Illinois enacted its Biometric Information Privacy Act (“BIPA”) in 2008 to regulate, among other things, employer collection and use of employee biometric information. Biometrics is defined as the measurement and analysis of physical and behavioral characteristics. This analysis produces biometric identifiers that include things like fingerprints, iris or face scans, and voiceprints, all of which can be used in a variety of ways, including for security, timekeeping, and employer wellness programs.
Illinois is not the only state with a biometrics privacy law on its books; however, its version is considered the nation’s most stringent. BIPA requires a business that collects and uses biometric data to protect the data in the same manner it protects other sensitive or confidential information; to establish data retention and destruction procedures, including temporal limitations of three years; to publish policies outlining its biometric data collection and use procedures; and to obtain prior, informed consent from any individuals from whom it plans to obtain and use biometric data. The statute also requires businesses to notify employees in the event of a data breach.
Protection of biometric data is viewed as critical because, unlike passwords composed of letters, numbers, or typographical characters, biometric data is unique and cannot be replaced or updated in the event of a breach. Technology now allows biometric data to be captured surreptitiously, such as by recording a voice over the phone or face mapping individuals in a crowd or through photographs, increasing the risk of its theft or of its unauthorized, or at least unknown, use. In fact, these more furtive methods of collecting and using biometric data are what led to the filing of five BIPA class action lawsuits in 2015 – four against Facebook, and one against online photo website Shutterfly – that alleged these companies used facial recognition software to analyze online posts, but did not comply with BIPA’s consent or other procedural requirements. These first lawsuits brought attention to the private right of action authorized under BIPA, which provides that any “aggrieved” person may sue and recover $1,000 for each negligent violation and $5,000 for each intentional or reckless violation, or, in both circumstances, actual damages if greater than the statutory damages. Prevailing parties may also recover their attorneys’ fees and costs.
The plaintiffs’ employment bar recently has gotten seriously into the BIPA class action game; since August 2017, approximately 30 lawsuits have been filed in Cook County, Illinois (where Chicago is), alone. These putative class actions have been filed against employers in many industries including gas stations, restaurants, and retail, and typically involve the employer’s use of fingerprint-operated time clocks. The cases allege that the defendant employers failed to obtain proper informed consent or failed to maintain and inform employees about policies on the company’s use, storage, and destruction of biometric data. Many of these lawsuits also allege the employer companies have improperly shared employee biometric data with third-party time clock vendors, and some even name the vendor as a defendant.
In addition to the obvious cost of class action litigation, these suits present additional legal challenges because many aspects of BIPA remain untested. For example, the statutory term “aggrieved” person leaves open the question whether a plaintiff must be able to prove actual harm in order to recover. The U.S. District Court for the Northern District of Illinois and U.S. District Court for the Southern District of New York both have dismissed BIPA suits for lack of standing where the plaintiffs did not allege actual harm. The latter case, Santana v. Take-Two Interactive Software, is currently before the United States Court of Appeals for the Second Circuit, which heard oral argument in October 2017, but has not yet issued its ruling. Other aspects of BIPA also remain in flux – such as whether facial recognition through photography is biometric data, as defined under the statute, and what forms of consent are compliant. On the other side, defendants are challenging the constitutionality of the damages provisions, arguing that damages potentially disproportionate to any actual harm violate due process. As these issues are fleshed out under BIPA, they are certain to affect other states that have already enacted, or may seek to enact, laws regarding use of biometric data.