Category Archives: Biometric Information Privacy Act (BIPA)

BIPA: The Ongoing Threat of Employee Class Actions and Recent Developments

Contributed by Carlos Arévalo and guest author Molly Arranz, October 9, 2020

Even in the pandemic, the (high) number of class action filings based upon the Illinois Biometric Information Privacy Act (BIPA) remains steady. Against that backdrop come two recent decisions that may affect how employers need to shift their defense strategies.

First, in McDonald v. Symphony Bronzeville Park LLC, the Illinois Court of Appeals ruled that the state Workers’ Compensation Act (WCA) and its exclusivity provisions do not bar claims for statutory damages under BIPA. The court distinguished the two, noting that while the WCA provides remedies to workers that have sustained an actual injury, BIPA provides statutory, liquidated damages to employees who allege privacy right violations even when there is no injury. This outcome should come as no surprise given past rulings on what an employee or consumer needs to show to pursue a BIPA claim. Thus, as it relates to BIPA claims, the WCA exclusivity defense is no longer viable – or at least for the time being, since this case will likely be appealed to the Illinois Supreme Court.

In a second decision, Williams v. Jackson Park SLF, LLC, the Northern District of Illinois held that union workers under a collective bargaining agreement are preempted from pursuing a BIPA cause of action in federal court. The overall success of this argument, though, may be limited as the court is allowing the plaintiff to amend its complaint, meaning the case may still be litigated by non-union class members. It remains to be seen what defenses to the merits—and perhaps, more importantly, to class certification—can be advanced with an amended complaint and amended class definition.

On balance: it has been 12 years since BIPA was enacted, but there are still so many questions that are being battled in court as employers and employees continue to navigate this biometric privacy law. One thing is for certain: BIPA packs a punch with eye-popping statutory damages and monetary awards that can lead to anywhere from $1,000 to $5,000 per violation plus attorneys’ fees. Moreover, considering that an alleged violation is enough to bring a suit, BIPA is a class action dream – bearing in mind if an employer is collecting biometric data on one individual, it is collecting it on many individuals.

To avoid finding yourself facing a BIPA class action, the best thing you can do as an employer is ensure basic compliance in the first place:

  • Determine what biometric information you are collecting. Under BIPA, biometric data is sensitive information that is biologically unique—such as iris scans, fingerprints, voiceprints, and face geometry. Both of the recent lawsuits were brought by employees using fingerprints or handprints to clock in and out of work. While these may now seem like obvious identifiers, remember that some identifiers can be captured simply through voice or video recording. That being said, while advanced technology can enhance the workplace experience, when integrating new systems think through what information your company may be collecting in order to determine any necessary disclosures.
  • Evaluate what disclosures you currently have in place. To comply with BIPA, companies must provide written notice to their users disclosing what biometric information will be collected, stored, or used, as well as an explanation of the purpose of its collection. Additionally, prior to collection it is best to obtain express written authorization from employees to collect and store their biometric information.
  • Create a public facing policy that is easily accessible for employees. Biometric data has become a hot button issue across the country. Since biometric information is uniquely sensitive and cannot be changed, there is constant, growing concern on how information is being collected, stored, and destroyed. Creating a company policy that is available to employees is not only required, but helps ease some concern. Consider posting the policy in public spaces like breakrooms, or perhaps in areas where the biometric data is being used. For example, if your employees clock in via fingerprints, then perhaps it is worth posting a copy of the policy near the time clock.
  • Stay alert to both recent court decisions and pending regulations. BIPA has caused quite a stir and will continue to be challenged in courts as employers and employees alike learn what can and cannot be brought under BIPA. While staying up to date on recent court decisions is always beneficial, it is also important to be alert to any regulatory changes so that your business can remain in compliance. Recently, the National Biometric Information Act of 2020 was introduced in the U.S. Senate. If passed, this would be the first comprehensive federal policy of its kind concerning biometric data. Since this bill has only been introduced, you are not subject to any official requirements as of yet. However, the more you are aware of upcoming regulations, the better prepared your company will be to comply efficiently and effectively.

Want to learn more about BIPA and how you can avoid the threat of a class action? Join Molly Arranz and Carlos Arévalo for a complimentary webcast on October 29.  

Biometric Data in the Days of Virtual Interaction and E-Learning

Contributed by Molly Arranz and Carlos Arévalo, April 7, 2020

Due to COVID-19, everyone has been adjusting to daily life from home, including the youngest family members. Education is coming in the form of rapidly developing technology that provides cybernetic classes and hangouts and the submission of coursework or “attendance” virtually. More businesses now have employees working remotely, using technology to stay in touch with co-workers and conduct meetings. However, this interfacing by schools, dance/music classes and management or team meetings may come with legal risk. The requirements of privacy laws (take, for example, the Illinois Biometric Information Privacy Act (BIPA) and its protection of “voiceprints”) are not being relaxed even in these unusual times. Any company should ask what consent and disclosures are in place before engaging in the next virtual connection.

A new class action lawsuit against Google, for use of the tech giant’s educational platform, highlights this challenge. There, a parent claims that Google violated BIPA by collecting voiceprints, facial features and other personal identifiers of children. Google is also being accused of violating the Children’s Online Privacy Protection Act (COPPA), which prohibits companies from collecting personal information from children under the age of 13 without parental consent. So while making remote working and learning resources available during this pandemic is undoubtedly necessary, companies must remember that federal and state privacy laws remain in full force.

If you are allowing for any recordings or interfacing that could involve facial or voice data, you should first:

  • Determine what biometric information you are collecting: Under BIPA, biometric data is sensitive information that is biologically unique—such as iris scans, fingerprints, voiceprints and face geometry. Some of these identifiers can be captured simply through voice or video recording, so think through what information your company may be collecting to determine any necessary disclosures.
  • Evaluate what disclosures you currently have in place: To comply with BIPA, companies must provide written notice to their users disclosing what biometric information will be collected, stored, or used, as well as an explanation of the purpose of its collection and how long it will be kept. Additionally, prior to collection it is best to obtain express written authorization from consumers (students, employees, participants) to collect and store their biometric information.
  • Develop a publicly available written policy: Along with obtaining express consent, it is important to incorporate a public policy establishing a retention schedule and guidelines for destroying biometric information.
  • Do not forget about federal regulations: While it may be difficult to keep up with the many changing state regulations, do not allow blanket federal policies to fall by the wayside. If you collect, use, or disclose any personal information from children under 13 years of age, be sure to comply with COPPA by clearly posting privacy policies on your website or platform and obtaining parental consent. State privacy laws may add another layer of disclosure or consent. In fact, regardless of whether you interact with this age group, the Federal Trade Commission (FTC) and/or certain state laws recommend providing this disclosure as a precaution.

Facebook Agrees to $550 Million Settlement in BIPA Class Action

Contributed by Carlos Arévalo and guest author Molly Arranz, February 4, 2020

In the face of billions of dollars of potential liability at trial, social media giant, Facebook, opted for the finality of a class-wide settlement—to the tune of $550 million—reached with Illinois users complaining of violations of the Illinois Biometric Information Privacy Act (BIPA). Facebook explained that the settlement was “in the best interest of [its] community and shareholders.” If approved by the court, the $550 million settlement will be the largest of its kind and will put an end to a case where Plaintiffs alleged that Facebook violated BIPA by collecting biometric data without consent through its facial-tagging feature. 

Under BIPA, entities may not “collect, capture, purchase, receive through trade or otherwise obtain” or store a person’s biometric information without informing an individual in writing about the collection or storage of said information. Further, entities collecting biometric information must specify the purpose for its collection and storage and how long it will be kept. Finally, entities must obtain a written release signed by the individual whose information has been collected. A failure to comply with these requirements gives an aggrieved individual a “private right of action” and allows the recovery of a minimum of $1,000 in liquidated damages, reasonable attorneys’ fees and costs and injunctive relief to anyone who successfully shows a violation. 

While plaintiff did not allege actual damages, the 9th Circuit confirmed that failure to obtain written consent and to establish a compliant retention schedule resulted in a compensable injury. Facebook and other companies have similarly come up short in other defenses in the face of BIPA class actions grounded in a failure to obtain the appropriate consent and to comply with the statute’s other requirements.

In fact, Illinois’ BIPA, the most comprehensive legislation addressing the privacy of biometric information, packs a significant punch because unlike other states that have statutes protecting biometric data, including the California Consumer Privacy Act (the CCPA), the Illinois statute has been found to contain a private cause of action for the (mere) failure to comply with the law’s requisites. It is unclear what impact this Facebook settlement will have on other state legislatures in drafting similar privacy protections and how such an eye-popping settlement, without any alleged injury to the actual privacy of the Facebook users, might drive Congress to take action. No matter what: there appears to be no immediate relief in sight.

Our prior recommendations remain in place. Specifically, employers should review, audit and update practices regarding the use of their employees’ biometric data. This means companies with an Illinois presence should take the following steps:

  1. Establish and make public (for example, post on the company’s website) a written policy that addresses the purpose(s) of biometric data use, how it will be collected, and how it will be stored.
  2. Be prepared to address any requests for reasonable accommodations based on disability, religious, or other reasons.
  3. If biometric data might leave a closed system, ensure that proper safeguards are in place, including contractual liability shifting.
  4. Ensure that employees whose biometric data is used acknowledge the policy, and authorize its use and collection in writing.
  5. Train supervisors on the company’s policies and practices to ensure consistency.
  6. Have biometric data systems audited to ensure that data is not open to the public or a systems breach.
  7. Consult with competent counsel to ensure that policies and practices comply with relevant law.

Facebook Facing Massive Class Action Trial: Ninth Circuit Rules BIPA Class Action Can Proceed

By Carlos Arévalo and Molly Arranz, August 12, 2019

In January 2019, we reported on the Illinois Supreme Court’s decision, Rosenbach v. Six Flags Entertainment Corp., where the highest court in Illinois unanimously found that an individual need not allege (or show) an actual injury to qualify as an “aggrieved” person under Illinois’s Biometric Information Privacy Act (BIPA). This decision opened up the floodgates for additional class action litigation under this Illinois statute.

Then, last week, in Patel v. Facebook (a case that was originally filed in Illinois but later transferred to the Northern District of California, where Facebook is headquartered), the Ninth Circuit ruled that an Illinois class of Facebook users can proceed in their class action lawsuit against Facebook over its use of facial recognition technology. Specifically, the Ninth Circuit panel answered in the affirmative the question of whether the mere collection of an individual’s biometric data in violation of BIPA was sufficient to establish standing in federal courts. In order to have standing, a plaintiff need only show she has suffered an invasion of a “legally protected interest that is concrete and actual or imminent, not conjectural or hypothetical.”

No actual damages from a company’s failure to comply with BIPA? The Ninth Circuit confirmed that is no hurdle to proceeding in a class action trial. Like the plaintiff in Rosenbach, the plaintiff contended that violation of the requirements of obtaining written consent and establishing a compliant retention schedule resulted in an actual injury. On the other hand, Facebook advanced that these were only procedural violations and did not amount to “an injury of a concrete interest.” 

The Ninth Circuit was not persuaded by the defendant’s argument. The three-judge panel concluded that since BIPA provisions were established to protect the plaintiffs’ privacy rights, which “encompassed an individual’s control of information concerning his or her person,” Facebook’s development of a face template using facial recognition technology without consent served as an invasion of private affairs and affected concrete interests. Plaintiffs had advanced injury to their substantive privacy rights, not just complained about procedural failures.

Because BIPA provides for fines between $1,000 and $5,000 per violation, the ruling exposes Facebook to a potentially massive class action judgment. It is reasonable to expect that Facebook will seek an en banc review of this decision—and that this is not the last petition for review of this holding.

For other companies, the Ninth Circuit decision, like Rosenbach, serves as yet another reminder that BIPA impacts every company that uses, controls or collects biometric data. For employers, this means reviewing, auditing and updating practices regarding the use of your employees’ biometric data. All companies with an Illinois presence should be reviewing policies and protocols regarding the use of biometric data. We continue to recommend the following:

  1. Establish and make public (for example, post on the company’s website) a written policy that addresses the purpose(s) of biometric data use, how it will be collected, and how it will be stored.
  2. Be prepared to address any requests for reasonable accommodations based on disability, religious, or other reasons.
  3. If biometric data might leave a closed system, ensure that proper safeguards are in place, including contractual liability shifting.
  4. Ensure that employees whose biometric data is used acknowledge the policy, and authorize its use and collection in writing.
  5. Train supervisors on the company’s policies and practices to ensure consistency.
  6. Have biometric data systems audited to ensure that data is not open to the public or a systems breach.
  7. Consult with competent counsel to ensure that policies and practices comply with relevant law.

Hotel Workers’ Claims under the Biometric Information Privacy Act Are Not Subject To Arbitration Clause

Contributed by Michael Faley, May 7, 2019

In only the latest of potential blows to companies that collect or use biometric data, an Illinois Appellate Court has ruled that claims brought by employees of the Four Seasons luxury hotel for alleged violations of the Illinois Biometric Information Privacy Act (BIPA) are not subject to arbitration under the workers’ respective employment agreements with the hotel. Liu v. Four Seasons Hotel, Ltd., 2019 IL App (1st) 182645.

The BIPA was enacted to protect the privacy of individuals’ biometric data. It governs the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information, which includes retina or iris scans, fingerprints, voiceprints, or scans of “hand or face geometry.” 740 ILCS 14/1, et seq. BIPA contains a private right of action whereby a party may recover damages of $1,000 (or actual damages if greater) for each negligent violation of BIPA and $5,000 (or actual damages if greater) for each intentional or reckless violation, as well as attorney’s fees, costs, and expenses. Violations can be aggregated—meaning every day a company is not in compliance could serve as a separate “violation.” As reported in this blog, earlier this year, the Illinois Supreme Court lowered the bar for what a complaining party must show in order to pursue a BIPA case against a company.

In Liu, the employees filed a class action complaint alleging that the Four Seasons violated BIPA through its method of collecting, using, storing and disclosing the employees’ biometric data (their fingerprints) for timekeeping purposes.

The Four Seasons maintained that the employees’ complaint fell within a provision of the employment agreement requiring arbitration of any claim for a “wage and hour violation.” The hotel argued that the sole reason for requiring employees to scan their fingerprints was to monitor the number of hours worked, which necessarily made it a claim for a “wage and hour violation.” However, the Appellate Court disagreed, holding that BIPA is a privacy rights law that applies inside and outside of the workplace. The Appellate Court explained that simply because an employer opts to use biometric data, like fingerprints, for timekeeping does not transform a potential BIPA violation into a wage and hour claim. As a result, the Appellate Court found that the employees possessed the right to proceed with their claims in court.

Notably, the outcome may have been different had the Four Seasons’ employment agreements contained a broader arbitration clause or otherwise been updated to account for ongoing changes in the law.

To avoid and/or minimize any BIPA issues or potential liability, we continue to recommend that employers take the following steps:

  1. Review policies and procedures and identify if, and when, biometric data, such as retina or iris scans, fingerprints, voiceprints, or scans/pictures of hand or face geometry are being used.
  2. Establish a written policy that addresses the purpose(s) of biometric data use, how it will be collected, and how it will be stored.
  3. Be prepared to address any requests for reasonable accommodations based on disability, religious, or other reasons.
  4. If biometric data might leave a closed system, ensure that proper safeguards are in place, including contractual liability shifting.
  5. Ensure that employees whose biometric data is used acknowledge the policy, and authorize its use and collection.
  6. Train supervisors on the company’s policies and practices to ensure consistency.
  7. Have biometric data systems audited to ensure that data is not open to the public or a systems breach.
  8. Consult with competent employment counsel to ensure that policies, practices and agreements comply with the relevant law.
  9. Regularly review policies, procedures and agreements for compliance with updates to the law and current case law.

Illinois Supreme Court Rules Actual Damages, Injury or Harm Not Necessary in Biometric Privacy Case

Contributed by Carlos Arévalo and Molly Arranz

As reported last November, the Illinois Supreme Court has had in front of it perhaps the seminal case, Rosenbach v. Six Flags Entertainment Corp., regarding Illinois’s Biometric Information Privacy Act (BIPA). Prior to landing before the Supreme Court, the lower (appellate) court had ruled that simply claiming a violation of the notice and consent requirements of BIPA was not tantamount to alleging a compensable injury. Branding such claims only “technical” in nature, the lower court found these were not cases or controversies. If that was all you had, said the appellate court, your BIPA case should be dismissed at the outset. 

Today, in a unanimous decision, the Illinois Supreme Court rejected that approach and ruled that alleging a violation of statutory rights under BIPA is enough. An individual does not have to allege an actual injury in order to qualify as an “aggrieved” person entitled to seek liquidated damages and injunctive relief. “To require individuals to wait until they have sustained some compensable injury beyond violation of their statutory rights… would be completely antithetical to [BIPA’s] preventative and deterrent purposes.”

Under BIPA, entities may not “collect, capture, purchase, receive through trade or otherwise obtain” or store a person’s biometric information without informing an individual in writing about the collection or storage of said information. Further, entities collecting biometric information must specify the purpose for its collection and storage and how long it will be kept. Finally, entities must obtain a written release signed by the individual whose information has been collected. A failure to comply with these requirements gives an aggrieved individual a “private right of action” and allows the recovery of a minimum of $1,000 in liquidated damages, reasonable attorneys’ fees and costs and injunctive relief to anyone who successfully shows a violation. BIPA cases are—almost without exception—brought as class actions, whereby hundreds or thousands of “aggrieved persons” and their alleged damages are lumped together.

With today’s ruling, BIPA’s requirements alone empower private citizens to serve as watchdogs over company policy. The Court explained: “[i]t is clear that the legislature intended for [BIPA] to have substantial force” and “[w]hen private entities face liability for failure to [simply] comply with the law’s requirements … those entities have the strongest possible incentive to conform to the law…” Rosenbach is not an employment case (it concerns a patron’s access to Six Flags); but, it impacts employers’ practices for collecting and maintaining biometric data for time tracking or security purposes. All companies—with any presence in Illinois—should be reviewing policies and protocols because simply failing to comply with the statute’s requirements could result in a firestorm of litigation from affected employees, consumers and patrons.

What should you ensure you are doing today?

  1. Establish and make public (for example, post on the company’s website) a written policy that addresses the purpose(s) of biometric data use, how it will be collected, and how it will be stored.
  2. Be prepared to address any requests for reasonable accommodations based on disability, religious, or other reasons.
  3. If biometric data might leave a closed system, ensure that proper safeguards are in place, including contractual liability shifting.
  4. Ensure that employees whose biometric data is used acknowledge the policy, and authorize its use and collection in writing.
  5. Train supervisors on the company’s policies and practices to ensure consistency.
  6. Have biometric data systems audited to ensure that data is not open to the public or a systems breach.
  7. Finally, consult with competent counsel to ensure that policies and practices comply with relevant law.

Illinois Supreme Court to Decide Biometric Privacy Case

Contributed by Carlos Arévalo, November 27, 2018

In October of 2017, we first reported on the filing of a class action suit by a group of Chicago-area employees where plaintiffs alleged that their employer’s use of worker fingerprints for time-tracking purposes violates the Illinois Biometric Information Privacy Act (BIPA). Specifically, the employees claimed that their employer failed to properly inform them in writing of the specific purpose for which their fingerprints were being collected and the length of time their fingerprints would be stored. Plaintiffs also claimed the employer failed to obtain written consent before obtaining fingerprints.

Then, this past June, we reported on a federal court’s decision finding that despite no concrete damage, an employee (and her putative class) might have a triable cause of action for violating her privacy and right to control her biometric data. The allegations in this case also included a failure to inform the specific purpose of collection and failing to obtain written authorization for the collection of biometric data.

On November 20, 2018, the Illinois Supreme Court heard oral arguments in Rosenbach v. Six Flags Entertainment Corp., a case specifically addressing BIPA. While Rosenbach is not an employment case (it concerns a patron’s access to Six Flags), it nevertheless involves the issue of whether collection of biometric data alone triggers statutory damages even if the plaintiff has not claimed actual harm. The lower appellate court in Rosenbach found that alleging only technical violations of the notice and consent provisions of the statute is not tantamount to alleging an adverse effect or harm. Thus, how the Illinois Supreme Court rules in the next few months is bound to have a significant impact on Illinois employers and potentially elsewhere in the country.

In the meantime, to avoid and/or minimize any BIPA issues or potential liability, we continue to recommend that employers take the following steps:

    1. Establish a written policy that addresses the purpose(s) of biometric data use, how it will be collected, and how it will be stored.
    2. Be prepared to address any requests for reasonable accommodations based on disability, religious, or other reasons.
    3. If biometric data might leave a closed system, ensure that proper safeguards are in place, including contractual liability shifting.
    4. Ensure that employees whose biometric data is used acknowledge the policy, and authorize its use and collection.
    5. Train supervisors on the company’s policies and practices to ensure consistency.
    6. Have biometric data systems audited to ensure that data is not open to the public or a systems breach.
    7. Finally, consult with competent employment counsel to ensure that policies and practices comply with relevant law.

 

Illinois Employer Faces Class Action for Using Fingerprints to Track Attendance

Contributed by Suzanne Newcomb, October 5, 2017

Technology allowing employers to use biometric data tools to track attendance and maintain worksite security abounds. Purveyors hype the advanced technology’s ability to accurately validate time entries, eliminate fraud, and better control access to the workplace or to sensitive areas within the workplace. If these systems are so readily available, it must be legal for employers to use them, right? As with seemingly everything involving HR and the workplace, it depends.

Last week, a group of Chicago-area employees filed a class action suit, alleging their employer’s use of worker fingerprints for time-tracking purposes violates the state’s biometric information privacy law. Specifically, the employees claimed that their employer failed to:

  • Properly inform them in writing of the specific purpose for which their fingerprints were being collected and the length of time their fingerprints would be stored and used;
  • Provide a publicly available retention schedule and guidelines for permanently destroying their fingerprints; and
  • Obtain their written consent before obtaining fingerprints.

In 2008, Illinois became the first state to explicitly regulate the use of “biometric identifiers” which it defines as a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry and their derivatives, regardless of how that information is captured, converted, stored, or shared. 740 ILCS 14/10. The Illinois Biometric Information Privacy Act (BIPA) applies broadly to any individual or entity other than the government, and therefore encompasses all private-sector employers operating within the state.

Illinois Biometrics Legislation Sets Trend

Until recently, Illinois and Texas were the only states with laws addressing biometrics. However, a new wave of high-exposure litigation under BIPA has had an impact on other states’ decisions to introduce legislation on the matter. Many states, including Illinois, have data breach notification laws that cover biometric information, as well as other sensitive personal information.

Employers operating exclusively in jurisdictions that have not regulated the use of biometric information specifically could still face breach of privacy or negligence claims if their employees’ biometric information is compromised.

Tips for Employers

Due to the growing number of data breaches, employers are encouraged to ensure they have protocols in place to safeguard all of the personal information they possess, particularly biometric information.

Whether you are thinking about adopting and using biometric data or have already implemented this technology, it is vital that employers take the following steps before collecting any biometric data to ensure their use complies with the growing regulation in this area:

  1. Assemble a team of experienced legal, cyber-security, and data-breach experts prior to selecting or implementing any technology that uses biometrics. Involve this team in vetting potential vendors, negotiating the terms of vendor contracts, and developing protocols.
  2. Carefully draft policies and procedures to safeguard and properly destroy biometric information, as well as protocols in case of a breach. Ensure those policies, procedures, and protocols (and those of your outside vendors) comply with all applicable laws, including notice and disclosure requirements.
  3. Clearly disclose to your employees, in writing, your intent to collect and use biometric information, the ways the information will be used, the means by which the information will be collected, maintained, and eventually destroyed, as well as the safeguards the company has put in place to secure this information.
  4. Obtain each employee’s informed written consent prior to collecting any biometric information. Consider good faith objections and requests for accommodation and analyze and address those requests in accordance with all applicable laws.
  5. Continue to monitor changing federal, state and local regulations in this area.