Illinois Supreme Court’s “biometrics” decision has wide implications for employers

Analysis

The Illinois Supreme Court decided a landmark privacy case under the Illinois Biometric Information Privacy Act on Friday, finding that a failure to follow the requirements of the Act is enough to support a cause of action under the statute – no additional damage or harm needs to be alleged or shown.

The Biometric Information Privacy Act

Enacted in 2008, the BIPA restricts how private entities may collect, use, store, disclose, and destroy biometric information. (The Act does not apply to state or local governmental agencies.) The touchstone of this law is whether the information collected is a “biometric” – that is, a set of measurements of a physical component, such as eye, finger, voice, hand, or face, which can be used to identify a specific person.

The BIPA has received increasing attention in recent years due to the mounting number of lawsuits filed under it. This litigation has included suits against technology titans like Google and Facebook for their collection and analysis of photographs to create facial templates, without the permission of the subjects of the photographs.

In the employment context, before an employer collects, stores, or uses biometric identifiers or information, it must:

  • Notify every employee in writing that it is collecting a biometric identifier or information, including the specific reason for collecting, storing, and using the information and how long the employer will use or retain the biometric identifier or biometric information;
  • Obtain the employee’s written release for the biometric collection; and
  • Develop a publicly available written policy that includes a retention schedule and guidelines for permanently destroying the biometric information.

The statute provides that an “aggrieved person” can file suit and recover actual or liquidated damages, and attorneys’ fees, and can also seek a court order directing the entity to comply with the law.

Rosenbach v. Six Flags Entertainment Corp.

A mother filed suit against Six Flags Entertainment Corporation on behalf of her son, alleging that Six Flags scanned and stored her son’s thumbprint during a visit in 2014. The lawsuit alleges that Six Flags did not disclose what was done with the information, how long it would be kept, or its guidelines for retaining and destroying the fingerprint information. According to the lawsuit, Six Flags did not provide written notice of the collection of the information or the purposes for which it would be used, nor did the company obtain a written release before scanning the thumbprint. The lawsuit claimed that all of this violated the BIPA. However, the son arguably was not “damaged” by the alleged violations. Thus, the issue in the Supreme Court decision was whether a person who had not suffered any actual or threatened damage as a result of a violation of the BIPA was an “aggrieved person” who could file suit.

A circuit court dismissed part of the lawsuit but found that the plaintiff had a valid claim under the BIPA. The Illinois Court of Appeals disagreed, finding that a plaintiff who alleged “only a technical violation” of the Act was not “aggrieved” under the statute and could not bring suit without showing some injury or adverse effect.

The Illinois Supreme Court disagreed with the Court of Appeals, and found that an individual whose BIPA rights were violated could be an “aggrieved person” with a right to sue even without any specific damages resulting from the violation. Citing a California decision regarding the Act, the Illinois Court found that in enacting the BIPA, the legislature recognized an individual’s right to privacy and to control his or her personal biometric identifiers. Accordingly, when a company fails to comply with the statute, that failure is itself a denial of an individual’s statutory rights, and “[n]o additional consequences need be pleaded or proved.”

The Court also gave short shrift to the idea that a mere “technical” violation of the law does not result in actual harm to an individual, saying that violation of the right to control one’s biometric information is “real and significant.”

Lessons for employers

The BIPA and the Rosenbach decision have implications for any employer who does business in Illinois.

In the employment context, Illinois facilities with timekeeping systems that use fingerprints or handprints would be required to comply with the BIPA. Additionally, Illinois facilities that use retina or iris scans as a security measure to, for example, limit access to certain areas or rooms would also need to comply.

Other states, including Washington and Texas, also have biometric privacy laws, but the Illinois BIPA was the first act of its kind, and it is the broadest. It is also the only one that provides a private right of action. An aggrieved person can recover $1,000 in liquidated damages (or actual damages) for each violation, and $5,000 in liquidated damages (or actual damages) per violation if the violation is intentional or reckless. The aggrieved person can also recover reasonable attorneys’ fees and court costs.

As the Illinois Supreme Court noted, the statute creates “substantial potential liability” for employers, and the risk of class actions alleging BIPA violations is significant. The court’s decision is likely to encourage the filing of individual lawsuits and class actions against companies who gather and use biometric information.

The Illinois legislature may ultimately decide to amend the BIPA, but employers should not count on it, given the employee-friendly environment in Illinois. In the meantime, employers who gather any type of biometric information from employees should ensure that they are in compliance with the written notice, consent, storage, and deletion provisions of the statute:

  • Create appropriate, publicly available policies governing the collection, use, storage, and destruction of biometric information that may be collected.
  • Obtain a written release from employees before collecting or using any biometric information.
  • Store and protect biometric information using a reasonable standard of care within the industry. At a minimum, biometric information should be protected to the same degree as other highly confidential information, such as Social Security numbers or genetic information.

Susan Bassford Wilson is co-chair of Constangy’s e-Law Practice Group and is licensed to practice law in Missouri and Illinois.
