The Illinois Supreme Court decided a landmark privacy case under the Illinois Biometric Information Privacy Act on Friday, finding that a failure to follow the requirements of the Act is enough to support a cause of action under the statute – no additional damage or harm needs to be alleged or shown.
The Biometric Information Privacy Act
Enacted in 2008, the BIPA restricts how private entities may collect, use, store, disclose, and destroy biometric information. (The Act does not apply to state or local governmental agencies.) The touchstone of this law is whether the information collected is a “biometric” – that is, a set of measurements of a physical component, such as eye, finger, voice, hand, or face, which can be used to identify a specific person.
The BIPA has received increasing attention in recent years due to the mounting number of lawsuits filed under it. This litigation has included suits against technology titans like Google and Facebook for their collection and analysis of photographs to create facial templates, without the permission of the subjects of the photographs.
In the employment context, before an employer collects, stores, or uses biometric identifiers or information, it must:
- Notify every employee in writing that it is collecting a biometric identifier or information, including the specific reason for collecting, storing, and using the information and how long the employer will use or retain the biometric identifier or biometric information;
- Obtain the employee’s written release for the biometric collection; and
- Develop a publicly available written policy that includes a retention schedule and guidelines for permanently destroying the biometric information.
The statute provides that an “aggrieved person” can file suit and recover actual or liquidated damages, and attorneys’ fees, and can also seek a court order directing the entity to comply with the law.
Rosenbach v. Six Flags Entertainment Corp.
A mother filed suit against Six Flags Entertainment Corporation on behalf of her son, alleging that Six Flags scanned and stored her son’s thumbprint during a visit in 2014. The lawsuit alleges that Six Flags did not disclose what was done with the information, how long it would be kept, or its guidelines for retaining and destroying the fingerprint information. According to the lawsuit, Six Flags did not provide written notice of the collection of the information or the purposes for which it would be used, nor did the company obtain a written release before scanning the thumbprint. The lawsuit claimed that all of this violated the BIPA. However, the son arguably was not “damaged” by the alleged violations. Thus, the issue in the Supreme Court decision was whether a person who had not suffered any actual or threatened damage as a result of a violation of the BIPA was an “aggrieved person” who could file suit.
A circuit court dismissed part of the lawsuit but found that the plaintiff had a valid claim under the BIPA. The Illinois Court of Appeals disagreed, finding that a plaintiff who alleged “only a technical violation” of the Act was not “aggrieved” under the statute and could not bring suit without showing some injury or adverse effect.
The Illinois Supreme Court disagreed with the Court of Appeals, and found that an individual whose BIPA rights were violated could be an “aggrieved person” with a right to sue even without any specific damages resulting from the violation. Citing a California decision regarding the Act, the Illinois Court found that in enacting the BIPA, the legislature recognized an individual’s right to privacy and to control his or her personal biometric identifiers. Accordingly, when a company fails to comply with the statute, that failure is itself a denial of an individual’s statutory rights, and “[n]o additional consequences need be pleaded or proved.”
The Court also gave short shrift to the idea that a mere “technical” violation of the law does not result in actual harm to an individual, saying that violation of the right to control one’s biometric information is “real and significant.”
Lessons for employers
The BIPA and the Rosenbach decision have implications for any employer who does business in Illinois.
In the employment context, Illinois facilities with timekeeping systems that use fingerprints or handprints would be required to comply with the BIPA. Additionally, Illinois facilities that use retina or iris scans as a security measure to, for example, limit access to certain areas or rooms would also need to comply.
Other states, including Washington and Texas, also have biometric privacy laws, but the Illinois BIPA was the first act of its kind, and it is the broadest. It is also the only one that provides a private right of action. An aggrieved person can recover $1,000 in liquidated damages (or actual damages) for each violation, and $5,000 in liquidated damages (or actual damages) per violation if the violation is intentional or reckless. The aggrieved person can also recover reasonable attorneys’ fees and court costs.
As the Illinois Supreme Court noted, the statute creates “substantial potential liability” for employers, and the risk of class actions alleging BIPA violations is significant. The court’s decision is likely to encourage the filing of individual lawsuits and class actions against companies who gather and use biometric information.
The Illinois legislature may ultimately decide to amend the BIPA, but employers should not count on it, given the employee-friendly environment in Illinois. In the meantime, employers who gather any type of biometric information from employees should ensure that they are in compliance with the written notice, consent, storage, and deletion provisions of the statute:
- Create appropriate, publicly available policies governing the collection, use, storage, and destruction of biometric information that may be collected.
- Obtain a written release from employees before collecting or using any biometric information.
- Store and protect biometric information using a reasonable standard of care within the industry. At a minimum, biometric information should be protected to the same degree as other highly confidential information, such as Social Security numbers or genetic information.