Since its enactment a decade ago, the Illinois Biometric Information Privacy Act (BIPA) has seen a recent spike in attention from employees and consumers alike. This is due, in large part, to the technological advancements that businesses use to service consumers and keep track of employee time.

What Is The BIPA?

Intending to protect consumers, Illinois was the first state to enact a statute to regulate use of biometric information. The BIPA regulates the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information. The statute defines biometric identifiers to include a retina or iris scan, fingerprint, or scan of hand or face geometry. Furthermore, the statute defines biometric information as any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual. Any person aggrieved by a violation of the act may sue to recover actual or statutory damages or other appropriate relief. A prevailing party may also recover attorneys’ fees and costs.

Since September of 2017, there have been more than thirty-five class action BIPA lawsuits with no particular industry being targeted. More commonly sued industries include healthcare facilities, manufacturing and hospitality.

The drastic increase in litigation is largely contributable to employers’ attempt to prevent “buddy punching,” a term that references situations where employees punch in for a co-worker where biometric data is not required to clock in or out. For example, in Howe v. Speedway LLC, the class alleges that defendants violated the BIPA by implementing a finger-operated clock system without informing employees about the company’s policy of use, storage and ultimate destruction of the fingerprint data. Businesses engaging in technological innovation have also come under attack from consumers. In Morris v. Wow Bao LLC, the class alleges that Wow Bao unlawfully used customers’ facial biometrics to verify purchases at self-order kiosks.

Recent Precedent

In Rivera v. Google Inc.,the District Court for the Northern District of Illinois explained that a “biometric identifier” is a “set of biometric measurements” while “biometric information” is the “conversion of those measurements into a different, useable form.” The court reasoned that “[t]he affirmative definition of “biometric information” does important work for the Privacy Act; without it, private entities could evade (or at least arguably could evade) the Act’s restrictions by converting a person’s biometric identifier into some other piece of information, like mathematical representation or, even simpler, a unique number assigned to a person’s biometric identifier.” Thus, a company could be liable for the storage of biometric information, in any form, including an unreadable algorithm.

More recently, in Rosenbach v. Six Flagsthe Illinois Appellate Court, Second District, confirmed that the BIPA is not a strict liability statute that permits recovery for mere violation. Instead, consumers must prove actual harm to sue for a BIPA violation. The court reasoned that the BIPA provides a right of action to persons “aggrieved” by a statutory violation, and an aggrieved person is one who has suffered an actual injury, adverse action, or harm. Vague allegations of harm to privacy are insufficient. The court opined that, if the Illinois legislature intended to allow for a private cause of action for every technical violation of the BIPA, the legislature could have omitted the word “aggrieved” and stated that every violation was actionable. The court’s holding that actual harm is required is consistent with the holdings of federal district courts on this issue.

Damages and Uncertainty

Plaintiffs and their counsel are attracted to the BIPA because it provides for significant statutory damages as well as attorneys’ fees and costs. The BIPA allows plaintiffs to seek $1,000 for each negligent violation, and $5,000 for each intentional or reckless violation, plus attorneys’ fees and costs.

To date, all claims have been filed as negligence claims, and, thus, it is unclear what a plaintiff must show to establish an intentional violation. Similarly, the law is unsettled on whether the statutory damages are awarded per claim or per violation. A per violation rule would exponentially increase a defendant’s potential liability. For example, some plaintiffs are currently seeking $1,000 or $5,000 for each swipe of a fingerprint to clock in or out.

How To Protect Your Business

To avoid a costly mistake when retaining biometric data, businesses should:

  1. provide employees or consumers with a detailed written policy that includes why and how the data will be collected, stored, retained, used, and destroyed;
  2. require a signed consent before collecting the data;
  3. implement a security protocol to protect the data; and
  4. place an appropriate provision in vendor contracts (e.g., for data storage) to require vendors to adhere to the law and report any data breaches.

Consent can be obtained in different ways. For example, employers may condition employment upon an individual’s consent to a data retention policy, and companies can require consumers to accept a click-through consent before accessing a company’s website or application.

For questions or additional information, please contact Esther Slater McDonald at emcdonald@seyfarth.com or Paul Yovanic Jr. at pyovanic@seyfarth.com.

shutterstock_384992695Wearable device data may be the next big thing in the world of evidence for employment cases since social media. Given that it has already been used in personal injury and criminal cases, it is only a matter of time before wearable device data is proffered as evidence in an employment case.

From Fitbit to the Nike FuelBand to a slew of others, the worldwide wearable market has exploded in recent years. In a world increasingly obsessed with health and fitness, wearable devices offer instantaneous and up-to-the-minute data on a number of metrics that allow the user to assess his or her own health and fitness. Wearable devices can track information like heart rate, calories, general level of physical activity, steps taken, diet, blood glucose levels and even sleep patterns. Given the nature of the information captured, it is easy to see how wearable device data may be relevant to claims of disability discrimination, workers’ compensation and even harassment. Continue Reading Wearable Device Data: The Next Big Thing for Employment Litigation Cases

Over the past several years, technology has dramatically increased employee accountability in the workplace. For example, in an office environment, employees are expected to respond to emails immediately because they are either sitting in front of their computers or carrying a mobile device on which they can access their email. As for employees who work outside the office, the availability of employer-issued phones and, alternatively, the proliferation of “bring your own device” policies, has resulted in off-site employees being generally just a phone call away. In specific industries in which employees drive motor vehicles while conducting business for the employer, yet another method of accountability exists: GPS. Continue Reading Employee GPS Tracking – Is it Legal?

Today the European Court of Justice (“ECJ”) issued its Judgment in the Schrems case, and in doing so, added another tremor to the ongoing seismic shift related to cross-border privacy law. The two major elements of today’s Judgment are: 1) that Commission Decision 2000/520/EC  of 26 July 2000 of the adequacy of the protection provided by the US Safe Harbor Framework (the “Safe Harbor Decision”) is invalid, and 2) even if the Safe Harbor Decision were otherwise valid, no decision of the Commission can reduce the authority of a national data protection authority to enforce data protection rights as granted by Article 28 of Directive 95/46/EC (the “DP Directive”).

Clearly, the first element brings a more immediate concern for all the companies participating in the Safe Harbor framework. However, the second element will have much longer term consequences for the stability of US-EU commerce and privacy law. Continue Reading Safe Harbor – Not so Safe After Schrems

In any case involving a data breach of customer or employee information, the first line of defense for the defendant is to assert that the plaintiff(s) lack standing to bring suit. In Remijas v. Neiman Marcus Group, the Seventh Circuit became the first United States Court of Appeals to tackle the issue of standing in the context of data breach litigation since the Supreme Court’s pronouncement on standing in Clapper. Continue Reading 7th Circuit – Alleged Injuries Can Confer Standing In Data Breach Suit