After almost 10 years since its enactment, the Illinois Biometric Information Privacy Act (“BIPA”) has spawned a new wave of litigation against employers centered on biometric timekeeping technology. BIPA was enacted to regulate the collection, use, storage, retention and destruction of biometric information, such as fingerprints and hand or face scans, among other things. Although the law’s primary focus was to protect consumer biometric information, the vast majority of recent class action lawsuits have been filed against employers that use biometric timeclocks, e.g., fingerprint and handprint machines, to track employee hours.
Although other states have enacted biometric privacy statutes, BIPA is the only biometric privacy law in the nation which allows for a private right of action and recovery of liquidated damages to any “person aggrieved.” Under the statute, a plaintiff may recover liquidated damages of up to $5,000 for each BIPA violation. Since at least 2015, more than 100 class action lawsuits have targeted employers primarily in Illinois state and federal courts.
A recent state appellate court ruling has provided BIPA defendants with a potential defense by interpreting BIPA more narrowly. In Rosenbach v. Six Flags Entertainment Corp, a unanimous decision issued on December 21, 2017, the Illinois Appellate Court ruled that to state a cognizable claim under BIPA, a plaintiff must allege more than a mere failure to comply with BIPA’s notice and consent provisions. The Appellate Court’s ruling centered on the definition of the term “aggrieved” as used in the statute and found that a mere technical violation of the statute was insufficient to state a viable cause of action. Illinois federal courts have similarly interpreted BIPA as limited by the term “person aggrieved” in BIPA. These ruling are similar to the U.S. Supreme Court’s Spokeo standard for Article III standing, which requires a plaintiff’s injury-in-fact to be both concrete and particularized.
Illinois businesses that use or plan to use biometric identifiers and information should be mindful of BIPA’s requirements to avoid litigation. Before collecting biometric identifiers or information, a private entity should:
- Inform the individual in writing that a biometric identifier or information is being collected or stored;
- Inform the individual in writing of the purpose and length of time for which the biometric identifier or information is being collected, stored, and used; and
- Receive a written release from the subject.
Private entities that possess biometric identifiers or information must also develop a publicly available written policy setting forth a retention schedule and guidelines for permanent destruction. Finally, employers should identify any weaknesses in the security and protection of employees’ data, and develop policies to prevent and safeguard against the unauthorized disclosure, sale, lease, trade or profit from employees’ information.
While employers may craft effective defense strategies against BIPA claims in light of recent court decisions, employers are best served by preparing written and publicly available policies and by obtaining employee consent when implementing technology that collects biometric information.