By: Laura S. Platt, Daley Mohan Groble. P.C.
If you ever have found yourself asking Apple’s Siri for directions, adding a Snapchat filter to your photo, or using your fingerprint to unlock your smart phone or clock into work, then you have interfaced with biometric technology. Biometric technology captures, records, and stores the private physiological information of its users, such as finger and voice prints, and facial patterns. Biometric technology at home and in the workplace paved the way for important efficiencies in business facility and information security and employee timekeeping, attendance, and payroll systems. These systems rely on biometric technology and data to identify authorized users and employees before granting them access to secure facilities and protected business information, and before allowing them to clock in and out for the day.
However, the increased use of biometric data has sparked a flurry of recent class action litigation across Illinois, and has raised significant privacy concerns for employers who use that data.
The Illinois Biometric Information Privacy Act
In 2008, the Illinois General Assembly passed the Biometric Information Privacy Act (“BIPA”) (740 ILCS 14/1), the first statute of its kind in the country. BIPA prohibits private entities from collecting and storing “biometric identifiers” without prior notification and written consent. BIPA defines “biometric identifiers” as a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry, and it applies to any biometric information regardless of how it is captured, converted, stored or shared.
As a precondition of obtaining the biometric information, entities must: (1) make their data retention policy publicly available; (2) notify subjects in writing what biometric information is being collected, how the information is being stored and for how long, the use of the information, and how the information will be destroyed; (3) refrain from selling biometric information to third parties; and (4) handle the biometric information with reasonable care.
The Act provides for liquidated damages of $1,000 or actual damages (whichever is greater) per “negligent” violation of the Act, and liquidated damages of $5,000 or actual damages (whichever is greater) for every “intentional” or “reckless” violation. In addition, a prevailing plaintiff may recover reasonable attorneys’ fees and litigation costs, including expert witness fees.
BIPA provides a private cause of action for a “person aggrieved” by any private entity that violates any of its provisions. To that point, one recent bright spot in the interpretation of liability under BIPA is the Second District Appellate Court’s decision in Rosenbach v. Six Flags Entertainment Corp., 2017 Ill. App (2d) 170317. Rosenbach is a putative class action case in which Stacy Rosenbach claimed Six Flags violated BIPA when her son was fingerprinted (as part of purchasing a season pass) without written consent or a document disclosing the theme park’s plan to collect, use, store, and destroy his biometric identifiers. Rosenbach claimed she was entitled to statutory liquidated damages even though she did not allege actual damages, because she would not have allowed her son to purchase a season pass if she had known that Six Flags intended to violate the BIPA. The Second District, however, held that in order to be a “person aggrieved” under BIPA, a plaintiff must allege actual damages – a mere technical violation of BIPA will not suffice to support a claim for statutory damages or injunctive relief.
It remains to be seen what impact this decision will have on the pending BIPA lawsuits. At the very least, this recent decision likely will result in a slowdown of BIPA class action lawsuits.
Real-World Implications for Employers
BIPA has proven to be problematic for businesses, including such juggernauts as Facebook, Hyatt Corporation, and Bob Evans. Each company is facing class action litigation for alleged violations of BIPA.
The Facebook lawsuit involves the tech company’s facial recognition technology, which analyzes photos uploaded by users in order to capture and measure facial features. The application uses this analysis to recognize unique facial biometric identifiers in newly uploaded pictures to recommend photo tags. In seeking statutory damages, the plaintiff class claims that Facebook violated BIPA by analyzing, collecting and storing facial pattern information without first obtaining the plaintiffs’ written consent.
The Hyatt Corporation and Bob Evans class action lawsuits involve the collection and storage of employee fingerprint data. The plaintiff class in each of those lawsuits claims that the company failed to obtain written consent prior to collecting fingerprint data, and failed to disclose how the information would be stored, used, and destroyed. The proposed class in the Bob Evans case alleges that the restaurant chain collected and used fingerprints for a point-of-sale system, while the class in the Hyatt case alleges that the hotel chain used employee fingerprints for a biometric time clock – an increasingly common way for employers to efficiently manage their labor force, eliminate “buddy punching”, and reduce payroll expenses. As of February 2018, more than 50 BIPA lawsuits have targeted employers in Illinois who use biometric time keeping systems.
While it remains to be seen whether the class plaintiffs in the Facebook, Hyatt, and Bob Evans cases will be successful, the very existence of the lawsuits shows the tricky landscape companies and employers have to navigate in collecting and using biometric data.
Tips for Employers.
The recent flurry of BIPA litigation has focused primarily on companies’ failure to: (1) obtain the consent from employees and/or users prior to collecting biometric information, (2) provide a written policy or disclosure detailing how collected biometric data will be stored and used, and (3) identify to biometric data disposal process to be used at the conclusion of the employer-employee relationship. Accordingly, there are a number of recommended precautions employers should take to avoid potential litigation:
- Ensure compliance with the BIPA by reviewing and updating all employer policies, notifications and disclosures regarding the collection, uses, storage and disposal of biometric information of both applicants-for-hire, independent contractors, and employees.
- Obtain a signed release from all applicants-for-hire, independent contractors, and employees, notifying them of the employer’s collection, storage, use and disposal of biometric identifiers, the reason for such use, and the duration of use.
- Update all employee personnel files with their written consent to the employer’s biometric policy.
- Ensure independent contractors, such as security firms and staffing agencies, comply with BIPA regulations in their collection, access, storage, and disposal of biometric on behalf of the employer.
Please contact Daley Mohan Groble with any questions about BIPA and tips for compliance.