Back in 2008, Illinois enacted what at the time must have seemed like a relatively obscure law to address privacy concerns associated with biometric information – the Biometric Information Privacy Act or “BIPA”. At the time, biometric devices existed, but they weren’t terribly common. Today, many of us carry a sophisticated fingerprint reader or face scanner in our pockets, and many businesses have adopted biometric security for everything from company phones and computers to timekeeping systems to door access. Unfortunately, many of those same businesses had never heard of BIPA. Cue the lawyers.
Back in July 2017, we reported on several class action lawsuits filed against employers who allegedly failed to comply with BIPA. These lawsuits were potentially a big deal for organizations of any size, because BIPA provides for liquidated damages of $1,000 for each negligent violation, and $5,000 per willful violation, plus attorneys’ fees. In December 2017, the Illinois Appellate Court for the Second District threw potential defendants a break, holding in Rosenbach v. Six Flags Entertainment Corp. that plaintiffs could recover liquidated damages under BIPA only if they could show that they were actually harmed in some way by a violation. Many organizations breathed a sigh of relief after this decision. If the rule had held, it would have greatly diminished the pool of potential plaintiffs who could bring BIPA lawsuits. However, in September 2018, the Appellate Court for the First District reached the opposite conclusion in Sekura v. Krishna Schaumburg Tan, Inc. The Illinois Supreme Court resolved this brief split in authority last week, when it reversed the Second District’s ruling in Rosenbach, allowing Six Flags Great America patrons whose fingerprints were used to verify their identities when reentering the park to pursue claims for liquidated damages under BIPA. (See our write-up on that decision here.)
If you manage payroll for a “private entity” operating in Illinois that uses biometric time clocks to track employee hours, now would be a really good time to make sure that you have BIPA-compliant policies and procedures in place. Ditto if your organization uses biometric technology for anything else – company phones, laptops, door locks, etc.