Thursday, August 24, 2017

In the past few weeks, five putative class action lawsuits have been filed under the Illinois Biometric Information Privacy Act (“BIPA”), 740 ILCS 14/1 et seq., targeting defendants in the health care, senior living, commercial baking, meat processing and security industries. These recent suits join previously filed BIPA class actions against day care operators, tanning salons, video game manufacturers, hotel groups and supermarkets as well as much larger entities, including Facebook, Google, Shutterfly, Six Flags and Snapchat. All of these suits have similar allegations at their core; that defendants utilized employees’, customers’, or other persons’ biometric identifiers, such as fingerprints, voiceprints, retina scans or facial recognition technology, in violation of BIPA’s disclosure and consent requirements. All seek recovery of BIPA’s statutory liquidated damages of $1,000 for each negligent violation, or $5,000 for each intentional or reckless violation, injunctive relief, and recovery of attorneys’ fees and costs.

BIPA Background

Until the past 18 months, when the first of these suits was filed, BIPA has been a little-known statute. Enacted in 2008, BIPA was passed to protect against risk of identity theft resulting from the growing use of biometric technology to facilitate financial transactions and security screenings. 740 ILCS 14/5.

BIPA applies to both biometric identifiers, such as fingerprints, voiceprints, retina scans, and facial geometry, and other biometric information based on those identifiers to the extent used to identify an individual. 740 ILCS 14/10. BIPA is an important measure because, unlike such things as Social Security numbers and passwords that can be changed if necessary, biometrics are biologically unique and, when compromised, leave an individual without recourse. 740 ILCS 14/5.

BIPA requires a private entity in possession of biometric identifiers or biometric information to develop a written policy, made available to the public, establishing a retention schedule and guidelines for destroying the information. 740 ILCS 14/15(a). BIPA also governs private entities which collect, capture, purchase, receive or otherwise obtain biometrics, and requires those entities to inform the subject of that fact in writing, as well as the specific purpose and length of time for which the information will be retained, and to obtain a written release executed by the subject. 740 ILCS 14/15(b). In addition, BIPA prohibits private entities from selling or disclosing biometric identifiers or biometric information. 740 ILCS 14/15(c) and (d).

As noted, failure to comply with BIPA can lead to significant consequences. Any person aggrieved by a violation of the statute may recover the greater of actual damages or statutory damages of $1,000 (for negligent violation) or $5,000 (for intentional or reckless violation). 740 ILCS 14/20. BIPA also provides for recovery of attorneys’ fees and costs. Id.

BIPA Class Actions

The Illinois General Assembly passed BIPA to reassure the public, which has been wary of using biometrics when tied to finances and other personal information. 740 ILCS 14/5. Despite the statute’s focus on financial transactions and security screenings, BIPA class action litigation is now popping up in other contexts, ranging from suits against social media and photo-sharing platforms for their facial-recognition and tagging features, to other businesses that use finger scans or other biometrics for identification purposes.

More recently, the plaintiff class action bar has set its sights on employers using employee biometrics as part of timekeeping protocol. Many employers have turned to biometrics in the past decade or so—requiring an employee to not only clock in but to also scan a finger or palm—to prevent “buddy punching,” where one employee can clock in or clock out for another who is not actually present. Biometrics are also increasingly being used to facilitate identification verification for security protocol across many applications and industries.

Notably, one common feature in BIPA cases is that a plaintiff (or class of plaintiffs) seeks relief for technical noncompliance with the statute without having suffered any actual injury or harm. Accordingly, a threshold pleading issue arising in these cases is whether a plaintiff has a viable cause of action for a bare, procedural violation, given that BIPA limits recovery to only those persons “aggrieved” by a violation of the statute. 740 ILCS 14/20. Several courts to date have dismissed BIPA claims where a plaintiff has alleged only a procedural violation, while others have declined to do so. Other potentially dispositive, but as yet unsettled issues, include whether the data from various electronic or imaging technologies commonly employed fall within BIPA’s definitions of “biometric identifier” and “biometric information”; what link, if any, is required by the statute between biometrics and an individual’s personal identifying information; whether collection and use of biometrics by third-party contractors subjects an entity on whose behalf the activities are undertaken to liability under BIPA; whether, absent actual injury, injunctive relief is the only recourse; and what constitutes acceptable disclosures and consents.

What Does BIPA Mean for Your Business?

Potential liability under BIPA’s statutory damages provisions could be catastrophic. It is therefore critical that any practices involving biometrics (including employee timekeeping, security protocols or identification procedures) be thoroughly evaluated against the far-reaching and as yet untested provisions of BIPA. In the short term then, any such practices undertaken in the State of Illinois, and the scope thereof, should be evaluated from legal compliance and potential exposure standpoints. Because BIPA provides that an entity should “first” disclose its practices and obtain consent from any individual from whom biometrics will be collected or captured, it is far from certain that after-the-fact consent from those individuals may ensure non-liability for past practices. What is certain is that the number of BIPA putative class action suits will increase.