As we previously reported, since 2017 employees have filed dozens of employment class actions claiming violations of Illinois’ 2008 Biometric Information Privacy Act (“BIPA”). In short, BIPA protects the privacy rights of employees, customers, and others in Illinois against the improper collection, usage, storage, transmission, and destruction of biometric information, including biometric identifiers, such as retina or iris scans, fingerprints, voiceprints, and scans of face or hand geometry. Before collecting such biometric information, BIPA requires an entity to: (1) provide written notice to each individual of the collection; (2) obtain a signed release from each individual for the collection of biometric data; and (3) make available a policy that contains a retention schedule and guidelines for the permanent destruction of the biometric data.

One of the unresolved legal issues was whether an entity’s failure to comply with BIPA’s requirements, absent an actual injury, was sufficient to sustain a claim under that law. On January 25, 2019, the Illinois Supreme Court weighed in on this issue in Rosenbach v. Six Flags Entertainment Corp., holding that mere collection of an individual’s biometric information may be enough to state a claim under BIPA.

In Rosenbach, a parent sued on behalf of her child after he was fingerprinted entering a Six Flags theme park. Neither the parent nor the child signed a release, Six Flags did not provide a written notice provided to the child or the parent, and Six Flags did not have a publicly available policy regarding the retention or destruction of the biometric information. Nonetheless, there have been no known data breaches on Six Flags systems, and the complaint did not allege any other harm to the parent or her son.

The Illinois Supreme Court found that the legislative intent behind BIPA dictated that a technical violation of the law, such as failure to provide notice or obtain a release, is sufficient to state a claim under the Act. Under BIPA, an “aggrieved” party is similar to the concept of the injury-in-fact requirement for standing in federal court. There, the Court found that the “injury is real and significant.”

In light of the Rosenbach decision, it is even more important that employers with operations in Illinois consider taking the following action:

(1)  First, determine if your company collects, uses, stores, or transmits any employee’s (or other individual’s) biometric information or identifiers that may be covered by BIPA (e.g., using fingerprint recognition technology for time keeping purposes or to access a company-issued property or devices).

(2)  If your company does collect, use, store, or transmit biometric data/identifiers, you should:

(a)  develop or review existing, written policies concerning the collection, storage, use, transmission, and destruction of that information, consistent with industry standards;

(b)  implement policies concerning proper notice to employees (and other affected individuals) about the company’s use, storage, etc., of such data and obtain written and signed consent forms from all affected persons; and

(c)  establish practices to protect individuals’ privacy against improper disclosure of biometric data/identifiers, using the methods and standard of care that they would apply to other material deemed confidential and sensitive.

Importantly, providing proper notice includes identifying the specific reason for the collection, storage, and use of the biometric data, as well as how long the employer will use or retain such data. 740 Ill. Comp. Stat. 14/15(a), (b); 14/10.

Employers continue to incorporate the use of biometric information for several employee management purposes, such as in systems managing time keeping and security access that use fingerprints, handprints, or facial scans.  Recently, Illinois state courts have encountered a substantial increase in the amount of privacy class action complaints under the Illinois Biometric Information Privacy Act (“BIPA”), which requires employers to provide written notice and obtain consent from employees (as well as customers) prior to collecting and storing any biometric data.  Under the BIPA, the employer must also maintain a written policy identifying the “specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used.”  740 ILC 14/15(b)(2).

Although the BIPA was enacted almost 10 years ago, individuals did not start filing lawsuits until 2015.  Since September 2017, there have been over twenty-five new filings in Illinois state courts including class actions against prominent international hotel and restaurant chains.  These lawsuits tend to target employers utilizing finger print recognition machines as part of their time keeping systems.  Where the employer uses a third-party supplier for its time-tracking system, the claims have also included allegations that the employer improperly shared the biometric information with the supplier without obtaining the proper consent.  In these cases, the claims generally allege that the employer failed to provide proper notice.

Though there is no definitive reason for the increase in filings over the past months, the claims may be related to the increased use of biometric information in the workplace since the initial case filings in 2015.  While Texas and Washington also have laws governing employer use of biometric information, Illinois is the only state that currently provides a private right of action, including class actions.  Additionally, potential damages associated with BIPA violations, particularly for class actions, can be extensive, including liquidated damages of $1,000 per negligent violation (or the amount of actual damages, whichever is greater), liquidated damages of $5,000 per intentional or reckless violation (or the actual damages, whichever is greater) and attorney’s fees.

What Can Employers Do?

  • Prior to collecting or storing biometric data, employers in Illinois should: (1) create a written policy regarding the retention and destruction of biometric data; (2) obtain written acknowledgment and release from the employees; and (3) store the biometric information securely, similar to other confidential information, such as personal health information or personally identifiable information.
  • Employers who use a third party to assist with the collection or storage of biometric data should include the third party in the acknowledgement and release, which employees execute.
  • Employers also should be aware that most states, including Illinois, have legislation governing how employers respond to data breaches and the required notifications to employees. If a data breach occurs, employers are advised to immediately contact counsel to devise and implement a response plan.
  • In the event of litigation, employers should remove BIPA cases to federal courts when possible, particularly where the allegations focus on notice and consent issues, as employers can argue that plaintiffs cannot establish the necessary harm to establish standing as required by the Supreme Court case Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016) (requiring more than a “bare procedural violation” to establish harm). Because employees likely will have difficulty establishing actual harm where the biometric data was stored in a confidential and secure manner, employers may be successful in getting such claims dismissed.

As the laws regulating biometric data continues to evolve, employers should monitor this issue closely and consult with counsel as further developments occur to ensure compliance with any relevant regulations.