An emerging area of the law has become the focal point in a new class action lawsuit pending in the U.S. District Court for the Northern District of Illinois. In Baron v. Roundy's Supermarkets, Inc., et al. (No. 1:17-cv-03588), the plaintiff has alleged that Roundy's, a national supermarket chain, violated the Illinois Biometric Information Privacy Act (BIPA) when it failed to satisfy the legal preconditions required to obtain and retain employee fingerprints that the supermarket chain used for timekeeping purposes.

BIPA became effective in 2008 and requires that a collector of biometric data satisfy several preconditions before collecting this data, including:

  • informing the subject that the biometric data is being collected or stored
  • informing the subject in writing of the purpose and length of time for which the data is being collected
  • obtaining a written release signed by the subject of the data being collected

In addition to these preconditions to data collection, BIPA specifies requirements for the retention and destruction of biometric data.

The damages available under BIPA make it an attractive vehicle for class actions. For each violation of BIPA, a prevailing party may recover the greater of actual damages or $1,000 for negligent violations of the Act. For reckless or intentional violations, a plaintiff may recover the greater of actual damages or $5,000. In addition, a prevailing plaintiff is entitled to reasonable attorney's fees and costs.

Texas has a similar law to BIPA, but it does not have a private right of action. Further, several states are currently considering bills similar to BIPA, including Alaska, Montana, New Hampshire and Washington.

Considerations for Employers

Laws like BIPA will become more relevant to employers and of increasing interest to the plaintiffs' bar as the use of biometric data, such as the use of fingerprints or thumbprints for timekeeping purposes, becomes more prevalent in the workplace. With the increasing awareness of such laws by the plaintiffs' bar, it is important that employers using or considering the use of biometric data in the workplace ensure compliance with any state or local laws governing the use, retention and destruction of that data.