A "New" Frontier for Plaintiffs Class Action Attorneys -- the Illinois Biometric Information Privacy Act: Can technical non-compliance equate to damages?
Since November 2016, over thirty-five class action lawsuits have been brought under the Illinois Biometric Information Privacy Act (the Illinois “BIPA”) in Illinois state and federal courts. Under the Illinois BIPA (which was enacted in 2008), “biometric information” is defined as “any information, regardless of how it is captured, converted, stored or shared, based upon on an individual’s biometric identifier used to identify an individual,” including “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”
These new class action lawsuits under the Illinois BIPA are the result of businesses increasingly, using biometric information for timekeeping (clocking in and out of work with a fingerprint instead of punching a timecard), security access (using fingerprint, hand, or retina scanners or facial recognition software to allow access to company facilities or secure laptops, smartphones, or other electronic devices), wellness programs (measuring biometric data to assess health risks), and workplace safety and efficiency (using biometrics to track employee locations, information usage, training compliance, and job performance), With the growth of businesses’ use of biometrics has come increased legal risks that include the threat of BIPA class actions in Illinois.
Much to the chagrin of Illinois businesses, Illinois is the only state that has enacted a law that allows employees (or customers) to file a lawsuit against a company that fails to provide notice that biometric information is being collected, obtain a written consent for the collection of biometric information, or maintain a written policy establishing guidelines for destroying the information. Violating the Illinois BIPA can result in statutory damages of $1,000 for each negligent violation and $5,000 for each willful violation, plus the recovery of actual damages and attorney’s fees. Given the stakes involved in a BIPA violation, there has been a dramatic spike in the filing of BIPA class actions.
Most of these new suits arise out of employers’ use of timekeeping systems that utilize employee fingerprints, but a few have involved the use of facial recognition software. These new BIPA class actions are being filed , even though the biometric data has been protected, has not been lost or employee or customer may not have been damaged in any way. 740 ILCS § 14/15. Plaintiffs’ counsel are forging ahead with BIPA class actions, often in an effort to leverage massive settlements, based on technical violations involving the failure to provide notice, obtain written consents, or maintain a written policy establishing guidelines for retaining or destroying biometric information. The types of companies that have been named in BIPA class actions to date are varied and include Facebook, Shutterfly, technology companies, long-term care facilities, grocery stores, restaurants, staffing companies, tanning salons, manufacturers and other businesses.
As more and more employers use facial recognition software and fingerprinting for security and other timekeeping purposes, employers can expect employees or ex-employees to have a greater awareness to the requirements of the Illinois BIPA, which may result in increased exposure to unwarranted litigation. Employers can reduce or eliminate the risk of a BIPA class action by creating and publishing a policy that outlines the collection, use and retention procedures for employee and customer biometric information, providing employees and customers with a written notice and obtaining the requisite written consents prior to collecting biometric information. In the event that a BIPA class action is filed against an employer, there are certain defenses to BIPA claims based on a plaintiff’s lack of standing or that the plaintiff was not “aggrieved” or damaged by a technical BIPA violation of the statute, the information collected does not constitute biometric data, the employee was subject to an arbitration agreement that covered Illinois BIPA claims, and that claims are barred by BIPA’s statute of limitations. The success or failure of these BIPA defenses will depend on the facts of the case and further judicial interpretations of the Illinois Biometric Information Protection Act. While Illinois’ class action counsel have seized the opportunity to create a cottage industry of BIPA claims, Clark Hill is well-prepared and ready to assist companies in defending such claims and with their compliance needs to enact an appropriate BIPA policy.
2023 Cybersecurity and Data Privacy Laws Summit: Chicago
Join us for our inaugural, in-person program, where legal, in-house, and technical professionals will delve into the latest cyber and privacy topics and trends.
Legal, Tax and Infrastructure Requirements for Fleet EV Charging
Organizations that currently own or intend to acquire electric vehicles can gain insights into tax, legal, and infrastructure requirements by understanding best practices and common mistakes. The panel will also discuss new EV laws and charging technology.
For companies considering a full or partial transition to EV fleets, the webinar will discuss how to maximize tax rebates, determine optimal legal contracts, and identify funding opportunities. The presentation will also cover infrastructure considerations with regard to electrical and cyber requirements.