What Is BIPA and Why Does It Matter?
Employers may not be paying attention to BIPA and resulting litigation in Illinois, but they should. BIPA class action lawsuits have surged since 2015, and filings are expected to reach new heights by the end 2023 [1]. Similar proposals, often modeled after BIPA, have emerged in Arizona, Hawaii, Maryland, Massachusetts, Minnesota, Mississippi, Missouri, New York, Tennessee, Vermont, and Washington, and others are likely to follow [2] [3].
What is BIPA?
In 2008, Illinois enacted what has remained among the most stringent biometric privacy laws passed in the nation, the Illinois Biometric Information Privacy Act (BIPA). The act regulates how employers can collect and store biometric data, which may include fingerprints, voiceprints, facial scans, and iris scans. BIPA requires all employers operating in Illinois to obtain written consent and release from employees before collecting biometric data, and to publicly detail their guidelines for deleting that data.
Who does this impact?
Employers using biometric tools are already affected if they operate in Illinois, but given the development of similar laws in other states, employers only doing business outside of Illinois should also pay attention and take steps now to ensure proper safeguards and consents are in place.
Even employers who are not using biometric tools should pay attention. Just because you are not using biometric tools now does not mean you will not use them in the future. Biometric tools can facilitate rapid, cost-effective timekeeping systems that also reduce employee fraud by preventing clocking in or out by colleagues. In turn, this ensures that time records accurately reflect employee work times. The use of biometrics can also provide additional security in an age where employees may share their passwords or leave personal data visible in unsecure locations; biometric logins can ensure only authorized employees are able to access secure systems.
Further, usage of a third-party company to manage biometric data may not be enough to shield employers from potential impact. In a recent case involving BSNF Railway, the company was found liable despite claims that biometric data was ultimately controlled by a third-party vendor [4]. In another matter, Clark v. Microsoft Corporation, a claim was allowed to proceed merely on the finding that it was plausible that Microsoft could access biometric data gathered through software developed by Brainshark Inc., which integrated Microsoft’s Azure applications, although other claims involving active collection, disclosure, and injury were limited [5].
What happens if BIPA is violated?
It is important to understand that plaintiffs may seek damages without any allegation of harm [6]. In February of this year, the Illinois Supreme Court ruled in Cothron v. White Castle System, Inc. that claims accrue each time data is unlawfully collected and disclosed [7]. If employees are using biometrics to clock in for each shift, that means a penalty is accrued for every employee, every day. With a 5-year statute of limitations allowing for discretionary damages of $1,000 per negligent violation and $5,000 for intentional or reckless violation of the law, potential damages stemming from BIPA violations have skyrocketed [8].
How much is at stake?
In the first BIPA case to go to trial, a jury found that BNSF Railway intentionally violated the Act and awarded $228 million in damages—$5,000 per violation for each of the 45,600 times that driver fingerprints were registered. A new trial will be held to re-determine and finalize appropriate damages [9] [10].
In the two months following the February Cothron ruling, claims involving BIPA rose 65%, to 122 cases, as compared to the two months prior [11]. While we may not reach the heights of settlements reached in prior BIPA cases, $1.1M, $16.75M, $25M, $36M, $50M, $100M, and $650M, there has been a notable filing in every month since the February Cothron ruling [12] [13]. Relevant filings include:
- Papa Johns was the subject of a proposed class action suit in March concerning fingerprint scans [14].
- In April, Amazon was named in a lawsuit alleging improper capture, storage, and usage of geometric facial data through the Amazon Flex app [15].
- Sinai Health System was hit with a lawsuit in May alleging an unlawful requirement to use fingerprints to access biometric cabinets [16].
- A similar lawsuit against Ascension Health was filed in June, also alleging the improper usage of fingerprints without express consent [17].
- In July, PepsiCo was named in a proposed class action alleging lack of consent in the use of voiceprints collected through Honeywell International Inc.'s Vocollect Technology [18].
- Medical device manufacturer Becton, Dickinson and Co. was hit with a class action lawsuit over the collection and storage of fingerprints in August [19].
What should employers do?
BIPA and similar laws developing in other states do not mean that employers cannot or should not use biometrics. But they do mean that introducing transparent collection and proper safeguards are a necessity. Any employer that is considering either collecting or obtaining biometric data, even if a vendor controls access, should ensure policies compliant with BIPA are in place. As additional states eye the introduction of biometric privacy laws, it will become increasingly imperative that employers carefully consider all aspects of biometric privacy before implementing biometric security measures.
Sources
[1] ANALYSIS: AI Becomes New Focus of Employer Biometric Lawsuits (1), Roddy, B., (July 27, 2023), https://news.bloomberglaw.com/bloomberg-law-analysis/analysis-ai-becomes-new-focus-of-employer-biometric-lawsuits
[2] Illinois court decisions acknowledge biometric privacy act's damages a potential business killer, Fredric D. Bellamy, F., and Fernandez, A., (April 17, 2023) https://www.reuters.com/legal/legalindustry/illinois-court-decisions-acknowledge-biometric-privacy-acts-damages-potential-2023-04-17
[3] See Biometrics Law Map by Jackson Lewis P.C. at https://www.jacksonlewis.com/services/biometrics-law-map
[4] Michael Galibois, Gerry Stegmaier and Natsayi Mawere, BNSF Verdict Shows Risk To Cos. From Ill. Biometric Law, Law360 (October 28, 2022), https://www.law360.com/articles/1544255/bnsf-verdict-shows-risk-to-cos-from-ill-biometric-law.
[5] Allison Grande, Microsoft Must Face Trimmed Privacy Suit Over Face Scans, Law360 (August 21, 2023), https://www.law360.com/classaction/articles/1713398.
[6] Illinois Supreme Court Clarifies Accrual for Illinois Biometric Privacy Act Claims, Sidley Austin LLP (February 22, 2023), https://www.sidley.com/en/insights/newsupdates/2023/02/illinois-supreme-court-clarifies-accrual-for-illinois-biometric-privacy-act-claims.
[7] Illinois Supreme Court Opens the Door for Huge Damages Claims in BIPA Actions, Kohne, N., Reed, M., Whitman, M., and Hold, J., (May 11, 2023), https://www.akingump.com/en/insights/blogs/ag-data-dive/illinois-supreme-court-opens-the-door-for-huge-damages-claims-in-bipa-actions
[8] Illinois Supreme Court Finds that Biometric Information Privacy Act Claims Accrue with Each and Every Violation, Nahra, K., and Jessani, A., (February 22, 2023), https://www.wilmerhale.com/en/insights/blogs/wilmerhale-privacy-and-cybersecurity-law/20230223-illinois-supreme-court-finds-that-biometric-information-privacy-act-claims-accrue-with-each-and-every-violation.
[9] Lauraan Wood, Illinois Cases To Watch In 2023: A Midyear Report, Law360 (July 20, 2023), https://www.law360.com/articles/1539166/bnsf-hit-with-228m-judgment-in-first-bipa-trial.
[10] Celeste Bott, BNSF Hit With $228M Judgment In First BIPA Trial, Law360 (October 12, 2022), https://www.law360.com/articles/1699846.
[11] Illinois Biometric Privacy Cases Jump 65% After Seminal Ruling, Joyce, S., and Witley, S., (May 2, 2023) https://news.bloomberglaw.com/privacy-and-data-security/illinois-biometric-privacy-cases-jump-65-after-seminal-ruling.
[12] Goree et al. v. New Albertsons LP, case number 1:22-cv-01738, in the U.S. District Court for the Northern District of Illinois.
[13] BIPA’s Devastating Effects on Illinois Businesses, Appenteng, K., Catlett, C., Haase, D., Henry, O., Jones, J., Lotito, M., Meade, S., and Mroueh, Y., (June 27, 2023), https://www.littler.com/publication-press/publication/bipas-devastating-effects-illinois-businesses
[14] Kyles et al. v. Hoosier Papa LLC et al., case number 1:20-cv-07146, in the U.S. District Court for the Northern District of Illinois.
[15] Rodneka Perry v. Amazon Logistics Inc. et al., case number 2023-CH-03680, in the Circuit Court of Cook County, Illinois, Chancery Division.
[16] King v. Sinai Health et al., case number 2023-CH-04955, in the Circuit Court of Cook County, Illinois, Chancery Division.
[17] Samuel Lopez v. Ascension Health et al., case number 2023CH05692, in the Circuit Court of Cook County, Illinois.
[18] William Hoskin et al., v. PepsiCo Inc., case number 7:23-cv-06413 in the U.S. District Court for the Southern District of New York
[19] Andres Socorro v. Becton, Dickinson & Co., case number 2023CH07087, in the Circuit Court of Cook County, Illinois, Chancery Division.
Experts
- Principal Consultant