Little-known Illinois statute now a source of class claims against employers

Do any of your office systems involve fingerprint scans or facial recognition? If so, and if you have any Illinois business operations, you may soon become a target of the latest round of employment class actions.

In 2008, Illinois passed the Biometric Information Privacy Act (referred to, when people are aware of it, as BIPA). The statute is codified at 740 ILCS 14/1, and a copy can be found here. We say “when people are aware of it” because the statute has merited little attention until now. A recent search engine request using that acronym came up with answers such as a line of home care products, a Namibian government agency and a kind of Korean lute, but there was only one reference to the obscure statute. It is poised, however, to take on increasing importance because a spate of suits under the act are now underway and catching numerous businesses off guard.

BIPA purports to regulate businesses’ use of biometric data. It was passed in the wake of a controversy involving the failure of a company that sought to link a customer’s banking and other consumer information through the use of a fingerprint device. Curiously, although the use of such devices was in its infancy at best, the statute contains a finding that “[a]n overwhelming majority of members of the public are weary of the use of biometrics when such information is tied to finances and other personal information.” Five years later, Apple introduced Touch ID as part of the then-new iPhone 5S, and suddenly such devices came into everyday (and for many of us multiple times a day) use. Face recognition technology is also becoming increasingly common, including in video games as well as business applications. The reliability and methodology used by these kinds of systems have evolved rapidly and are now far beyond what was available when the statute was passed.

BIPA itself defines biometric data based on 2008 technology, which is much older than it sounds given the pace of development in this area. Under the statute, biometric data includes such things as a “retina or iris scan, voiceprint, or scan of hand or face geometry,” subject to multiple exceptions such as signatures, photographs, or basic descriptive data such as weight, height, eye color or tattoos. It also excludes its use in a wide array of patient healthcare settings. Where the statute does apply, it has numerous requirements that include:

  1. Informing users of its use and purpose and obtaining written consent.
  2. Limiting its dissemination or sale without the subject’s consent.
  3. Exercising reasonable care over its storage.
  4. Developing and following a data retention policy requiring destruction of the data within a specified time period.

Significantly, BIPA provides for damages of $1,000 or actual damages (whichever is greater) for negligent violations, and $5,000 or actual damages (whichever is greater) for reckless or intentional violations. These are in addition to reasonable attorney fees, costs, expenses and injunctive relief. The availability of such damages is now fueling a wave of BIPA cases in Cook County (Chicago), Illinois. In the past two months alone, more than two dozen class action suits have been filed against a host of entities that include retailers, healthcare, restaurants and manufacturers, mostly for using fingerprint recognition software as part of their timekeeping processes. Other businesses have been sued, again in class actions, for collecting data such as smartphone pictures or utilizing fingerprinting technology for admission to events or places, day care security, and similar uses. We describe the specifics of the statute more fully here.

It is not clear where this trend will go. Much of the technology today is far more nuanced and operates very differently than what the drafters of BIPA likely intended when they wrote the statute. Until this year, there were few BIPA cases, and courts have had little opportunity to opine on when, where or how the statute might operate, or what circumstances might call for relief. Irrespective of these issues, however, any employer with Illinois operations should be reviewing its use of any arguable type of biometric data and considering adopting BIPA-compliant policies to avoid being a bleeding-edge defendant in this type of litigation. But it likely will be found to apply to technologies less fanciful than, say, the use of retinal scanners in movies like Tom Cruise’s 2002 Minority Report or the 1983 James Bond movie Never Say Never Again.

The bottom line: Employers with Illinois operations should review their use of fingerprint or facial recognition technology and consider BIPA compliance to avoid what would likely be very expensive litigation.