Illinois Biometric Privacy Suit over Employee Fingerprinting Remanded for Lack of Standing
An Illinois district court remanded to state court for lack of standing a biometric privacy suit brought by employees over the collection and storage of individuals’ fingerprints allegedly in violation of the Illinois Biometric Information Privacy Act, 740 ILCS 14/1 (“BIPA”). (Aguilar v. Rexnord, LLC, No. 17 CV 9019 (N.D. Ill. July 3, 2018)). This decision echoes other recent rulings where federal courts have found a lack of Article III standing in disputes where employees claimed procedural violations of BIPA over the knowing collection of fingerprints for timekeeping purposes, absent any claims of wrongful sharing or disclosure. See e.g., Howe v. Speedway LLC, No. 17-07303 (N.D. Ill. May 31, 2018) (even if failing to provide certain disclosures and obtain his written authorization prior to collecting and storing plaintiff’s fingerprints may constitute a violation of BIPA, such procedural violations did not cause an injury in fact where the employee was aware of the nature and purpose of collection); Goings v. UGN, Inc., No. 17-9340 (N.D. Ill. June 13, 2018) (remanding BIPA claims for lack of Article III standing because claims were too abstract and employee was aware he was providing fingerprint data to his employers and did not claim any non-consensual disclosure of such data).
In Aguilar, the plaintiff’s employer implemented a time clock system that used employees’ fingerprints to authenticate and track when they began and ended their workdays. The plaintiff claimed, among other things, that he never signed a written release allowing his employer to collect or store his fingerprint, and that his employer never outlined the specific purposes of the fingerprint collection or disclosed a data retention schedule.
In examining the plaintiff’s informational injury, the court remanded the claim to state court for a lack of standing. The court stated that under Spokeo, a litigant must have suffered “an invasion of a legally protected interest” that is “concrete and particularized” and “actual or imminent, not conjectural or hypothetical.” Thus, the court looked at whether defendant’s alleged violations of the BIPA’s notice and consent provisions created a risk of harm to the concrete interests the statute was enacted to protect.
The court reasoned that plaintiff knew his fingerprints were being collected because he scanned them each time he clocked in and out at work, and it was clear that the fingerprints were stored since they were used for authentication purposes. As such, the court found no cognizable injury:
“Here, the violations are divorced from concrete harm, including harm to Aguilar’s privacy interest in his biometric information and harm to his right to know that the information was collected, and therefore do not constitute injuries in fact.”
While the court remanded the claims in this case, it clarified that violations of the notice and consent provisions can, in certain circumstances, constitute an injury in fact without additional harm (“For instance, collecting a person’s biometric information without her knowledge or consent could violate her privacy interests and constitute an injury in fact.”) Indeed, the court in Aguilar distinguished several social media photo tagging cases where a number of courts have found the alleged collection of a person’s biometric information without her knowledge or consent was a violation of a privacy interest and an injury in fact.