Category Archives: Data Privacy, Security and Litigation

BIPA: The Ongoing Threat of Employee Class Actions and Recent Developments

Contributed by Carlos Arévalo and guest author Molly Arranz, October 9, 2020


Even in the pandemic, the (high) number of class action filings based upon the Illinois Biometric Privacy Act (BIPA) remains steady. Against that backdrop come two recent decisions that may require employers to shift their defense strategies.

First, in McDonald v. Symphony Bronzeville Park LLC, the Illinois Court of Appeals ruled that the state Workers’ Compensation Act (WCA) and its exclusivity provisions do not bar claims for statutory damages under BIPA. The court distinguished the two, noting that while the WCA provides remedies to workers who have sustained an actual injury, BIPA provides statutory, liquidated damages to employees who allege privacy right violations even when there is no injury. This outcome should come as no surprise given past rulings on what an employee or consumer needs to show to pursue a BIPA claim. Thus, as it relates to BIPA claims, the WCA exclusivity defense is no longer viable, at least for the time being, since this case will likely be appealed to the Illinois Supreme Court.

In a second decision, Williams v. Jackson Park SLF, LLC, the Northern District of Illinois held that union workers under a collective bargaining agreement are preempted from pursuing a BIPA cause of action in federal court. The overall success of this argument, though, may be limited as the court is allowing the plaintiff to amend its complaint, meaning the case may still be litigated by non-union class members. It remains to be seen what defenses to the merits—and perhaps, more importantly, to class certification—can be advanced with an amended complaint and amended class definition.

On balance: it has been 12 years since BIPA was enacted, but many questions are still being battled in court as employers and employees continue to navigate this biometric privacy law. One thing is for certain: BIPA packs a punch with eye-popping statutory damages and monetary awards that can range anywhere from $1,000 to $5,000 per violation plus attorneys’ fees. Moreover, considering that an alleged violation is enough to bring a suit, BIPA is a class action dream – bearing in mind that if an employer is collecting biometric data on one individual, it is collecting it on many individuals.

To avoid finding yourself facing a BIPA class action, the best thing you can do as an employer is ensure basic compliance in the first place:

  • Determine what biometric information you are collecting. Under BIPA, biometric data is sensitive information that is biologically unique, such as iris scans, fingerprints, voiceprints, and face geometry. Both of the recent lawsuits were brought by employees using fingerprints or handprints to clock in and out of work. While these may now seem like obvious identifiers, remember that some identifiers can be captured simply through voice or video recording. Advanced technology can enhance the workplace experience, but when integrating new systems, think through what information your company may be collecting in order to determine any necessary disclosures.
  • Evaluate what disclosures you currently have in place. To comply with BIPA, companies must provide written notice to their users disclosing what biometric information will be collected, stored, or used, as well as an explanation of the purpose of its collection. Additionally, prior to collection it is best to obtain express written authorization from employees to collect and store their biometric information.
  • Create a public-facing policy that is easily accessible for employees. Biometric data has become a hot-button issue across the country. Since biometric information is uniquely sensitive and cannot be changed, there is constant, growing concern about how information is being collected, stored, and destroyed. Creating a company policy that is available to employees is not only required, but also helps ease some concern. Consider posting the policy in public spaces like breakrooms, or perhaps in areas where the biometric data is being used. For example, if your employees clock in via fingerprints, then perhaps it is worth posting a copy of the policy near the time clock.
  • Stay alert to both recent court decisions and pending regulations. BIPA has caused quite a stir and will continue to be challenged in courts as employers and employees alike learn what can and cannot be brought under BIPA. While staying up to date on recent court decisions is always beneficial, it is also important to be alert to any regulatory changes so that your business can remain in compliance. Recently, the National Biometric Information Act of 2020 was introduced in the U.S. Senate. If passed, this would be the first comprehensive federal policy of its kind concerning biometric data. Since this bill has only been introduced, you are not subject to any official requirements as of yet. However, the more you are aware of upcoming regulations, the better prepared your company will be to comply efficiently and effectively.


Illinois Employer Faces Class Action for Using Fingerprints to Track Attendance

Contributed by Suzanne Newcomb, October 5, 2017


Technology allowing employers to use biometric data tools to track attendance and maintain worksite security abounds. Purveyors hype the advanced technology’s ability to accurately validate time entries, eliminate fraud, and better control access to the workplace or to sensitive areas within the workplace. If these systems are so readily available, it must be legal for employers to use them, right? As with seemingly everything involving HR and the workplace, it depends.

Last week, a group of Chicago-area employees filed a class action suit, alleging their employer’s use of worker fingerprints for time-tracking purposes violates the state’s biometric information privacy law. Specifically, the employees claimed that their employer failed to:

  • Properly inform them in writing of the specific purpose for which their fingerprints were being collected and the length of time their fingerprints would be stored and used;
  • Provide a publicly available retention schedule and guidelines for permanently destroying their fingerprints; and
  • Obtain their written consent before obtaining fingerprints.

In 2008, Illinois became the first state to explicitly regulate the use of “biometric identifiers,” which it defines as a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry and their derivatives, regardless of how that information is captured, converted, stored, or shared. 740 ILCS 14/10. The Illinois Biometric Information Privacy Act (BIPA) applies broadly to any individual or entity other than the government, and therefore encompasses all private-sector employers operating within the state.

Illinois Biometrics Legislation Sets Trend

Until recently, Illinois and Texas were the only states with laws addressing biometrics. However, a new wave of high-exposure litigation under BIPA has had an impact on other states’ decisions to introduce legislation on the matter. Many states, including Illinois, have data breach notification laws that cover biometric information, as well as other sensitive personal information.

Employers operating exclusively in jurisdictions that have not specifically regulated the use of biometric information could still face breach of privacy or negligence claims if their employees’ biometric information is compromised.

Tips for Employers

Due to the growing number of data breaches, employers are encouraged to ensure they have protocols in place to safeguard all of the personal information they possess, particularly biometric information.

Whether they are thinking about adopting biometric technology or have already implemented it, it is vital that employers take the following steps before collecting any biometric data to ensure their use complies with the growing regulation in this area:

  1. Assemble a team of experienced legal, cyber-security, and data-breach experts prior to selecting or implementing any technology that uses biometrics. Involve this team in vetting potential vendors, negotiating the terms of vendor contracts, and developing protocols.
  2. Carefully draft policies and procedures to safeguard and properly destroy biometric information, as well as protocols in case of a breach. Ensure those policies, procedures, and protocols (and those of your outside vendors) comply with all applicable laws, including notice and disclosure requirements.
  3. Clearly disclose to your employees, in writing, your intent to collect and use biometric information, the ways the information will be used, the means by which the information will be collected, maintained, and eventually destroyed, as well as the safeguards the company has put in place to secure this information.
  4. Obtain each employee’s informed written consent prior to collecting any biometric information. Consider good faith objections and requests for accommodation and analyze and address those requests in accordance with all applicable laws.
  5. Continue to monitor changing federal, state and local regulations in this area.