Illinois Supreme Court clarifies Biometric Information Privacy Act

The Illinois Biometric Information Privacy Act, enacted in 2008, was designed to provide individuals with control over their biometric information and to establish standards for collection. The Illinois Supreme Court has recently issued three opinions interpreting provisions of the BIPA, two of which are likely to result in a spike in BIPA claims and related litigation.

What is the BIPA?

The BIPA requires private entities that collect “biometric identifiers” or “biometric information” to meet certain standards summarized below. “Biometric identifiers” include a “retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” “Biometric information” is any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual.

The standards are as follows:

1. Develop a publicly available, written policy establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information.

2. Inform data subjects in writing that biometric identifiers or biometric information is being collected or stored, including the specific purpose and length of the collection or storage, and obtain a written release from the data subject before the collection.

3. Protect biometric identifiers and biometric information from disclosure or dissemination unless the data subject consents or the disclosure is required by law or court order.

The BIPA allows any aggrieved person to bring a private action alleging a BIPA violation with the potential to recover a set amount for each violation.

Decision One: BIPA claims have a five-year statute of limitations.

The BIPA, as originally drafted, did not contain a statute of limitations. On February 2, the Illinois Supreme Court ruled in Tims v. Black Horse Carriers, Inc., that BIPA claimants have five years from the date of an alleged violation to assert any type of BIPA claim.

The plaintiffs in Tims filed a class action complaint against their former employer, Black Horse Carriers, Inc., alleging that the employer violated the BIPA by requiring its employees to use a time clock that scanned fingerprints. The employer argued that the lawsuit was untimely, contending that a one-year statute of limitations period should apply.

In its decision, the Court reviewed the intent of the legislature in passing the BIPA, citing to the “fears of and risks to the public surrounding the disclosure of highly sensitive biometric information,” and holding that Illinois’ five-year “catch-all” limitations period applies to BIPA claims.

Decision Two: Each BIPA violation gives rise to a separate claim.

The BIPA, as originally drafted, did not clearly define what constituted an individual “violation” for purposes of a claim. On February 17, the state Supreme Court ruled in Cothron v. White Castle System, Inc., that a separate BIPA claim accrues with each violation.

The plaintiff in Cothron filed a class action against White Castle, alleging that the company failed to comply with the BIPA’s notice and consent provisions before requiring employees to scan their fingerprints to access pay stubs and work computers. The plaintiff alleged that the employer violated BIPA every time it scanned fingerprints and provided those scans to a third-party vendor – beginning in 2008 and continuing through 2018.

The employer argued that the plaintiff should have sued in 2008, when the BIPA became effective, and that only the first fingerprint scan or dissemination of the scan should count as a violation. The employer also argued that because the BIPA authorizes a certain recovery for each violation, applying the plaintiff’s interpretation would result in “astronomical” damage awards that could exceed $17 billion in this case alone.

In its decision, the Court found that the plain language of the BIPA applies to multiple collections and disseminations of biometric identifiers or information. Responding to the employer’s argument that the ruling would result in “annihilative liability,” the Court cited to the potential recovery as an incentive for employers to comply with the law. In any event, the Court said, trial courts presiding over BIPA class actions have discretion to fashion a damage award that fairly compensates class members, deters future violations, and does not destroy the defendant business.

Decision Three: BIPA claims from union employees may be preempted by federal labor law.

In Walton v. Roosevelt University, the Illinois Supreme Court found that Section 301 of the Labor Management Relations Act preempts BIPA claims asserted by union employees if the employees are covered by a collective bargaining agreement that includes a broad management rights clause.

This ruling means that collective bargaining agreements and federal labor laws will dictate the course of BIPA claims for many unionized workers.

In Walton, a former employee filed a class action complaint alleging multiple violations of the BIPA when the university scanned employees’ hand geometry onto a biometric timeclock. The former employee was a union member, and the contract contained a clause allowing the employer to have “exclusive rights to direct the employees covered by [the contract].” Relying on established federal law recognizing preemption when claims depend on interpretation of a collective bargaining agreement, the Court found that the BIPA claims were preempted.

What now?

The Tims, Cothron, and Walton decisions demonstrate the importance of companies’ remaining sensitive to the requirements of the BIPA. For information about steps that companies can consider taking to help address BIPA risks, or for assistance in defending litigation involving BIPA claims, the Constangy Cyber Security & Data Privacy team can help. Contact us today at breachresponse@constangy.com.

The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed through the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consultation on complex data privacy and security litigation. 
