June 3, 2023

Volume XIII, Number 154


June 02, 2023

Subscribe to Latest Legal News and Analysis

June 01, 2023

Subscribe to Latest Legal News and Analysis

May 31, 2023

Subscribe to Latest Legal News and Analysis

Employers Take Heed: Follow Illinois Biometric Privacy Rules or Risk a Losing Battle

Employers in Illinois who collect, use, or retain their employees’ biometric data—personal information such as fingerprints or facial or voice recognition—need to be aware of a recent legal development.

As we have explained before, Illinois was the first state to enact a law restricting the collection and storage of biometrics, and it remains the frontline for advancement of jurisprudence on the subject. The Illinois Biometric Information Privacy Act (BIPA) requires entities, including employers, that collect biometric data to follow a number of protocols, including maintaining a written policy about the collection and storage of biometric data, providing owners of biometric information (in this case employees) with written notice of such practices, and obtaining informed consent from individuals subject to biometric data collection. Since its enactment in 2008, BIPA has given rise to a lot of litigation, including many employment class action suits.

The Illinois Supreme Court’s Interpretation of BIPA Favors Plaintiffs

One such class action was the subject of an important decision issued on February 3, 2022, by the Illinois Supreme Court. In McDonald v. Symphony Bronzeville Park LLC, et al. (2022 IL 126511), the state’s highest court issued a unanimous opinion that effectively eliminated an entire defense in BIPA lawsuits. The lawsuit was a putative class action brought by an employee against her health care facility employer. As part of its security and timekeeping systems, the employer scanned employee fingerprints. In an amended complaint, the employee alleged that she was never provided the opportunity to give informed, written consent to the storage of her biometric data. This amendment is significant because the original complaint included allegations of mental anguish, as noted in a brief concurring opinion penned by Justice Michael J. Burke. Those alleged workplace injuries would have precluded the employee from her action under BIPA, pursuant to the Illinois Workers’ Compensation Act’s (IWCA) exclusive remedy provision. Whether IWCA’s exclusive remedy provision provided the employer with a defense by precluding the employee from seeking only statutory damages under BIPA was the question before the Illinois Supreme Court. The court said no, yet it remains an open question if the IWCA would bar claims for damages that were non-statutory, i.e., those for emotional distress.

What Does This Mean for Employers?

McDonald is further evidence of the court’s position that BIPA should be liberally construed, as was made clear in a prior case, Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186. In that case, the Illinois Supreme Court also unanimously held that plaintiffs do not need to suffer an actual injury beyond a violation of rights provided for by BIPA in order to state a claim under that statute. With Rosenbach, the Illinois Supreme Court established its position that a technical violation of BIPA creates a “real and significant injury” in and of itself.

BIPA is one of only a few laws nationwide that afford a private right of action to the owners of biometric data. This in itself constitutes a risk for businesses that use biometric technology for any purpose. Lawsuits can come from aggrieved individuals as well in the form of collective classes that allege violations of BIPA, even if those purported violations caused no actual harm to the plaintiffs, and even if the plaintiffs are not just employees, but customers, visitors, or anyone else from whom any biometric data is collected. The Illinois Supreme Court has been consistent in construing BIPA liberally, and the McDonald decision, which provides a roadmap for plaintiffs seeking statutory damages, further cements BIPA as a potential minefield for employers that fail to heed its requirements.

The best litigation strategy is to avoid litigation in the first place through compliance. Violations of BIPA can be very costly, with statutory damages of at least $1,000 per violation ($5,000 if the violations are deemed intentional or reckless), plus attorneys’ fees and costs. BIPA is an attractive vehicle for the Illinois plaintiffs’ bar and, as such, a substantial risk for businesses.

The Risk Isn’t Limited to Illinois Businesses

While it is obvious that BIPA presents a significant challenge to employers doing business in Illinois, it is important to note that biometric privacy laws have been enacted elsewhere, including Texas, Washington State, and New York City. Other states or localities are likely to follow suit, and developments in Illinois set the trend. Thus, what applies to employers in the Land of Lincoln today may well be widely applicable within the next few years.

What Illinois Employers (and Others) Should Do Right Now

  • Assess: Review all company practices surrounding the collection, usage, storage, or transmission of any biometric information covered by BIPA or other state and local laws like it. This might be as seemingly benign as issuing employees devices, such as smartphones with built-in thumbprint or facial recognition technology, or providing time clocks or security measures with those features.

  • Write: Be sure that your company has clear written policies that address the procedures for collection, storage, use, transmission, and destruction of biometric data, including specific timeframes.

  • Communicate: Be sure to notify all individuals—employee or otherwise—about your biometric data policy, including information about how such data will be secured to protect individual privacy interests.

  • Obtain Consent: BIPA and certain other laws require that individuals whose biometric data may be collected, stored, or used in any way provide informed consent to such collection, storage, and usage. Be sure to inform those individuals and to get their consent in a format that can be stored and, if necessary, produced as evidence of compliance with BIPA in the event of litigation.

  • Consult: Counsel is available to assist with risk assessment, policy development, and training to ensure compliance with this important law.

©2023 Epstein Becker & Green, P.C. All rights reserved.National Law Review, Volume XII, Number 47

About this Author

Adam S. Forman, Epstein Becker Green, Workforce Management Lawyer, Chicago, Detroit, Social Media Issues Attorney

ADAM S. FORMAN is a Member of the Firm in the Employment, Labor, and Workforce Management practice, based in Chicago and Detroit (Metro). As noted in the 2015 edition of Chambers USA, Mr. Forman “is a renowned expert in social media issues relating to the workplace” and also “focuses on litigation, training and preventive advice on the employment side.” A frequent writer and national lecturer on issues related to technology in the workplace, such as social media, Internet, and privacy issues facing employers, Mr. Forman is often interviewed by...

Nathaniel M. Glasser, Epstein Becker, Labor, Employment Attorney, Publishing

NATHANIEL M. GLASSER is a Member of the Firm in the Labor and Employment practice, in the Washington, DC, office of Epstein Becker Green. His practice focuses on the representation of leading companies and firms, including publishing and media companies, financial services institutions, and law firms, in all areas of labor and employment relations.

Mr. Glasser’s experience includes:

  • Defending clients in employment litigation, from single-plaintiff to class action disputes,...

Matthew Savage Aibel, Epstein Becker Green, Trade Secrets Attorney, Breach of Non-Compete Agreements Lawyer

MATTHEW SAVAGE AIBEL is an Associate in the Litigation and Employment, Labor & Workforce Management practices, in the New York office of Epstein Becker Green.

Mr. Aibel:

  • Assists in the representation of clients in complex commercial litigation, business disputes, and breach-of-contract matters

  • Provides assistance with litigation matters involving the breach of non-competition and non-solicitation agreements, the misappropriation of trade secrets, and...