On January 25, 2019, the Illinois Supreme Court issued its long-awaited decision in Rosenbach v. Six Flags Entertainment Corp, et al., 2019 IL 123186 (Ill. Jan. 25, 2019). The Court concluded that a private cause of action is available under the Illinois Biometric Information Privacy Act, 740 ILCS § 14/1 et seq. (BIPA), without allegations of additional, actual harm beyond violations of the procedural requirements set forth in the statute. This new ruling by the Illinois Supreme Court could trigger expensive class action lawsuits and private litigation against businesses, even where plaintiffs do not allege actual injury. The case demands attention, not only for Illinois companies that use biometric information, but for companies generally.
What is this case about?
In Rosenbach, the plaintiff alleged that an amusement park violated BIPA because it used her son’s fingerprints to issue a season pass without first obtaining written consent or otherwise complying with BIPA’s notification procedures. The plaintiff alleged no actual harm beyond the violation of BIPA’s requirements. On certification from the trial court, the Second District Appellate Court held that in order to bring an action under BIPA’s “aggrieved person” private right of action, a plaintiff must allege an “injury or adverse effect” beyond noncompliance with the statute.
The Illinois Supreme Court disagreed, concluding that the term “aggrieved” does not contemplate actual harm or injury beyond violation of the rights provided under BIPA. The Court held that a plaintiff can seek both monetary damages and injunctive relief regardless of whether a defendant’s alleged non-compliance with BIPA resulted in actual harm or injury.
What is Biometrics Information Privacy Act (BIPA)?
When BIPA took effect in 2008, Illinois became the first state to enact a biometric privacy law regulating the collection, use, and storage of “biometric identifiers,” such as fingerprints, voiceprints, iris or retina scans and scans of hand or face geometry, as well as other “biometric information” based on those identifiers to the extent used to identify an individual (collectively, “biometric data”). Although three other states have since passed similar laws, BIPA remains the only one that grants individuals a private right of action—the right to sue and seek damages or injunctive relief for statutory violations.
The BIPA set forth a comprehensive set of rules for companies collecting biometric data of state residents. The BIPA has 5 key features:
- Requires informed consent prior to collection
- Permits a limited right to disclosure
- Mandates protection obligations and retention guidelines
- Prohibits profiting from biometric data
- Creates a private right of action for individuals harmed by BIPA violations. Statutory damages can reach $1,000 for each negligent violation, and $5,000 for each intentional or reckless violation.
How are Biometrics used in business?
The use of biometrics in the business world has become widespread, and the types of usage are constantly evolving. With new technological developments and the technology itself becoming more readily available, industries of all sizes and kinds are discovering the benefits of biometrics. Common uses include:
- Time Management – Businesses across all industries have found that biometric time clocks – devised that facilitate clocking in and out with a fingerprint or other biometric, rather than an I.D. card or pin code, is cost effective, eliminates time theft, and ensures more accurate compliance with attendance policies.
- Security Access – One of the original and most common forms of biometric use, typically through fingerprint reader, hand geometry scanners, and facial recognition, businesses use this technology to secure laptops, keyboard/mice, USB and portable storage devices, as well as for more general physical security (access to buildings and spaces within). Iris and retina scanners are more expensive, and generally only justify use in locations that require a high security clearance.
- Safety – As regulations and internal policies are added to increase employee safety, biometrics allows employers to complete a profile for each employee – a “one-stop shop” for keeping up-to-date with training, certification, use of company information, and issuing credentials.
- Health Plans – Biometrics assists health plans in establishing effective wellness programs. Biometric screening of an enrolled population allows data to be aggregated providing a complete risk profile for each individual. Some plans also measure biometric data of individuals to assess their health risks and provide incentives for changing behaviors that could lower those risks.
What should Companies do?
The Rosenbach decision now makes it easier for plaintiffs to bring claims without asserting actual damages. In other words, plaintiffs do not need to make one of the essential allegations of any lawsuit claiming money damages – that they have been harmed in fact. The decision of this case will bring proliferation of lawsuits, already numbering approximately 200, filed in Illinois state and federal courts alleging BIPA violations.
To avoid exposure to lawsuits under BIPA, any entity with Illinois employees or that operates in Illinois and collects, stores or uses biometric identifiers or information, whether that of its employees or its customers, guests, visitors, must ensure that they adopt and implement written policies and procedures regarding their collection, retention, disclosure and destruction of this data to ensure that they are sufficient to comply with the strict standards and requirements of BIPA. However, having these policies by themselves is not enough. It is essential that entities, especially in an employer/employee context, provide notice to individuals that their biometric information is being collected, stored, and/or used. For employers, this can be part of the onboarding process, where a signed affirmation of receipt of the notice can be made a condition of employment. Doing so will help secure a strong defense to any claim that an employee lacked adequate BIPA notice. Developing policies and procedures that place individuals on notice of an entity’s collection/storage and use of biometric information is especially critical in light of the Rosenbach decision.
Should you have any questions about the BIPA or any other laws that may affect your company, or would like to schedule a consultation, please contact Waltz, Palmer & Dawson, LLC at (847)253-8800 or contact us online.
Waltz, Palmer & Dawson, LLC is a full-service law firm with various areas of service to assist your business, including: Employment Law, Intellectual Property, Commercial Real Estate, Litigation and general Business Law services. Individual services include Estate Planning, Wills and Trusts, Probate, Guardianship, Divorce and Family Law, Collaborative Divorce & Mediation.
This article constitutes attorney advertising. The material is for informational purposes only and does not constitute legal advice.
To subscribe to our business e-newsletter, pleases send an email request to www.info@navigantlaw.com