Tag Archives: Biometric Information Privacy Law (BIPA)

Facebook Agrees to $550 Million Settlement in BIPA Class Action

Contributed by Carlos Arévalo and guest author Molly Arranz, February 4, 2020

In the face of billions of dollars of potential liability at trial, social media giant, Facebook, opted for the finality of a class-wide settlement—to the tune of $550 million—reached with Illinois users complaining of violations of the Illinois Biometric Information Privacy Act (BIPA). Facebook explained that the settlement was “in the best interest of [its] community and shareholders.” If approved by the court, the $550 million settlement will be the largest of its kind and will put an end to a case where Plaintiffs alleged that Facebook violated BIPA by collecting biometric data without consent through its facial-tagging feature. 

Under BIPA, entities may not “collect, capture, purchase, receive through trade or otherwise obtain” or store a person’s biometric information without informing an individual in writing about the collection or storage of said information. Further, entities collecting biometric information must specify the purpose for its collection and storage and how long it will be kept. Finally, entities must obtain a written release signed by the individual whose information has been collected. A failure to comply with these requirements gives an aggrieved individual a “private right of action” and allows the recovery of a minimum of $1,000 in liquidated damages, reasonable attorneys’ fees and costs and injunctive relief to anyone who successfully shows a violation. 

While plaintiff did not allege actual damages, the 9th Circuit confirmed that failure to obtain written consent and to establish a compliant retention schedule resulted in a compensable injury. Facebook and other companies have similarly come up short in other defenses in the face of BIPA class actions grounded in a failure to obtain the appropriate consent and to comply with the statute’s other requirements.

In fact, Illinois’ BIPA, the most comprehensive legislation addressing the privacy of biometric information, packs a significant punch because, unlike other states that have statutes protecting biometric data, including the California Consumer Privacy Act (the CCPA), the Illinois statute has been found to contain a private cause of action for the (mere) failure to comply with the law’s requisites. It is unclear what impact this Facebook settlement will have on other state legislatures in drafting similar privacy protections, and how such an eye-popping settlement, without any alleged injury to the actual privacy of the Facebook users, might drive Congress to take action. No matter what, there appears to be no immediate relief in sight.

Our prior recommendations remain in place. Specifically, employers should review, audit and update practices regarding the use of their employees’ biometric data. This means companies with an Illinois presence should take the following steps:

  1. Establish and make public (for example, post on the company’s website) a written policy that addresses the purpose(s) of biometric data use, how it will be collected, and how it will be stored.
  2. Be prepared to address any requests for reasonable accommodations based on disability, religious, or other reasons.
  3. If biometric data might leave a closed system, ensure that proper safeguards are in place, including contractual liability shifting.
  4. Ensure that employees whose biometric data is used acknowledge the policy, and authorize its use and collection in writing.
  5. Train supervisors on the company’s policies and practices to ensure consistency.
  6. Have biometric data systems audited to ensure that data is not open to the public or a systems breach.
  7. Consult with competent counsel to ensure that policies and practices comply with relevant law.

Hotel Workers’ Claims under the Biometric Information Privacy Act Are Not Subject To Arbitration Clause

Contributed by Michael Faley, May 7, 2019

In only the latest of potential blows to companies that collect or use biometric data, an Illinois Appellate Court has ruled that claims brought by employees of the Four Seasons luxury hotel for alleged violations of the Illinois Biometric Information Privacy Act (BIPA) are not subject to arbitration under the workers’ respective employment agreements with the hotel. Liu v. Four Seasons Hotel, Ltd., 2019 IL App (1st) 182645.

The BIPA was enacted to protect the privacy of individuals’ biometric data. It governs the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information, which includes retina or iris scans, fingerprints, voiceprints, or scans of “hand or face geometry.” 740 ILCS 14/1, et seq. BIPA contains a private right of action whereby a party may recover damages of $1,000 (or actual damages if greater) for each negligent violation of BIPA and $5,000 (or actual damages if greater) for each intentional or reckless violation, as well as attorney’s fees, costs, and expenses. Violations can be aggregated—meaning every day a company is not in compliance could serve as a separate “violation.” As reported in this blog, earlier this year, the Illinois Supreme Court lowered the bar for what a complaining party must show in order to pursue a BIPA case against a company.

In Liu, the employees filed a class action complaint alleging that the Four Seasons violated BIPA through its method of collecting, using, storing and disclosing the employees’ biometric data (their fingerprints) for timekeeping purposes.

The Four Seasons maintained that the employees’ complaint fell within a provision of the employment agreement requiring arbitration of any claim for a “wage and hour violation.” The hotel argued that the sole reason for requiring employees to scan their fingerprints was to monitor the number of hours worked, which necessarily made it a claim for a “wage and hour violation.” However, the Appellate Court disagreed, holding that BIPA is a privacy rights law that applies inside and outside of the workplace. The Appellate Court explained that simply because an employer opts to use biometric data, like fingerprints, for timekeeping does not transform a potential BIPA violation into a wage and hour claim. As a result, the Appellate Court found that the employees possessed the right to proceed with their claims in court.

Notably, the outcome may have been different had the Four Seasons’ employment agreements contained a broader arbitration clause or otherwise been updated to account for ongoing changes in the law.

To avoid and/or minimize any BIPA issues or potential liability, we continue to recommend that employers take the following steps:

  1. Review policies and procedures and identify if, and when, biometric data, such as retina or iris scans, fingerprints, voiceprints, or scans/pictures of hand or face geometry are being used.
  2. Establish a written policy that addresses the purpose(s) of biometric data use, how it will be collected, and how it will be stored.
  3. Be prepared to address any requests for reasonable accommodations based on disability, religious, or other reasons.
  4. If biometric data might leave a closed system, ensure that proper safeguards are in place, including contractual liability shifting.
  5. Ensure that employees whose biometric data is used acknowledge the policy, and authorize its use and collection.
  6. Train supervisors on the company’s policies and practices to ensure consistency.
  7. Have biometric data systems audited to ensure that data is not open to the public or a systems breach.
  8. Consult with competent employment counsel to ensure that policies, practices and agreements comply with the relevant law.
  9. Regularly review policies, procedures and agreements for compliance with updates to the law and current case law.

Illinois Employer Faces Class Action for Using Fingerprints to Track Attendance

Contributed by Suzanne Newcomb, October 5, 2017

Technology allowing employers to use biometric data tools to track attendance and maintain worksite security abounds. Purveyors hype the advanced technology’s ability to accurately validate time entries, eliminate fraud, and better control access to the workplace or to sensitive areas within the workplace. If these systems are so readily available, it must be legal for employers to use them, right? As with seemingly everything involving HR and the workplace, it depends.

Last week, a group of Chicago-area employees filed a class action suit, alleging their employer’s use of worker fingerprints for time-tracking purposes violates the state’s biometric information privacy law. Specifically, the employees claimed that their employer failed to:

  • Properly inform them in writing of the specific purpose for which their fingerprints were being collected and the length of time their fingerprints would be stored and used;
  • Provide a publicly available retention schedule and guidelines for permanently destroying their fingerprints; and
  • Obtain their written consent before obtaining fingerprints.

In 2008, Illinois became the first state to explicitly regulate the use of “biometric identifiers” which it defines as a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry and their derivatives, regardless of how that information is captured, converted, stored, or shared. 740 ILCS 14/10. The Illinois Biometric Information Privacy Act (BIPA) applies broadly to any individual or entity other than the government, and therefore encompasses all private-sector employers operating within the state.

Illinois Biometrics Legislation Sets Trend

Until recently, Illinois and Texas were the only states with laws addressing biometrics. However, a new wave of high-exposure litigation under BIPA has had an impact on other states’ decisions to introduce legislation on the matter. Many states, including Illinois, have data breach notification laws that cover biometric information, as well as other sensitive personal information.

Employers operating exclusively in jurisdictions that have not regulated the use of biometric information specifically could still face breach of privacy or negligence claims if their employee’s biometric information is compromised.

Tips for Employers

Due to the growing number of data breaches, employers are encouraged to ensure they have protocols in place to safeguard all of the personal information they possess, particularly biometric information.

Whether you are thinking about adopting and using biometric data or have already implemented this technology, it is vital that employers take the following steps before collecting any biometric data to ensure their use complies with the growing regulation in this area:

  1. Assemble a team of experienced legal, cyber-security, and data-breach experts prior to selecting or implementing any technology that uses biometrics. Involve this team in vetting potential vendors, negotiating the terms of vendor contracts, and developing protocols.
  2. Carefully draft policies and procedures to safeguard and properly destroy biometric information, as well as protocols in case of a breach. Ensure those policies, procedures, and protocols (and those of your outside vendors) comply with all applicable laws, including notice and disclosure requirements.
  3. Clearly disclose to your employees, in writing, your intent to collect and use biometric information, the ways the information will be used, the means by which the information will be collected, maintained, and eventually destroyed, as well as the safeguards the company has put in place to secure this information.
  4. Obtain each employee’s informed written consent prior to collecting any biometric information. Consider good faith objections and requests for accommodation and analyze and address those requests in accordance with all applicable laws.
  5. Continue to monitor changing federal, state and local regulations in this area.