As reported last November, the Illinois Supreme Court has had in front of it perhaps the seminal case, Rosenbach v. Six Flags Entertainment Corp., regarding Illinois’s Biometric Information Privacy Act (BIPA). Before the case reached the Supreme Court, the lower (appellate) court had ruled that simply claiming a violation of the notice and consent requirements of BIPA was not tantamount to alleging a compensable injury. Branding such claims only “technical” in nature, the lower court found these were not cases or controversies. If that was all you had, said the appellate court, your BIPA case should be dismissed at the outset.
Today, in a unanimous decision, the Illinois Supreme Court rejected that approach and ruled that alleging a violation of statutory rights under BIPA is enough. An individual does not have to allege an actual injury in order to qualify as an “aggrieved” person entitled to seek liquidated damages and injunctive relief. “To require individuals to wait until they have sustained some compensable injury beyond violation of their statutory rights… would be completely antithetical to [BIPA’s] preventative and deterrent purposes.”
Under BIPA, entities may not “collect, capture, purchase, receive through trade or otherwise obtain” or store a person’s biometric information without informing an individual in writing about the collection or storage of said information. Further, entities collecting biometric information must specify the purpose for its collection and storage and how long it will be kept. Finally, entities must obtain a written release signed by the individual whose information has been collected. A failure to comply with these requirements gives an aggrieved individual a “private right of action” and allows the recovery of a minimum of $1,000 in liquidated damages, reasonable attorneys’ fees and costs and injunctive relief to anyone who successfully shows a violation. BIPA cases are—almost without exception—brought as class actions, whereby hundreds or thousands of “aggrieved persons” and their alleged damages are lumped together.
With today’s ruling, BIPA’s requirements alone empower private citizens to serve as watchdogs over company policy. The Court explained: “[i]t is clear that the legislature intended for [BIPA] to have substantial force” and “[w]hen private entities face liability for failure to [simply] comply with the law’s requirements … those entities have the strongest possible incentive to conform to the law…” Rosenbach is not an employment case (it concerns a patron’s access to Six Flags), but it impacts employers’ practices for collecting and maintaining biometric data for time tracking or security purposes. All companies with any presence in Illinois should be reviewing policies and protocols, because simply failing to comply with the statute’s requirements could result in a firestorm of litigation from affected employees, consumers and patrons.
What should you ensure you are doing today?
- Establish and make public (for example, post on the company’s website) a written policy that addresses the purpose(s) of biometric data use, how it will be collected, and how it will be stored.
- Be prepared to address any requests for reasonable accommodations based on disability, religious, or other reasons.
- If biometric data might leave a closed system, ensure that proper safeguards are in place, including contractual liability shifting.
- Ensure that employees whose biometric data is used acknowledge the policy, and authorize its use and collection in writing.
- Train supervisors on the company’s policies and practices to ensure consistency.
- Have biometric data systems audited to ensure that data is not exposed to the public or to a systems breach.
- Finally, consult with competent counsel to ensure that policies and practices comply with relevant law.