Over 30 employment class actions claiming violations of the Illinois Biometric Information Privacy Act (“BIPA” or the “Act”) have been filed in Illinois courts in recent months. Many of the complaints allege that employers are collecting and storing employee’s fingerprints for timekeeping purposes (in which employees punch in and out with their fingerprints) but failing to: (1) provide written notice to its employees, (2) failing to obtain informed written consent from its employees and (3) failing to publish a written policy relating to this fingerprint information.
BIPA seeks to regulate employers’ collection and storage of biometric information. BIPA defines “biometric information” as “any information, regardless of how it is captured, converted, stored or shared, based on an individual’s biometric identifier used to identify an individual.” 740 ILCS §14/10. It defines “biometric identifier” as “a retina or iris scan, fingerprint, voiceprint or scan of hand or face geometry.” Id.
The recent lawsuits contend that BIPA prohibits employers from collecting employees’ fingerprint information until the company notifies the employee in writing that the information is being collected. Among other details, the written notice must inform the employee of the “specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored and used.” 740 ILCS § 14/15(b). An employer also must obtain a written release from the employee enabling it to collect and store the information. Id.
The Act also requires employers to develop a written and publicly available policy establishing a “retention schedule and guidelines for permanently destroying biometric information when the initial purpose for collecting them has been satisfied or within three years of the employee’s last interaction with the [employer], whichever occurs first.” 740 ILCS § 14/15(a). BIPA further directs that an employer use “the reasonable standard of care” within its industry to protect, store or transmit biometric information and act “in a manner that is the same as or more protective than the manner in which the [employer] stores, transmits and protects other confidential and sensitive information.” 740 ILCS § 14/15(e).
BIPA provides for actual damages, or alternatively, for liquidated damages of $1,000 for each negligent violation and $5,000 for each willful violation. 740 ILCS § 14/20. To willfully violate the BIPA, an employer must intentionally or recklessly violate the statute. BIPA also provides that a prevailing employee may recover attorneys’ fees, expert witness fees and litigation costs and expenses. Id. Thus, employers are understandably concerned that significant damages may be sought through a BIPA class action.
Employers that collect or use fingerprints or other biometric identifiers should review their policies and practices and consult with experienced counsel to ensure that they are in compliance with BIPA. For most employers, implementing policies that comply with BIPA will be relatively straightforward and assist to avoid the significant expenses associated with defending a BIPA class action.
In the event that a BIPA class action lawsuit has been filed or threatened, these cases may be subject to immediate motions to dismiss based on standing, the absence of actual injury and other legal defenses. The cases interpreting BIPA on these issues are mixed, however, and the law is currently unsettled.
The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.
Privacy Law Alert | 01.25.19
NP Privacy Partner | 12.01.17
NP Privacy Partner | 10.26.17
12.06.17 | San Francisco, CA