Illinois Supreme Court Confirms BIPA Floodgates Are Open
BIPA Questions to be Answered in 2019
With roughly 200 BIPA class action lawsuits filed since the fall of 2017, we finally have an answer from the Illinois Supreme Court on whether a plaintiff can proceed on a mere technical violation of the Illinois Biometric Information Privacy Act ("BIPA"), despite having suffered no actual injury. The court’s answer: a unanimous yes. This "yes" answer means we need to pull out our crystal ball and predict the BIPA issues likely to be resolved by courts this year as well as best practices to avoid getting swept up in this class action litigation wave. But first, a quick refresher on BIPA.
We issued a client alert in October 2017 after noticing a flurry of class actions filed under a law that had been on the books for close to a decade, but had never seen much litigation. The surge came as a result of companies adopting new workplace technologies that relied upon employee fingerprints, retina scans and other biometric identifiers for time clocks and access to restricted areas - technologies that were not as prevalent in workplaces in 2008 as they were in 2017. BIPA had largely been forgotten and ignored by companies implementing these technologies, which is why there was a flurry of "gotcha" class action lawsuits filed in the fall of 2017.
The incentive to pursue a class claim under BIPA comes from its damages remedy. Plaintiffs can recover statutory damages of $1,000 for each negligent violation and $5,000 for intentional or reckless violations, plus attorneys’ fees and other relief deemed appropriate by the court. BIPA awards the $1,000 or $5,000 statutory damages penalty on an individual basis, though, meaning an employer with as few as 100 employees could sustain a verdict in excess of $500,000, and an employer with 10,000 employees could experience a verdict in the realm of $50 million.
At its core, BIPA prohibits private entities from collecting, storing, or using biometric information, unless the entity adopts written policies, issues written notice, obtains individual written consent, and takes specific precautions to protect the information. See 740 ILCS 14/1 et seq. The law also requires certain disclosures if biometric information is shared with a third party. 740 ILCS § 14/15(d).
The Rosenbach v. Six Flags Case in the Illinois Supreme Court
With all of the new BIPA lawsuits working their way through the court system, one common question arose in virtually every case: can an employee pursue a claim under BIPA based merely on the failure to receive the requisite notice and consent document, even if the employee suffered no actual damages as a result of this violation? Rosenbach raised this exact question in the context of an amusement park that required season ticket holders to provide a fingerprint in order to gain access to the park. The plaintiff in that case, a minor child represented by his mother, was not provided the notice and consent document required by BIPA, but suffered no actual injury as a result of this violation. The plaintiff brought the action on behalf of a large class of park customers and sought the maximum in damages per affected customer.
On review of the case, the Illinois Supreme Court held that “an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an ‘aggrieved’ person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act.” In other words, once a business violates the statutory requirements, the claim accrues and any affected person can seek relief in court.
The Rosenbach v. Six Flags Fallout and BIPA Questions For 2019
In the first two weeks after the Six Flags decision, another wave of BIPA lawsuits was filed in Illinois courts. This is in addition to the roughly 200 lawsuits already on file and now ready to proceed after the Illinois Supreme Court's Rosenbach decision. The next wave differs from the original wave in one important way: early claims predominantly alleged a complete failure to provide the notice/consent document whereas lawsuits challenging the sufficiency of the notice/consent provided are being filed at a much greater clip in 2019. This developing trend means that employers should view their BIPA notice and consent document in the same vein as their background check notice and consent. Both are subject to "gotcha" class actions that opportunistically claim a technical error in the notice/consent document makes the employer liable to the entire class for statutory damages and attorneys' fees. In order to mitigate the risk of such claims, employers utilizing biometric identifiers should have legal counsel regularly review their notice and consent document. This is especially true for the next year as the flurry of BIPA lawsuits will provide courts the opportunity to interpret and apply this "new" law to a wide-ranging variety of factual situations.
Among the issues we expect courts to resolve in the coming year are:
- Shedding light on exactly what is required factually in a notice to adequately explain the purpose for collecting the information, the method for collecting and storing the information and the length of time it will be stored and/or used.
- If a vendor sells a fingerprint time clock system to an employer where the information derived from biometric identifiers is stored at the vendor's place of business (not in the actual time clock or at the employer's workplace), does this constitute a transfer of biometric information to a third party and trigger BIPA's provisions regarding the same?
- Most of the biometric-based technology in the marketplace does not store an actual fingerprint or retina scan, but, instead, creates a mathematical equation or other numerical value that is associated with the scanned biometric identifier. Yet, BIPA distinguishes between a Biometric Identifier (the actual fingerprint or retina scan) and Biometric Information by defining "Biometric Information" to include "any information, regardless of how it is captured, converted, stored, or shared, based on an individual's biometric identifier used to identify an individual." 740 ILCS 14/10. Conservative advice has been to treat any stored information that is derived from a biometric identifier as "Biometric Information," but this question will definitely be resolved in the coming year.
- BIPA requires that biometric information must be destroyed "when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual's last interaction with the private entity, whichever occurs first." 740 ILCS 14/15(a). Conservative advice has been to include the deletion of biometric information as part of the exit checklist for departing employees and employees that are transferring to a different position where the biometric information is not required. Does BIPA grant more flexibility and time to employers?
- Is there an implied consent defense when an employee is clearly aware he/she is providing a biometric identifier in order to gain access to the facility and voluntarily provides it, even if the requisite notice and consent document was not provided?
- What level of culpability is required to warrant the $5,000 per violation willful statutory damage penalty instead of the $1,000 negligence-based penalty?
- As a privacy-based cause of action, does the 1-year statute of limitations for such claims govern BIPA lawsuits or does the exposure go back multiple years?
- Even if BIPA does not require actual damages to pursue a violation, does the Article III standing requirement for federal courts and its state law equivalent bar BIPA claims when the plaintiff suffered no actual damages?
Stay tuned. It's going to be an interesting year as we get answers to these and other BIPA related questions.
Recommendations and Practice Insights
Regardless of how these issues resolve in the courts, we continue to recommend the following proactive measures to mitigate the risk of a BIPA claim:
- Determine whether your company is collecting, storing, or using individual biometric data for any purpose.
- If the answer is yes, make sure your company has issued the required notice and received signed releases/consents from all affected individuals. Also make sure that you have in place a publicly available written policy to cover the collection, storage, use and destruction of the data.
- Ensure any collected data is not being sold or disclosed to third parties, outside of the limited exceptions permitted by the BIPA.
- Evaluate your data privacy protocols and processes for protecting individual biometric data. If a vendor has access to the individual biometric data, make sure the vendor has sufficient data privacy protocols and processes in place.
- Make sure your data breach policies recognize that individual biometric data is considered personal information under Illinois laws addressing data breach notification requirements.
- If you already have a notice and consent form in place, have legal counsel review the documents and update them as we get more clarity in 2019 on what BIPA requires.
For more information on other states considering similar laws governing biometric information, see the Health Information Technology, Privacy & Security Data Privacy Group's related client alert.
For more information on BIPA specific issues, please contact your local Quarles & Brady attorney or: