Note: Biometrics are measurements of biological (like fingerprints or retinas) and physical characteristics (voice recognition or body odor) that can be used to identify individuals. Collection of this data is becoming common. For example, your fingerprint will check you in at the gym, unlock your computer or clock you in at work. It is often collected as part of wellness programs. Only three states currently have laws regulating the collection and use of biometrics: Illinois, Texas and Washington. Several other states have considered, but failed to adopt biometric privacy laws. However, as the use of biometrics continues to grow, it is likely that laws similar to the one in Illinois will be enacted. The importance of the case discussed in this article is that persons suing for violations of the Illinois law do not have to allege or prove actual harm, a requirement of most lawsuits.
∼∼∼∼∼
The Illinois Supreme Court’s decision in Rosenbach v. Six Flags held that plaintiffs do not have to allege actual, real world, harm to survive a motion to dismiss in cases filed under the Illinois Biometric Information Privacy Act (“BIPA”), thereby opening the floodgates for suits often based on purely procedural violations of BIPA.
Editor’s note: In the case here, a mother sued on behalf of her 14 year-old son who was fingerprinted to identify him as a season pass holder at a Six Flags Great America amusement park. Six Flags provided no disclosure about the use, storage and purpose of the biometric data. Nor did Six Flags obtain a release from the boy or his legal representative (the boy was on a school outing). Brought on behalf of the boy and others, the class action was brought under the Act, which, as the Supreme Court said, “provides that any person “aggrieved” by a violation of the Act’s provisions “shall have a right of action *** against an offending party” and “may recover for each violation” the greater of liquidated damages or actual damages, reasonable attorney fees and costs, and any other relief, including an injunction, that the court deems appropriate.”
The resurgence of litigation under BIPA is ramping up pressure on employers who rely on biometric technology in the workplace. The question of who qualifies as an “aggrieved” person allowed to sue under BIPA may be settled — but many issues remain unresolved. As such, notwithstanding Rosenbach, defendants are still left with numerous tactical opportunities to defeat or limit potential damages in BIPA cases.
Employers must obtain consent
Under BIPA, employers that capture individuals biometric information, such as fingerprints, hand scans, face geometry, or retina scans, are required to obtain written consent and provide written and public disclosures about use, storage and destruction of that data. BIPA covers the collection of biometric information regardless of how it is captured, converted, stored, or shared, and therefore potentially covers a broad spectrum of employee timekeeping technology. Because BIPA’s coverage is broad in scope, it quickly became a trap for unwary employers who utilize biometric based timekeeping technology to improve accuracy and convenience in employee timekeeping practices and security at their facilities. The employee BIPA class actions test the viability of employers’ widespread use of biometric data gathering practices. But the plaintiff friendly ruling in Rosenbach aside, defendant employers are not without defenses.
Clock in, clock out liability
Defendants found in violation of BIPA face liability of liquidated damages in the amount of $1,000 for each negligent violation, or $5,000 for each reckless violation. Whether each separate “clock in” and “clock out” would count as a separate BIPA violation remains an unresolved issue and portends a significant battle in these lawsuits. The number of claims would be drastically impacted based on whether the violation is deemed to have occurred only once at the initial collection of biometric information – or again each time the employee “swiped” to “clock in” or “clock out.”
BIPA provides every Illinois employee with a right to sue their employer who fails to comply with the statute’s requirements – to date, the only biometric privacy statute in the nation to do so. Thus far, most claims have been filed as class actions in Illinois state courts, but may also be filed in federal court as a supplemental claim or removed by defendants if appropriate.
Targeted defendants are not limited to Illinois employers. Nationwide employers are also targets of these lawsuits because at least so far, an employer’s operations only have to “touch” Illinois to be covered by BIPA. As such, employers have been sued even though their operations are based in, for example, New York or California. But damages in these instances may be narrowed if the number of employees actually present in Illinois is minimal.
Potential employer options
Notwithstanding the ruling in Rosenbach, defense attorneys are preparing for new battles on the BIPA front. A preliminary consideration will be to explore the possibility of any arbitration agreement and class action waivers, which would significantly undercut the value of these lawsuits and potentially lead to quick, inexpensive, and possibly individual resolutions.
Defendants may also consider whether removal to federal court is an option, which could provide a more favorable venue as the case proceeds.
If in federal court, defendants may continue pressing the argument that the U.S. Supreme Court’s holding in Spokeo v. Robins nonetheless requires such plaintiffs to allege an actual injury to have standing. In Spokeo, the Supreme Court held that a plaintiff does not automatically satisfy the injury-in-fact requirement whenever a law grants a person a statutory right — Article III standing requires a concrete injury even in the context of a statutory violation. Although Illinois law requires an injury-in-fact, standing is not jurisdictional but rather an affirmative defense that is the defendant’s burden to plead and prove. As a result, Illinois courts generally are not as receptive to standing arguments as federal courts. Ultimately, state and federal courts may diverge in their assessment of BIPA cases based on the issue of standing.
The applicable statute of limitations is yet another significant and unsettled issue post Rosenbach. Whether the one year statute for privacy claims applies or the five year catch-all may apply will have vast implications in this area. Critically, the limitation period will determine the temporal scope of a putative class and therefore the extent of potential liability.
Defendants will also seek to establish that plaintiff-employee consented to the collection and/or disclosure of their biometric information through various electronic or paper policy and handbook acknowledgments. Some have also argued that a written consent to use biometric technology or to waive a right to privacy in the workplace should defeat a BIPA claim, but thus far courts have not ruled on this issue.
BIPA also allows for a few specific exemptions. For example, an Illinois employer who can show that compliance with the X-Ray Retention Act or the federal Health Insurance Portability and Accountability Act of 1996 and their rules would conflict with BIPA may avoid liability.
What employers should do
Given this landscape, employers should be taking proactive steps to limit and avoid liability, including updating their employment policies and providing BIPA compliant notifications to all employees as part of the onboarding process, or by obtaining electronic or written acknowledgments of such policies from current employees. Employers should:
- Inform an employee in writing that their biometric identifiers and biometric information will be collected;
- Inform employees of the applicable time span and specific purpose for collecting, storing, and using the employee’s biometric identifier or biometric information;
- Obtain a written release from the employee.