Illinois employers who collect, use, or retain employee biometrics (personal information such as fingerprints or facial or voice recognition) should be aware of a recent legal development.
As we previously explained, Illinois was the first state to enact legislation restricting the collection and storage of biometric data, and it remains the frontline for advancing case law on the subject. The Illinois Biometric Information Privacy Act (BIPA) requires entities, including employers, that collect biometric data to follow a number of protocols, including maintaining a written policy on the collection and storing biometric data, providing owners of biometric information (in this case, employees) with written notice of such practices, and obtaining informed consent from individuals subject to biometric data collection. Since its enactment in 2008, BIPA has given rise to numerous litigations, including numerous employment class action suits.
Illinois Supreme Court’s interpretation of BIPA favors plaintiffs
One of these class actions was the subject of an important decision rendered on February 3, 2022 by the Supreme Court of Illinois. In McDonald v. Symphony Bronzeville Park LLC, et al. (2022 IL 126511), the state’s highest court issued a unanimous opinion that effectively eliminated an entire defense in BIPA’s suit. The lawsuit was a putative class action lawsuit brought by an employee against her employer at a health care facility. As part of its security and timing systems, the employer scanned employees’ fingerprints. In an amended complaint, the employee alleged that she was never given the opportunity to give informed, written consent to the storage of her biometric data. This amendment is significant because the original complaint included allegations of mental anguish, as noted in a brief concurring opinion written by Judge Michael J. Burke. These alleged employment injuries would have barred the employee from pursuing her action under BIPA, pursuant to the exclusive remedy provision of the Illinois Workers’ Compensation Act (IWCA). The issue before the Illinois Supreme Court was whether the IWCA’s exclusive remedy provision provided the employer with a defense by preventing the employee from seeking only statutory damages under BIPA. The court said no, but the question remains open whether the IWCA would bar claims for non-statutory damages, i.e. those for emotional distress.
What does this mean for employers?
mcdonalds is further evidence of the court’s position that the BIPA should be interpreted liberally, as has been made clear in an earlier case, Rosenbach vs. Six Flags Entertainment Corp., 2019 IL 123186. In this case, the Illinois Supreme Court also unanimously ruled that plaintiffs need not suffer actual harm beyond a violation of BIPA rights to make a claim under this law. With Rosenbachthe Illinois Supreme Court established its position that a technical violation of BIPA creates “real and substantial harm” in and of itself.
BIPA is one of the few national laws to grant a private right of action to owners of biometric data. This in itself poses a risk to companies that use biometric technology for any purpose. Lawsuits may also come from aggrieved individuals in the form of collective classes alleging violations of BIPA, even if those alleged violations have caused no actual harm to the plaintiffs, and even if the plaintiffs are not just employees, but customers, visitors or anyone. another from whom biometric data is collected. The Illinois Supreme Court has been consistent in the liberal interpretation of the BIPA, and the mcdonalds The decision, which provides a roadmap for plaintiffs seeking statutory damages, further cements BIPA as a potential minefield for employers who fail to meet its requirements.
The best litigation strategy is to avoid litigation in the first place through compliance. Violations of BIPA can be very costly, with statutory damages of at least $1,000 per violation ($5,000 if the violations are found to be intentional or reckless), plus attorneys’ fees and costs. BIPA is an attractive vehicle for the Illinois plaintiffs’ bar and as such a substantial risk to business.
The risk is not limited to Illinois businesses
While it is apparent that BIPA presents a significant challenge for employers doing business in Illinois, it is important to note that biometric privacy laws have been enacted elsewhere, including in Texas, the state from Washington and New York. Other states or localities are likely to follow suit, and developments in Illinois have set the trend. So what applies to employers in the Land of Lincoln today may well be broadly applicable in years to come.
What Illinois Employers (and Others) Should Do Now
Assess: Review all company practices regarding the collection, use, storage or transmission of any biometric information covered by BIPA or other similar state and local laws. It might seem as benign as providing employees with devices, such as smartphones with built-in fingerprint or facial recognition technology, or providing time clocks or security measures with these features.
Write: Make sure your company has clear written policies that address procedures for collecting, storing, using, transmitting, and destroying biometric data, including specific timelines.
Communicate: Be sure to inform all persons (employees or otherwise) of your biometric data policy, including information on how such data will be secured to protect individual privacy interests.
Obtain consent: BIPA and certain other laws require individuals whose biometric data may be collected, stored or otherwise used to provide informed consent to such collection, storage and use. Be sure to notify these individuals and obtain their consent in a format that can be stored and, where appropriate, produced as evidence of compliance with BIPA in the event of a dispute.
To consult: A lawyer is available to assist with risk assessments, policy development and training to ensure compliance with this important law.
©2022 Epstein Becker & Green, PC All rights reserved.National Law Review, Volume XII, Number 47