Seyfarth Synopsis: Over the last few years, Illinois companies have quickly become aware of the risks associated with the state’s unique biometric privacy law. Originally passed in 2008, the Illinois Biometric Information Privacy Act (“BIPA”) made Illinois the first state to enact a policy governing the collection and storage of biometric data resulting in a surge of class action lawsuits filed by employees and consumers alleging that their biometric data was improperly collected for timekeeping, security, and consumer transactions. While filing activity under the statute remained silent for nearly a decade following its enactment, the recent explosion of class actions in Illinois under the BIPA has since made biometric privacy compliance a top priority for many employers. In today’s blog, we examine this novel class action trend and provide a comprehensive analysis of the class action filing history of claims under the BIPA including the volume of class action filings, a breakdown of jurisdictions in which class actions are filed, who is filing, and the primary industries facing class actions.
Background Of The BIPA
As biometric technology has become more practical and affordable, businesses have gradually begun to utilize these innovative tools for various beneficial purposes, such as implementing biometric time clocks to prevent “buddy punching,” facilitate consumer transactions, and for restricting access to secure areas. Accordingly, the BIPA was enacted by the Illinois state legislature as a reaction to the increased use of biometric technology due to the sensitive nature of biometric identifiers and associated data.
The BIPA regulates the collection, capture, and storage of “biometric identifiers,” such as fingerprints, voiceprints, retina/iris scans, and scans of hand or face geometry. Specifically, the statute prohibits an entity from collecting biometric information unless it first: (1) informs individuals in writing that his or her biometric data is being captured; (2) outlines the purpose and period of time for which the data will be utilized; and (3) receives a written release from individuals consenting to the collection. Outside of these guidelines, the BIPA also includes regulations requiring a compliant, publically-available written policy, prohibits disclosure of biometric data to third-parties absent consent, and mandates a “standard of care” that businesses must adhere to in protecting biometric data.
While other states have also implemented biometric privacy statutes, the BIPA is unique because it provides a private right of action, and therefore allows plaintiffs to recover liquidated damages and attorneys’ fees for violation of the statute. Under the BIPA, “[a]ny person aggrieved by a violation” can recover “liquidated damages of $1,000 or actual damages, whichever is greater” for negligent violations, and “liquidated damages of $5,000 or actual damages, whichever is greater” for intentional or reckless violations.
Since the BIPA was the first biometric privacy statute of its kind, there were still a few important questions to be answered regarding the interpretation of the law. Namely, the most pressing threshold issue was whether individuals need to sustain actual damages in order to qualify as a “person aggrieved” in order to asserts claims under the BIPA. As we blogged HERE, this question was answered in the negative by the Illinois Supreme Court in Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Ill. Jan. 25, 2019). In Rosenbach, the Illinois Supreme Court held that a person does not need to allege any actual injury or adverse effect, beyond technical violations of the statute in order to state a claim.
Analysis Of Class Action Filing Trends Under The BIPA
Despite the BIPA being enacted in 2008, the first class action under this law was not filed until 2015. Though this filing drew some attention to Illinois’ unique statute governing biometric data, filing activity under the statute remained minimal until approximately 2017. As indicated in the graphic below, there were only a total of 15 class actions filed in Illinois under the BIPA from 2008 through 2016. However, filings have since increased at an exponential and rapid pace. Most notably, the approximately 161 class actions filed already in 2019 (as of the date this blog was published) more than doubles the total number from 2017, and filings have increased approximately 27 times from the total filings a mere four years ago.
Perhaps the most striking trend of all is the substantial increase in class action filings under the BIPA since the Illinois Supreme Court’s decision in Rosenbach. Since this decision was issued on January 25, 2019, there have been a total of 151 class actions under the BIPA filed in Illinois – approximately a rate of an additional case filed every day. In fact, in just 148 days following the Rosenbach decision, the Illinois plaintiff’s bar filed nearly as many class action lawsuits under the BIPA as it did during a 10-year span prior to the decision. The pie graph below offers a visual account of this prompt spike in litigation activity. It has become clear to all Illinois businesses utilizing biometric technology that the plaintiff’s bar views the Rosenbach decision as a “door-opener” for class action filings under the BIPA.
In terms of jurisdiction, the large majority of class actions are filed in the Circuit Court of Cook County – a traditionally plaintiff friendly jurisdiction. In fact, approximately 82% of filings have been initiated in Cook County. The next most popular jurisdiction is the U.S. District Court for the Northern District of Illinois. However, this federal court represents a distant second to the Circuit Court of Cook County, accounting for just 4% of all class action filings under the statute. While the plaintiff’s bar has filed biometric privacy class actions in a total of nine different courts, the BIPA is, by all accounts, being primarily litigated in the Circuit Court of Cook County.
With the rising number of filings in Illinois, the plaintiff’s class action bar have been staying busy and some plaintiff’s class action firms have carved out a niche in this arena. As indicated below, three firms alone account for more than half of all class actions file under the BIPA in Illinois.
Finally, it is important for employers to know which types of businesses are commonly targeted in these types of biometric privacy cases. As the bar graph below demonstrates, there is no clear target of class actions in terms of industry. One of the most targeted industry of class actions under the BIPA is the business services industry, which includes all companies designed to service other businesses, such as those performing staffing, logistics, or janitorial services. The healthcare industry is also a popular BIPA class action target, and the manufacturing and retail industries are not far behind. Furthermore, though the filing numbers are not as large, the software and technology industry is also notable because it includes many businesses who produce, maintain, or sell the types of timekeeping software at issue.
Best Practices For Compliance
Given the rising class action litigation activity, businesses must proactively implement biometric privacy compliance measures. First and foremost, companies utilizing biometric technology must obtain written consent from individuals prior to storing or collecting their biometric data. This action alone resolves some of the core privacy issues at issue in many biometric privacy class actions. Additionally, companies must maintain a publically-available written policy stating the company’s retention and destruction schedule for all biometric data. Companies should also take steps to ensure that biometric data is not sold or disclosed to third parties by implementing security guidelines for the protection of individuals’ biometric data and ensuring that company vendors provide the same level of data protection, if not higher, than that of the business.
Compliance is key, and there no better time to think about your company’s biometric privacy compliance than right now.