May 29, 2020

May 29, 2020

Subscribe to Latest Legal News and Analysis

May 28, 2020

Subscribe to Latest Legal News and Analysis

May 27, 2020

Subscribe to Latest Legal News and Analysis

May 26, 2020

Subscribe to Latest Legal News and Analysis

Scan Your Practices: Illinois Supreme Court to Resolve Biometric Privacy Standard

Fingerprinting, retina scans, and voiceprints – practices once reserved for FBI agents, criminals, and Jason Bourne – are now widely used by companies of all sizes. These "biometric identifiers" are collected, often by employers, to provide for workplace efficiencies such as clocking time and ensuring secure access to sensitive locations. Or they may be used by businesses looking to track and identify customers. Whatever the case may be, collection and use of biometric identifiers are landing companies in legal hot water.

There has been a frenzy of class action lawsuits filed under the Illinois Biometric Information Privacy Act (BIPA) in recent weeks, in anticipation of a pending decision from the Illinois Supreme Court regarding the statute's scope. BIPA provides a roadmap for how to lawfully gather, store, and destroy biometric data. When companies flout these requirements, they expose themselves to legal liability.

Compliance with BIPA is not terribly difficult. A private entity must: 1) develop a written policy, available to the public, that establishes a retention schedule and guidelines for permanently destroying biometric data; 2) provide information to the subject in writing, and obtain a written release before collecting and using biometric information; 3) safely store and prevent disclosure or dissemination of the biometric data to unauthorized third parties; and 4) destroy the biometric data when there is no longer a reason for keeping it, or within three years of the individual's last interaction with the entity, whichever comes first.

The statute provides that "any person aggrieved by a violation" of these rules can bring suit. The tricky question, which the Illinois Supreme Court will soon answer, is who is a person aggrieved? Is someone aggrieved if a private entity technically violates the statute, but does not otherwise cause harm to the individual through unauthorized dissemination or disclosure of his or her biometric data? If a company forgets to obtain written authorization, but otherwise posts appropriate notices and protects the security of the data, are its employees or customers aggrieved persons?

The answer once appeared favorable to companies. In Rosenbach v. Six Flags Entertainment Corporation, the Second District Appellate Court held that "a plaintiff who alleges only a technical violation of the statute without alleging some injury or adverse effect is not an aggrieved person" under BIPA. In other words, technical violations of the statute, without any accompanying harm, did not pave the way for litigation.

At the end of 2018, however, the First District Appellate Court, in Sekura v. Krishna Schaumburg Tan, Inc., signaled a more relaxed, plaintiff-friendly standard by agreeing that an injury to a privacy right may be enough to maintain a lawsuit. Though that case also involved allegations of actual harm (unauthorized disclosure of the data to third parties), it created a fissure and undermined whatever comfort came from knowing that technical violations alone would not produce viable lawsuits. And, while the federal courts sitting in Illinois continue to dismiss these cases for lack of constitutional standing, the majority of BIPA cases are filed and remain in state court, where state precedent controls. Companies will seldom find themselves in the more favorable federal venue.

Meanwhile, the plaintiffs in Rosenbach appealed to the Illinois Supreme Court, which heard oral arguments on this issue at the end of November 2018. The central question the court will soon answer is what type of harm must be alleged in order for a plaintiff to maintain suit under BIPA: Are allegations of mere technical violations enough, or must a plaintiff allege a more particular harm? BIPA aficionados across the state are waiting with bated breath to learn the answer.

In the meantime, companies would be wise to review their biometric data notification, collection, storage, and destruction practices. In many ways, regardless of Rosenbach's outcome, companies need to be extremely vigilant in deciding whether to collect biometric data in the first place and, if so, in developing and implementing careful practices to ensure full compliance with BIPA. Even if the Illinois Supreme Court ultimately concludes that technical violations alone are not actionable, shrewd plaintiffs and their attorneys will not hesitate to articulate allegations of harm beyond mere technicalities. Now is the time to scan your practices.

© 2020 Much Shelist, P.C.


About this Author

Laura A. Elkayam Employment Lawyer Much Law Firm

Laura helps employers implement best practices to promote compliance with federal, state, and local labor and employment laws, while remaining mindful of each company’s unique business strategies and objectives.

Laura advises employers on matters pertaining to nearly every aspect of the employment relationship, including hiring, termination, leaves of absence, and wage and hour issues. She counsels clients on compliance with a variety of employment laws, including Title VII, the Americans with Disabilities Act (ADA), the Age Discrimination in Employment Act (ADEA...


Jim is a highly regarded legal advisor and litigator who taps his extensive trial and appellate experience to help clients identify potential issues, prevent costly business disruptions and minimize the impact of complex commercial disputes. Over the course of his career, Jim has counseled entrepreneurs, startups, mid-cap companies, and large, publicly traded corporations. He has represented businesses, owners, executives and directors in federal and state courts across the country, including in Arizona, California, Florida, Illinois, Indiana, Nebraska, New York, and Oklahoma.

“The best peacemakers are often those who have been in battle themselves. Having gone to the mat many times for plaintiffs and defendants, I know firsthand the risks involved with litigation. I use that knowledge to help my clients make decisions that can reduce potential exposure and achieve business objectives.”

Jim’s litigation, arbitration and settlement experience is as broad as the industries in which his clients operate. He has served as lead counsel on single-plaintiff cases involving personal-injury claims, legal and medical malpractice, negligence, partnership disputes, shareholder derivative actions, foreclosures and construction contracts, as well as large, potentially catastrophic civil and criminal matters, including alleged product liability, breach of fiduciary duty, environmental contamination, toxic torts, securities violations, misrepresentation of defects and other claims. Among other sectors, Jim has represented clients in the insurance and reinsurance, manufacturing, distribution, environmental cleanup, utilities, entertainment, medical devices, and real estate industries.

Jim’s breadth of experience is matched by the specificity and depth of his legal knowledge. He immerses himself in each matter to ensure that he has a full understanding of the business and legal issues at hand, and is committed to providing clear, meaningful counsel delivered in terms his clients understand.

In recent matters, Jim obtained a jury verdict for his client in a complex breach of contract case filed in Queens County, New York Supreme Court by a prominent mechanical contracting company that, at one time, was publicly traded on the NASDAQ stock exchange. Jim obtained crucial admissions from the CEO of the company on cross examination, which led to a successful closing argument and an ultimate verdict in his client’s favor. The case took almost two weeks to try. Jim also successfully tried to verdict an indemnity case filed in federal court by a Fortune 500 corporation in which the jury found favorably for his client, a former publicly traded company. He has secured summary judgment, declaratory judgment and dismissal with prejudice in a broad range of cases and has also prevailed at the appellate level in cases of first impression. As a legal counselor, he meets regularly with CEOs, CFOs, in-house counsel and other corporate executives to review and develop risk-management strategies and goals.

Jim serves as an adjunct professor at Chicago-Kent College of Law where he teaches “Legal Negotiation—Theory and Practice.” He also is the author of publications on topics such as discovery issues in reinsurance disputes and ISO additional insured endorsements.