The Illinois Biometrics Information Privacy Act: A Flood of Class Action Litigation

Since last summer, over thirty class action lawsuits have been filed against Illinois employers alleging violations of the Illinois Biometrics Information Privacy Act (“BIPA”).  These lawsuits tend to be filed against employers using time clocks that require employees to punch in using fingerprint scans or retina scans.   The plaintiffs in these cases allege that their employer’s violated the BIPA by failing to obtain written consent from them, and for failing to publish policies regarding biometric information, as required by the law.  Large statutory penalties are at stake in these cases:  BIPA provides for damages of $1,000 for each negligent violation of the Act, and $5,000 for each willful violation.  When you consider the large number of employees who may be accessing your timekeeping systems, those numbers can add up.   Fast.

Illinois Biometrics Privacy Act - FingerprintBIPA defines “biometric information” as “any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual.”  A “biometric identifier” is defined as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”

More and more, employers in Illinois are implementing timekeeping systems that utilize biometric identifiers.   If you currently utilize a time clock that requires the use of biometric identifiers, or if you are considering one in the future, it’s critical that you take appropriate compliance measures under BIPA:

First, you must issue your employees written notice that their biometric information is being used.  The notice must specifically inform employees of the specific purpose for which their biometric information is being used.

Second, you must obtain written consent from each employee authorizing you to use biometric information in the workplace.

Third, you must develop a written policy setting forth the company’s policies for the storage, retention, and destruction of biometric information.  BIPA requires that employers must destroy biometric information when it no longer has a use for the information or within three years after the employee’s end of employment, whichever is sooner.

Now, about those thirty-plus lawsuits…  there is hope.

On December 21, 2017, an Illinois Appellate court held that in order for a plaintiff to sue under BIPA, the plaintiff must first show that it suffered an “actual harm or adverse consequences.”   The court held that “[i]f a person alleges only a technical violation of the Act without alleging any injury or adverse effect, then he or she is not aggrieved and may not recover” in a lawsuit under BIPA.  The court effectively held that a plaintiff must demonstrate more than simple noncompliance with the statute by the employer — he or she must show that they were harmed in some way, financially or otherwise, to bring suit.

While this recent decision is certainly encouraging, it remains critical that employers using biometric information ensure they are BIPA-compliant.  Notwithstanding the Appellate Court’s ruling, nearly all of the aforementioned lawsuits remain pending in state and federal courts.  Through notifying your employees, implementing and publishing the required policies, and obtaining employee consent, you can ensure that you aren’t the next in line.

David will be presenting on the Illinois Biometrics Privacy Act to the Chicago Chapter of the Society for Human Resource Management  on April 11, 2018.   More details here.

UPDATE (4/11/2018):   The Illinois legislature is considering changes to BIPA.  We will keep you posted on this blog as things develop.  You can also follow us on Twitter for updates and current events on this, and other subjects.

Image Credit: From Pixabay, Creative Commons license, free for commercial use.