Illinois’ Unique Biometric Privacy Law Presents Lessons for Businesses Everywhere

The state of Illinois has been making headlines recently because of its unique biometric privacy law. In one example of a recent settlement, Instagram agreed to pay $68.5 million to resolve a class action filed on behalf of Illinois users.

The law at issue, known as BIPA, is the Biometric Information Privacy Act, enacted by the Illinois legislature in 2008. BIPA applies to any entity that uses Illinois residents’ biometric information in its business. Biometric information as defined under the law includes fingerprints, hand scans, retina or iris scans, facial geometry, voice prints, DNA and other unique biological identifiers. 

With advancing technology in workplace time clocks and security measures, many employers utilize biometric information to track employees’ working time, access secure areas in the workplace and log into online applications.

BIPA’s background

Illinois was the first state to pass sweeping biometric information privacy regulations and provide individuals with a private right of action for failure to adhere to the statute. There is no showing of actual damages required under BIPA and, even without proof of actual harm, statutory damages can be $1,000 per violation or $5,000 per violation if the violation is intentional or reckless.

There are multiple requirements under BIPA, but first and foremost, any company looking to gather biometric data must obtain the written consent of the individual before collecting or storing their data. They must also inform the individual in writing of what data is being collected and the specific purpose and length of time in which it will be collected, stored and used.

BIPA not only prevents companies from collecting and storing data without the individual’s advanced written consent, but it also prohibits companies from selling such data. The Illinois law is unique, but there are also comprehensive biometric data laws in Washington, Texas and New York City. And at least 15 states are considering modeling their future biometric privacy-specific laws off the Illinois statute.

Recent litigation making headlines

In the Instagram class action suit, plaintiffs claimed that parent company Meta violated BIPA by collecting and storing biometric information without its users’ consent. Meta denied any wrongdoing but still agreed to settle. Although the Instagram case does not involve employees, it is based on the use of facial recognition technology that has become common in many workplaces.

Another headline-grabbing case decided in February involved a group of employees at a trucking company who alleged that they were required to scan their fingerprints to clock in and out of work, without their employer obtaining their consent. The employer, Black Horse Carriers, attempted to dismiss the claim, arguing that since the statute does not provide a timeframe for when claims can be brought, the court should apply a one-year statute of limitations. The case made it to the Illinois Supreme Court, which disagreed with the employer’s arguments, ruling that BIPA claims may reach back as far as five years, drastically increasing the potential liability a company faces when it comes to such claims.

One of the most pivotal decisions under BIPA so far relates to the question of whether claims accrue each time a company collects an individual’s biometric identifier and each time the company transmits the scan to a third party, or only upon the first scan and first transmission.

This question was escalated to the Illinois Supreme Court in Cothron v. White Castle. According to the suit, employees of White Castle restaurants in Illinois had to scan their fingerprints to access their computers and paystubs. To authorize access to the system, White Castle had a third-party vendor verify each scan. The lawsuit was based on the allegation that White Castle never obtained its employees’ permission to do so.

In a tight 4-3 decision, the Illinois Supreme Court held that a separate claim accrues each time an individual’s biometric information is scanned or transmitted. This means an individual has grounds to sue for every instance that their finger touched the scanner and for every instance in which that data was transmitted to the third-party vendor. According to a recent Bloomberg Law analysis, the number of lawsuits in Illinois circuit courts alleging BIPA violations after this ruling skyrocketed 65%.

Compliance

There are several steps a company should take to comply with BIPA. To begin with, they must obtain advanced written consent from anyone who will be asked to use biometric technology and develop a written policy. This policy must be made available to the public and codify a retention schedule along with guidelines for permanently destroying the biometric information that is gathered.

The biometric information must be destroyed when the initial purpose for collecting the information has been fulfilled, or within three years of the individuals’ most recent interaction with the company, whichever comes first.

No company may collect, store or transmit biometric data until they inform the individual of such action, specify the purpose and length of term for which the information will be gathered and receive written consent from the individual to proceed.

Companies are not permitted to sell, lease, trade or otherwise profit from an individual’s or customer’s biometric information. Failure to adhere to these guidelines could result in liquidated damages, reasonable attorney fees and costs and other relief, potentially including an injunction.

Additional best practices to consider include:

• Audit existing technology to pinpoint every area where biometric information is either being collected, stored or transmitted.
• Ensure the written consent form is up to date and there is an individual responsible for ensuring consent is obtained before new users are enrolled in the technology.
• Create a record of documentation to prove BIPA compliance.
• Speak with a labor and employment attorney regarding the newest BIPA litigation to identify potential process gaps.

New technology is emerging daily, which desensitizes people to the number of times that their personal biometric information is captured and transmitted. Nonetheless, it is crucial to keep up with the latest state and federal laws to ensure compliance and reduce the potential for future litigation.