Contributed by Michael Faley, May 7, 2019
In only the latest of potential blows to companies that collect or use biometric data, an Illinois Appellate Court has ruled that claims brought by employees of the Four Seasons luxury hotel for alleged violations of the Illinois Biometric Information Privacy Act (BIPA) are not subject to arbitration under the workers’ respective employment agreements with the hotel. Liu v. Four Seasons Hotel, Ltd., 2019 IL App (1st) 182645.
The BIPA was enacted to protect the privacy of individuals’ biometric data. It governs the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information, which includes retina or iris scans, fingerprints, voiceprints, or scans of “hand or face geometry.” 740 ILCS 14/1, et seq. BIPA contains a private right of action whereby a party may recover damages of $1,000 (or actual damages if greater) for each negligent violation of BIPA and $5,000 (or actual damages if greater) for each intentional or reckless violation, as well as attorney’s fees, costs, and expenses. Violations can be aggregated—meaning every day a company is not in compliance could serve as a separate “violation.” As reported in this blog, earlier this year, the Illinois Supreme Court lowered the bar for what a complaining-party must show in order to pursue a BIPA case against a company.
In Liu, the employees filed a class action complaint alleging that the Four Seasons violated BIPA through its method of collecting, using, storing and disclosing the employees’ biometric data (their fingerprints) for timekeeping purposes.
The Four Seasons maintained that the employees’ complaint fell within a provision of the employment agreement requiring arbitration of any claim for a “wage and hour violation.” The hotel argued that the sole reason for requiring employees to scan their fingerprints was to monitor the number of hours worked, which necessarily made it a claim for a “wage and hour violation.” However, the Appellate Court disagreed, holding that BIPA is a privacy rights law that applies inside and outside of the workplace. The Appellate Court explained that simply because an employer opts to use biometric data, like fingerprints, for timekeeping does not transform a potential BIPA-violation into a wage and hour claim. As a result, the Appellate Court found that the employees possessed the right to proceed with their claims in court.
Notably, the outcome may have been different had the Four Seasons’ employment agreements contained a broader arbitration clause or otherwise been updated to account for ongoing changes in the law.
To avoid and/or minimize any BIPA issues or potential liability, we continue to recommend that employers take the following steps:
- Review policies and procedures and identify if, and when, biometric data, such as retina or iris scans, fingerprints, voiceprints, or scans/pictures of hand or face geometry are being used.
- Establish a written policy that addresses the purpose(s) of biometric data use, how it will be collected, and how it will be stored.
- Be prepared to address any requests for reasonable accommodations based on disability, religious, or other reasons.
- If biometric data might leave a closed system, ensure that proper safeguards are in place, including contractual liability shifting.
- Ensure that employees whose biometric data is used acknowledge the policy, and authorize its use and collection.
- Train supervisors on the company’s policies and practices to ensure consistency.
- Have biometric data systems audited to ensure that data is not open to the public or a systems breach.
- Consult with competent employment counsel to ensure that policies, practices and agreements comply with the relevant law.
- Regularly review policies, procedures and agreements for compliance with updates to the law and current case law.