Illinois ruling highlights risks of biometric identifier use

Dive Brief:

In a case that could have significant implications for employers, the Illinois Supreme Court has ruled that plaintiffs alleging harm under the state's Biometric Information Privacy Act (BIPA) need not prove any injury beyond a violation of their rights in order to seek liquidated damages and injunctive relief (Rosenbach v. Six Flags Entertainment Corporation et al., 2019 IL 123186 (Ill. Jan. 25, 2019).
The case involved a 14-year-old who was required to provide a fingerprint scan to buy a season pass at a Six Flags amusement park; neither he nor his parents signed a written release or was informed about the purpose and length of retention of the fingerprint data, according to court documents.
Six Flags argued that the plaintiff had suffered no actual or threatened injury and therefore lacked standing to sue, but the Illinois Supreme Court said he was "aggrieved" within the meaning of the statute simply because the business failed to comply with BIPA's requirements. Accordingly, it reversed a lower court's ruling in favor of Six Flags and remanded the case for further proceedings.

Dive Insight:

BIPA imposes numerous restrictions on how private entities collect, retain, disclose and destroy biometric identifiers, including retina or iris scans, fingerprints, voiceprints, scans of hand or face geometry, or biometric information. Any person "aggrieved" by a violation of BIPA is entitled to recover damages, attorney fees and costs and other relief (including injunctive) deemed appropriate by a court.

The Illinois Supreme Court noted that Six Flags had retained the plaintiff's biometric identifiers and information without publicly disclosing "what was done with the information or how long it [was to] be kept." This alone was sufficient to give the plaintiff standing to sue, the court said, even absent a showing of actual damages: "Through the Act, our General Assembly has codified that individuals possess a right to privacy in and control over their biometric identifiers and biometric information."

The court continued, arguing that compliance should not be difficult. "[W]hatever expenses a business might incur to meet the law's requirements are likely to be insignificant compared to the substantial and irreversible harm that could result if biometric identifiers and information are not properly safeguarded," it said.

While Rosenbach deals with a business' interaction with the public, experts say it has implications for employers in the state. "This is a very significant decision considering that many companies have been using biometric identifiers without complying with the statute," said attorney David Morrison, principal at Goldberg Kohn, in a statement provided to HR Dive. "Employers are going to need to revisit using this technology, and work with counsel to come up with compliant policies and procedures."

The ruling could apply to biometric timeclocks, for example. In a 2018 blog post for law firm Littler Mendelson, P.C., attorneys Kwabena A. Appenteng and Philip L. Gordon said that employers' frequent use of such tools "has inspired the plaintiffs' bar to target employers." Employees could potentially assert that BIPA entitles them to at least $1,000 in damages each time biometric data is collected without notice and consent, they said.

The pair predicted that if the Illinois Supreme Court "were to decide that a failure to provide notice and obtain consent, standing alone, is enough to sustain a BIPA action" — which is precisely what happened — "employers are almost certain to see an increase in BIPA litigation."