Technology has become ubiquitous in the workplace including as an integral part of business security systems. Because of technological progress, companies increasingly use biometric information for multiple purposes. Biometrics are biological markers that make each of us unique and distinguishable from one another, the most common being the finger print. Their uniqueness makes them ideal for identification systems, but they are also easily copied and used for improper purposes, such as in identity theft. Worse, once breached and distributed, they cannot be replaced or changed, like a social security number can, as they are exclusively ours for our entire life.
It is now common for security systems to rely, in part, on biometric technology to authenticate authorized users, or employees, before granting them access to company facilities, computer systems and protected business information. At least in Illinois, because of legislation, the use of biometric technology has exposed companies to substantial liability risks, and the situation intensified recently as a result of the Illinois Supreme Court’s decision in Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186. In Rosenbach, the court severely restricted previously successful defenses to biometric privacy claims, and the opinion has led to a wave of class action lawsuits against companies in all sorts of businesses and industries.
BIPA Basics
If you have ever found yourself asking Apple’s Siri for driving directions, using your fingerprint to unlock your smart phone, or adding a Snapchat filter to your photo, then you have interfaced with biometric technology. Biometric technology captures, records, and stores the private physiological information of its users, such as finger and voice prints, and facial patterns. The increased use of biometric data in the workplace and in business, and the need to protect such data from disclosure, caught the attention of legislators in Illinois.
In 2008, the Illinois General Assembly passed the Biometric Information Privacy Act (“BIPA”). The statute is codified at 740 ILCS 14/1 et seq. BIPA prohibits private entities from collecting and storing “biometric identifiers” without prior notification and written consent. BIPA defines “biometric identifiers” as a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. The Act’s provisions apply to any biometric information regardless of how it is captured, converted, stored or shared.
As a precondition of obtaining the biometric information, any private entity collecting the information must: (1) make their data retention policy publicly available; (2) notify individuals in writing what biometric information is being collected, how the information is being stored and for how long, the use of such information, and how the information will be destroyed; (3) refrain from selling biometric information to third parties; and (4) handle the biometric information with reasonable care. The Act provides that the biometric data must be destroyed when the initial purpose for collecting or obtaining such information has been satisfied, or within three years of the individual’s last interaction with the private entity, whichever occurs first.
BIPA provides for a private cause of action against any private entity that violates any of its provisions. The Act provides for liquidated damages of $1,000 or actual damages (whichever is greater) per “negligent” violation of the Act, and the greater of $5,000 or actual damages per “intentional” or “reckless” violation of the Act. Courts have yet to determine whether the liquidated damages will be awarded on a per person violation or on a per person per day violation basis. In addition, a prevailing plaintiff is entitled to reasonable attorney’s fees and costs, including expert witness fees.
Illinois remains the only state in the nation that allows for a private cause of action for violation of a biometric privacy law. Since 2017, over 200 BIPA violation cases have been filed in Cook County alone. Most of those cases were filed as class actions, and most sought purely liquidated damages. The extent of this private right of action is a matter of dispute, the resolution of which required cases to make their way up through the appellate process. One of the arguments defendants have successfully raised is that a plaintiff must suffer actual damage in order to bring a claim for a statutory violation. In a key turning point, however, the Illinois Supreme Court has now rejected that defense.
Rosenbach v. Six Flags
In Rosenbach, the Supreme Court resolved conflicting decisions of the First and Second appellate districts, and held that “an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an ‘aggrieved’ person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act.”
In other words, the biometric data need not have been stolen, hacked or otherwise misappropriated or misused for there to be a valid cause of action under BIPA. All that is needed is an alleged violation of the provisions of BIPA. The Court unanimously found that to impose the burden of an actual injury beyond the violation of the Act would be both inconsistent with the statutory language and contrary to clear legislative intent, and would frustrate the purpose of the Act.
Since the January 25, 2019 decision in Rosenbach, more than 50 additional lawsuits have been filed in Cook County for violation of BIPA, nearly all of them as class actions on behalf of persons whose biometric information was collected by their employer. The cases allege failure to obtain consent for collecting biometric information, insufficient disclosure of retention and destruction policies and/or failure to destroy the biometric information once an employee has left the employer.
In the face of the uptick of BIPA lawsuits, companies would be wise to review their current biometric data policies, including the written consent they obtain prior to collection, and their written disclosure and information destruction policies. Companies should include in this review a consideration of third-party vendors who have access to this information and whether they are in compliance with the provisions of BIPA.