A recent ruling in the Illinois Appellate Court maintained that biometric data claims under the Illinois Biometric Information Privacy Act (BIPA) do not amount to wage-and-hour claims subject to a luxury hotel owner's arbitration clause. A number of states have recently passed laws concerning biometric data privacy, with more to come. Illinois led the field of states with its act. The Illinois BIPA is particularly concerning to employers, given that it includes a private right of action and does not require a plaintiff to suffer actual harm to warrant statutory damages.
In 2008, the Illinois legislature became concerned about the commercialization and use of biometric information. As such, it became the first state to enact legislation designed to protect consumers’ biometric information. The Illinois BIPA regulates the collection, storage and transmission of biometric information. BIPA applies to two different types of data: biometric identifiers and biometric information. Biometric identifiers include retina/iris scans, fingerprints, voiceprints, hand geometry or face geometry. Biometric information is any information that is based on a biometric identifier. More specifically, biometric information is legally distinct and is intended to prevent evasion of the statute’s requirements.
BIPA also creates regulatory hurdles prior to capturing biometric data. Those steps include (1) informing the subject that a biometric identifier is being collected or stored; (2) informing the subject in writing the specific purpose and length of term for which the data is being collected, stored and used; and (3) receiving a written release by the subject. The statute prohibits an entity from selling or otherwise profiting from biometric data. BIPA allows for disclosure in limited circumstances, including:
The subject of the biometric identifier or biometric information consents to the disclosure
The disclosure is necessary for a financial transaction requested or authorized by the subject of the biometric identifier or biometric information
The disclosure is required by law or order
BIPA requires businesses that store biometric identifiers or biometric information to use the same processes that it would store other confidential information. Furthermore, businesses must follow the reasonable standard of care used within their industry when storing, transmitting and protecting biometric identifiers and biometric information. Unlike other states, Illinois allows for a private right of action. Under BIPA, penalties range from $1,000 to $5,000. A technical violation of BIPA is enough to trigger penalties.
In Liu et al. v. Four Seasons Hotel Ltd. Et al., case number 1-18-2645, Appellate Court of Illinois, First District, the appellate panel found that at the outset, BIPA is a privacy law that applies both in and out of the workplace. Moreover, BIPA must be expressly acknowledged as a claim subject to arbitration in an arbitration clause. In Liu, the employer had an arbitration provision that subjected only four categories of claims to arbitration. The employer argued that BIPA claims fell under a "wage or hour violation." The panel stated, "simply because an employer opts to use biometric data, like fingerprints, for timekeeping purposes does not transform a complaint into a wage or hours claim." That meant that the BIPA claim in Liu was not subject to the arbitration clause in the plaintiffs' employment agreement. The plaintiffs alleged that the hotel did not get consent to use biometric data, did not disclose that it shared fingerprint data with the payroll vendor, did not tell them in writing how their data will be used and did not provide a retention schedule for biometric information.
While this case will clearly impact employee related claims under BIPA, it also has implications in other areas where a court might also find that a claim involving privacy or other rights falls outside of an arbitration clause. Employers may want to consider reviewing their arbitration clauses to ensure that they cover such statutory claims.