Illinois Biometric Law Keeping the Courts Busy

The Biometric Information Privacy Act, which the Illinois legislature passed in 2008, has led to a barrage of class action lawsuits in the past six months. Thought to be the nation’s most stringent law protecting biometric identifiers—which include fingerprints, iris or face scans, and voice identification—BIPA has spurred about 30 such suits in Cook County alone.

Filed against employers such as gas stations, restaurants, and retail outlets, and mostly stemming from employer time clocks that use fingerprint identification, the cases allege that businesses did not obtain proper informed consent from their employees, or did not maintain or inform employees about the company’s use, storage and destruction of biometric data, as required by the law. Some of the cases also claim the employer improperly shared the biometric data with time clock vendors, and some go so far as to name these third parties as defendants.

These local cases follow on the heels of five class-action lawsuits that were filed in 2015, four against Facebook and one against Shutterfly, which allege that these social media companies used facial recognition software without asking for consent or following the procedural requirements under BIPA. The law allows an “aggrieved” person to recover $1,000 for each negligent violation and $5,000 for each intentional or reckless violation.

These earlier suits underscored the fact that individuals don’t necessarily even know who is capturing their biometric data—which is more valuable than passwords or even Social Security numbers, since it can’t be replaced or updated, and which can also be used by businesses for purposes like security or employer wellness programs, in addition to timekeeping.

These social media suits more generally laid the path for a private right of action under BIPA, which requires businesses to protect biometric data as they do other sensitive or confidential information, promulgate data retention and destruction policies, keep that data for no more than three years, obtain informed consent, and notify employees in the event of a data breach.

The earlier suits did not resolve questions like whether an “aggrieved” person must prove actual harm to recover damages—federal courts in northern Illinois and southern New York have dismissed BIPA suits for lack of standing when plaintiffs did not allege actual harm—as well as whether facial recognition through photography fits the definition of biometric data, and what forms of consent meet compliance.

Lastly, defendants have challenged the damages provisions on constitutional grounds, arguing that they violate due process because they are potentially disproportionate to the actual harm involved. As noted earlier in this space, the best small and midsized businesses can do for now is to become familiar with the law and work with counsel to ensure they are in compliance.