Dozens of employment class actions have been filed against employers with operations in Illinois for alleged violations of the Illinois Biometric Information Privacy Act (BIPA).  Those suits relate primarily to the failure to provide required notice to employees and obtain their consent in connection with the collection and use of employee fingerprints for timekeeping systems.  Other states, such as New York, also prohibit the fingerprinting of individuals as a condition of securing employment or continuing employment, but the Illinois BIPA is far broader in regulating employers’ collection and storage of biometric information.

In Rosenbach v. Six Flags Entertainment Corp., a widely anticipated decision addressing the circumstances under which an employee has standing to bring a BIPA claim, the Illinois Supreme Court held that an individual does not need to allege actual injury, beyond a violation of his or her rights under BIPA, to be entitled to seek statutory damages. Simply failing to comply with BIPA’s requirements could result in litigation by affected employees and customers.  Thus, a “no harm” defense is now a non-starter for violations under the BIPA.

In an opinion staunchly portraying individuals’ right to privacy in and control over their biometric data under BIPA, the Illinois Supreme Court decided that this “no harm needed” result is intended by the law to give companies the strongest possible incentive to conform to their biometric privacy obligations and prevent problems before they occur.

While BIPA isn’t new law, given the increasing use of biometric data, BIPA’s private right of action, and the Rosenbach finding that plaintiffs don’t have to demonstrate actual harm, employers’ exposure to lawsuits and damages under the law will increase. Moreover, as local and global legislators continue to focus on individual privacy rights, including biometric privacy rights, employers will have to pay attention to developments in the law that  regulate their handling of biometric data.

Workplace Privacy Landscape

In the United States, no one law provides an overall framework for the privacy of personal information in the workplace. There is a patchwork of federal laws that protects certain employee information, such as health-related information and credit histories. For example, the Health Insurance Portability and Accountability Act (HIPAA) and the Genetic Information Nondiscrimination Act (GINA) impose confidentiality obligations on most employers when it comes to employees’ health-related information. Employers using consumer reporting agencies to gather the credit history of an employee must follow the notice, disclosure, and consent requirements established by the Fair Credit Reporting Act (FCRA).

Otherwise, in the US an employee’s right to privacy in the employment context is largely based on state law. For example, states have enacted laws regulating drug and other pre-employment testing, e-mail and phone call monitoring, personnel files access, the use and disclosure of social security numbers, and security breach notifications.

California recently passed a comprehensive consumer privacy law (the California Consumer Privacy Act (CCPA), effective January 1, 2020), granting consumers rights over their personal information (including biometric information) and imposing data protection duties on companies conducting business in California. While the CCPA does not directly address employee or job applicant personal information, its broad definition of consumers suggests that it could have an impact in the workplace.

The privacy landscape is a bit different outside of the US, but also is transforming. For example, last year, European Union data protection legislation faced huge change. Effective May 28, 2018, the General Data Protection Regulation (GDPR) provides a harmonized framework for the protection of personal data in the EU. The GDPR can apply to businesses located outside the EU also. The GDPR strengthened individuals’ rights to control their personal data, and requires those processing personal data to, among other things, have a lawful basis for processing personal data, notify and inform data subjects about their processing activities, and comply with obligations around accuracy, retention, disclosure and disposal of personal data. Personal data protected by the law encompasses a wide range of information including, personal details, family details, education and training, employment details and medical details. Biometric data is among the GDPR’s “special categories” of personal data which may be processed only if a separate, specified lawful justification is established.

You can read more about the CCPA and the GDPR on our Privacy Matters blog.

Illinois Biometric Information Privacy Act (BIPA)

BIPA was passed in 2008, but as the use of biometric information increases, it has received more attention. BIPA regulates the “collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.” Biometric identifiers include things such as retina or iris scans, fingerprints, voiceprints, or scans of hand or face geometry. Biometric information is information based on an individual’s biometric identifier used to identify an individual.

In addition to complying with rules on disseminating, safeguarding, retaining and destroying biometric data, under BIPA, Illinois companies have to take the following steps before collecting anyone’s biometric data or information:

(1)    provide written information that biometric information is being collected or stored;

(2)    provide written information of specific purpose and length of term for which biometric information is being collected, stored, and used; and

(3)    receive a written release.

In recent years, the plaintiff’s class action bar has focused increasingly on bringing class actions under statutes such as BIPA, i.e., statutes that allow for an award of statutory damages. BIPA allows a person “aggrieved” by a violation of the law to recover, for each violation, liquidated damages or actual damages, reasonable attorneys’ fees and costs, and obtain other relief, including an injunction.

Rosenbach v. Six Flags Entertainment Corp.

In Rosenbach, the Illinois Supreme Court answered what it means to be “aggrieved” under BIPA, stating that a failure to comply with one of the requirements of BIPA “constitutes an invasion, impairment, or denial of the statutory rights of any person or customer whose biometric identifier or biometric information is subject to the breach. . . . The violation, in itself, is sufficient to support the individual’s or customer’s statutory cause of action.”

The defendant in Rosenbach sold season passes to its amusement park using a fingerprinting process. To complete the sign-up process for a season pass, when the plaintiff visited the park, he was asked to scan his thumb into the defendant’s biometric data capture system. However, when collecting the thumbprint, the defendant did not provide the requisite information or obtain a release. The court found that alleging this non-compliance was enough for the plaintiff to seek relief under BIPA.

The court weighed the cost of compliance for a business against the harm to individuals, and found strongly in favor of protecting individuals’ privacy rights, stating:

“Compliance should not be difficult; whatever expenses a business might incur to meet the law’s requirements are likely to be insignificant compared to the substantial and irreversible harm that could result if biometric identifiers and information are not properly safeguarded; and the public welfare, security, and safety will be advanced. That is the point of the law. To require individuals to wait until they have sustained some compensable injury beyond violation of their statutory rights before they may seek recourse, as defendants urge, would be completely antithetical to [BIPA’s] preventative and deterrent purposes.”

Biometric Information is Special

Companies are using biometric data, such as retina scans, fingerprints, and face or voice recognition, more often due to technological advances.  For example, this data is being used to track employee time and for building and device security (e.g., biometric authentication to enter a building or access work tablets, laptops, and smart phones). At the same time, laws regulating the handling of biometric information are gaining steam among US state legislators.

In 2008, with BIPA, Illinois was the first state to enact a biometric privacy statute. BIPA explains that “[b]iometrics are unlike other unique identifiers that are used to access finances or other sensitive information”, that “[b]iometrics are biologically unique to the individual; therefore, once compromised, the individual has no recourse [and] is at heightened risk for identity theft,” and the “full ramifications of biometric technology are not fully known.”

After BIPA, two other states (Texas and Washington) passed laws specifically governing the handling of biometric information.

The Texas law, the Capture or Use of Biometric Identifier Act (CUBI), went into effect in 2009. CUBI restricts companies from capturing biometric information for a commercial purpose unless the individual was informed and consented to the information’s capture. Uncooperatively, CUBI does not define “commercial purpose,” but, for example, capturing biometric data to pay employees may be a commercial purpose. CUBI specifically recognizes, however, that biometric identifiers may be collected “for security purposes by an employer.” The law also requires a companies use reasonable care to “store, transmit, and protect from disclosure” biometric information, and it restricts the sale or disclosure of biometric information.

The Washington law went into effect in 2017. Like CUBI, it only applies to biometric information used for a commercial purpose. The Washington law, however, does define “commercial purpose” to mean the sale or disclosure to a third party for the purpose of marketing goods or services, and excludes a security or law enforcement purpose. In Washington, a person cannot enroll a biometric identifier in a database for a commercial purpose, without first providing notice, obtaining consent, and providing ways to prevent the successive use for a commercial purpose.

Unique aspects of the Illinois law, compared to the Texas and Washington laws, include that it is not limited to commercial activities, and it allows a private right of action, which give an individual the right to sue in a civil litigation. There is no private right of action under the Texas or Washington biometric privacy laws.

Other states have also considered biometric data laws, which require notice and information on collection and use, require consent, restrict disclosure, and regulate confidentiality, retention, and disposal standards. Laws like this have been considered in Alaska, Connecticut, Massachusetts, Montana, and New Hampshire. Further, in the last several months, legislators in Florida and New York City have also proposed laws on the collection and use of biometric data similar to BIPA, including its feature of a private right of action.

Going Forward

Laws like BIPA will become more relevant to businesses and employers that increasingly use biometric data, for example, when using fingerprint scans for timekeeping. While employers may be familiar with their obligations under HIPAA and the FCRA, and new laws like GDPR and the CCPA have garnered much attention and discussion, employers must watch out for other laws regulating employee privacy in the jurisdictions in which they operate, and monitor developments in this area. More regulation of biometric data is likely due to an increasing use of biometrics and the potential harm if this data is compromised.

In particular, companies operating in Illinois and using biometric data will have to ensure they understand and comply with their obligations under BIPA, since simply failing to comply with any of the law’s requirements could result in litigation. Following the Rosenbach decision, there should be an increase in litigation under BIPA because plaintiffs will not have to demonstrate actual harm to survive a motion to dismiss. Failing to explain how biometric data will be stored and collected, to notify in advance of collecting biometric data, or to obtain consent in writing to the collection, use or storage of biometric data exposes companies to these lawsuits.