual injury beyond a per se statutory violation to state a claim for statutory liquidated damages or injunctive relief under the Illinois Biometric Privacy Act (BIPA).
(By way of reminder, the Illinois BIPA prohibits gathering biometric data such as fingerprints without notice and consent. It also requires data collectors adopt a written policy and a destruction policy for data which is no longer required.)
In the wake of Rosenbach, dozens more class actions have been filed in Illinois state courts. Following Rosenbach,plaintiffs can seek injunctive relief and statutory penalties under the BIPA on a class-wide basis. Despite the flurry of activity by the plaintiff’s bar over the past several years, Illinois courts have only recently started addressing such claims. The rulings since Rosenbach demonstrate a strong commitment not to deviate from the Illinois Supreme Court’s holding.
Specifically, two recent cases from the Illinois Appellate Court for the First District (Cook County) provide additional guidance regarding the defenses available to employers under the BIPA post-Rosenbach:
- Standing to Sue: In Rottner v. Palm Beach Tan, Inc., the First District addressed the availability of lack of standing as a possible defense to a BIPA claim. Here, a customer of a tanning salon alleged that the company violated the BIPA by requiring clients to use a fingerprint scanner to verify membership without providing information regarding the salon’s biometric data retention policy.
The company attempted to narrow the holding in Rosenbach by arguing that the customer did not have standing to sue under the BIPA because she could not demonstrate that the collection of her biometric data, as opposed to the improper storage of such data, actually caused her harm. The company argued that Rosenbach did not resolve whether a party claiming only a collection of the party’s biometric data in violation of the Act without further injury can recover liquidated damages under the BIPA. The First District, however, strictly applied Rosenbach and rejected the defendant’s proposed carve out. Palm Beach Tan supports Rosenbach’s holding that an injury beyond the act of simply collecting biometric information is not required to obtain liquidated damages or penalties under the BIPA.
- Ability to Arbitrate: In Liu v. Four Seasons Hotel, LTD., the First District held that not all employment-related claims are subject to an employment agreement’s mandatory arbitration clause. In Liu, hotel employees filed a class action complaint alleging that the hotel failed to follow BIPA requirements when collecting, using, storing and disclosing their fingerprints to track hours worked. The employer moved to compel arbitration, arguing that the plaintiffs’ signed an employment agreement which required arbitration of wage or hour violation claims. The First District, however, rejected this claim holding that the BIPA is not a wage or hour statute, but rather a privacy law.
In these two cases, the First District signaled that it is not prepared to whittle away at Rosenbach’s broad holding. Rather, recent applications of Rosenbach further incentivize employers to conform to the BIPA to mitigate potential civil claims, as mandatory arbitration clauses and common defenses, such as lack of standing, may not not be effective.
To date, several BIPA actions have settled and the terms publicly disclosed. In one settlement, the defendant paid $150.00 to each class member, plus attorney’s fees and costs. (The settlement predated Rosenbach and thus may have contained a risk contingency discount.) In another settlement, the defendant paid up to $400.00 to each class member. This settlement was reached post-Rosenbach, demonstrating that settlement may be more expensive now. In yet another settlement, also post-Rosenbach, each class member was entitled to receive up to $750. Notably, attorney’s fees and costs were not included. This leaves open the question of whether future BIPA settlements will also decline to include such costs.
In light of these decisions, employers should take concrete measures to mitigate the risk of BIPA litigation. We recommend employers:
- Review existing data privacy policies and consent notices for BIPA compliance.
- Incorporate explicit language in employment agreements making it clear that any clauses requiring arbitration also encompass BIPA claims.
- Implement a procedure whereby individuals are notified in writing and asked to provide written consent before any biometric information is collected.
- Obtain written consent forms from active employees as soon as a policy has been adopted.
- Provide employees with a nominal sum in exchange for a release of claims arising under the BIPA.
Implementing these requirements can help bring a company into compliance with the Act and prevent potential claims.