Getting biometrics right: How employers can avoid stiff statutory penalties
Lawsuits are being filed daily against companies whose employees "clock in and clock out" using fingerprint scans. Almost 30 new lawsuits have been filed in Illinois since Jan. 1, 2019, thanks to a new ruling by the Illinois Supreme Court.
In Rosenbach v. Six Flags Entm't Corp., the Court held that an "aggrieved person" who has a claim under the Illinois Biometric Information Privacy Act, or "BIPA," need not state a separate, real-world harm beyond a statutory violation, throwing the door wide open to BIPA litigation. 2019 IL 123186. In other words, BIPA plaintiffs can sue their current -- or former -- employers even if they've suffered no injury at all. This decision has ramifications for companies doing business in Illinois, because it makes it easier for plaintiffs to sue and potentially recover big damages.
BIPA is the first state law concerning the growing number of businesses collecting biometric data. The statute, enacted in 2008, protects data such as "a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry." 740 ILCS 14/1 et seq.
BIPA is a magnet for plaintiffs' attorneys, because violations carry statutory penalties of between $1,000 and $5,000. The lawsuits claim that each and every time a member of the class scanned his or her fingerprint, the defendant is liable for another penalty. The numbers add up quickly. Over one year, a business with 50 employees who clock in once in the morning, clock in and out over lunch, and clock out to go home faces up to $50 million in potential damages (50 employees x 4 time clock swipes x 5 days x 50 weeks x $1,000 = $50,000,000).
The plaintiff in Rosenbach filed a class-action lawsuit against Six Flags Great America theme park on behalf of her 14-year-old son, whose fingerprint was collected when he purchased a season pass to the park, allegedly without proper notice and consent. 2017 IL App (2d) 170317. The lawsuit accused Six Flags of violating BIPA's notice and consent provisions. Six Flags moved to dismiss, arguing that plaintiff's son was not an "aggrieved" person as the statute defined it, because his fingerprint data had never been stolen or sold, and he had not alleged any tangible harm. Id.
In January, the Illinois Supreme Court held that the right to bring a lawsuit was not limited to circumstances of actual damage. 2019 IL 123186, at ¶ 25. The court did not agree that the statutory violation was merely "technical." Rather, it was "real and significant." Id. at ¶ 40. "When a private entity fails to adhere to the statutory procedures, as defendants are alleged to have done here, the right of the individual to maintain [his or] her biometric privacy vanishes into thin air." Id. at ¶ 34.
If you are an employer who does business in Illinois and uses biometric time clocks, thumbprint security scans, monitoring cameras that identify individuals by their facial geometry, or other biometric devices or systems, plaintiffs may have you in their sights. Companies that collect biometric data should immediately take steps to implement a BIPA compliance program. A good BIPA compliance program has at least three components. First, a company must operationally ensure it is following BIPA's strict requirements for the collection, storage, and destruction of biometric data. Second, a company must establish a policy disclosing the purpose of the policy. Lastly, before collecting biometric data, companies must obtain a written release that discloses the information collected, who it is shared with, how long it is stored and the purpose for the collection. With a BIPA compliance program in place and a little luck, companies may be able to avoid the onslaught of BIPA litigation.
• This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader's specific circumstances.