Employers in Illinois who collect, use, or retain their employees’ biometric data—personal information such as fingerprints or facial or voice recognition—need to be aware of a recent legal development.
As we have explained before, Illinois was the first state to enact a law restricting the collection and storage of biometrics, and it remains the frontline for advancement of jurisprudence on the subject. The Illinois Biometric Information Privacy Act (BIPA) requires entities, including employers, that collect biometric data to follow a number of protocols, including maintaining a written policy about the collection and storage of biometric data, providing owners of biometric information (in this case employees) with written notice of such practices, and obtaining informed consent from individuals subject to biometric data collection. Since its enactment in 2008, BIPA has given rise to a lot of litigation, including many employment class action suits.
The Illinois Supreme Court’s Interpretation of BIPA Favors Plaintiffs
One such class action was the subject of an important decision issued on February 3, 2022, by the Illinois Supreme Court. In McDonald v. Symphony Bronzeville Park LLC, et al. (2022 IL 126511), the state’s highest court issued a unanimous opinion that effectively eliminated an entire defense in BIPA lawsuits. The lawsuit was a putative class action brought by an employee against her health care facility employer. As part of its security and timekeeping systems, the employer scanned employee fingerprints. In an amended complaint, the employee alleged that she was never provided the opportunity to give informed, written consent to the storage of her biometric data. This amendment is significant because the original complaint included allegations of mental anguish, as noted in a brief concurring opinion penned by Justice Michael J. Burke. Those alleged workplace injuries would have precluded the employee from her action under BIPA, pursuant to the Illinois Workers’ Compensation Act’s (IWCA) exclusive remedy provision. Whether IWCA’s exclusive remedy provision provided the employer with a defense by precluding the employee from seeking only statutory damages under BIPA was the question before the Illinois Supreme Court. The court said no, yet it remains an open question if the IWCA would bar claims for damages that were non-statutory, i.e., those for emotional distress.
What Does This Mean for Employers?
McDonald is further evidence of the court’s position that BIPA should be liberally construed, as was made clear in a prior case, Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186. In that case, the Illinois Supreme Court also unanimously held that plaintiffs do not need to suffer an actual injury beyond a violation of rights provided for by BIPA in order to state a claim under that statute. With Rosenbach, the Illinois Supreme Court established its position that a technical violation of BIPA creates a “real and significant injury” in and of itself.
BIPA is one of only a few laws nationwide that afford a private right of action to the owners of biometric data. This in itself constitutes a risk for businesses that use biometric technology for any purpose. Lawsuits can come from aggrieved individuals as well in the form of collective classes that allege violations of BIPA, even if those purported violations caused no actual harm to the plaintiffs, and even if the plaintiffs are not just employees, but customers, visitors, or anyone else from whom any biometric data is collected. The Illinois Supreme Court has been consistent in construing BIPA liberally, and the McDonald decision, which provides a roadmap for plaintiffs seeking statutory damages, further cements BIPA as a potential minefield for employers that fail to heed its requirements.
The best litigation strategy is to avoid litigation in the first place through compliance. Violations of BIPA can be very costly, with statutory damages of at least $1,000 per violation ($5,000 if the violations are deemed intentional or reckless), plus attorneys’ fees and costs. BIPA is an attractive vehicle for the Illinois plaintiffs’ bar and, as such, a substantial risk for businesses.
The Risk Isn’t Limited to Illinois Businesses
While it is obvious that BIPA presents a significant challenge to employers doing business in Illinois, it is important to note that biometric privacy laws have been enacted elsewhere, including Texas, Washington State, and New York City. Other states or localities are likely to follow suit, and developments in Illinois set the trend. Thus, what applies to employers in the Land of Lincoln today may well be widely applicable within the next few years.
What Illinois Employers (and Others) Should Do Right Now
Assess: Review all company practices surrounding the collection, usage, storage, or transmission of any biometric information covered by BIPA or other state and local laws like it. This might be as seemingly benign as issuing employees devices, such as smartphones with built-in thumbprint or facial recognition technology, or providing time clocks or security measures with those features.
Write: Be sure that your company has clear written policies that address the procedures for collection, storage, use, transmission, and destruction of biometric data, including specific timeframes.
Communicate: Be sure to notify all individuals—employee or otherwise—about your biometric data policy, including information about how such data will be secured to protect individual privacy interests.
Obtain Consent: BIPA and certain other laws require that individuals whose biometric data may be collected, stored, or used in any way provide informed consent to such collection, storage, and usage. Be sure to inform those individuals and to get their consent in a format that can be stored and, if necessary, produced as evidence of compliance with BIPA in the event of litigation.
Consult: Counsel is available to assist with risk assessment, policy development, and training to ensure compliance with this important law.