Seyfarth Synopsis: On November 30, 2022, the Illinois Second District Appellate Court reversed the trial court’s grant of summary judgment in Defendant’s favor in a case entitled Mora v. J&M Plating, Inc. The lawsuit was initiated by a former employee of the Defendant metal finisher, alleging that Defendant violated the Illinois Biometric Information Privacy Act (“BIPA”) by collecting employees’ fingerprints without first implementing a written retention and destruction schedule for biometric data. The trial court initially dismissed Plaintiff’s claims but the Appellate Court reversed, finding that the BIPA requires employers to have a retention and destruction schedule in place before they possess any biometric data.
Background on Mora v. J&M Plating, Inc.
Defendant J&M Plating, Inc. hired Plaintiff Trinidad Mora in July 2014, and shortly thereafter, the company began having employees clock into work using a finger scanner. In May 2018, the company implemented a written retention and destruction schedule for biometric data. Plaintiff signed this policy, thereby consenting to the collection of his biometric identifiers (i.e., his fingerprints). Defendant subsequently terminated Plaintiff’s employment in January 2021, and pursuant to its written biometric policy, Defendant destroyed Plaintiff’s alleged biometric data approximately two weeks after his termination.
One month later, Plaintiff filed a class action lawsuit alleging that the company violated Sections 15(a) and (b) of the BIPA by collecting employees’ biometric data without first providing notice, obtaining informed consent, or issuing a retention and destruction policy.
The company initially secured dismissal of Plaintiff’s Section 15(b) claim for failure to obtain written consent before allegedly obtaining biometric information, as the trial court held this claim was time-barred under the applicable five-year statute of limitations because the claim first accrued in September 2014. Defendant later filed a motion for summary judgment on the Section 15(a) claim for failure to maintain a BIPA collection and retention policy, arguing that this Section does not contain a timing requirement and ultimately, Plaintiff’s biometric data was properly destroyed pursuant to a destruction and retention policy. The trial court granted summary judgment for the company, and Plaintiff subsequently appealed.
Illinois Appellate Court Reverses Trial Court’s Dismissal
On appeal, Plaintiff relied on the legislative intent behind the enactment of the BIPA to support his interpretation that covered entities must publish a written schedule before collecting or possessing biometric data. To that end, Plaintiff emphasized the Illinois Legislature’s goal of protecting individuals’ biometric privacy rights through the BIPA, and that the company had six years before Plaintiff was hired to comply with the Act (which was enacted in 2008).
The company responded that Section 15(a) contains no timing component, as its primary concern is to ensure that entities have policies in place to destroy biometric data once the purpose for which the data was collected has ended. Because the company had a retention and destruction schedule in place when Plaintiff’s employment ended (and consistent with BIPA, when the need for using Plaintiff’s data ended), the company argued that any harm suffered by Plaintiff was purely hypothetical.
The Appellate Court reversed the trial court’s decision, finding that the lower court incorrectly interpreted the relevant section of the Act. More specifically, the Appellate Court cited the plain language of Section 15(a), which provides that “[a] private entity in possession of biometric identifiers or biometric information must develop a written policy . . . .” The Court thus reasoned that the implementation of a written policy is triggered by the entity’s possession of biometric data.
The Appellate Court also looked to Section 15(b) to reinforce its holding, as this Section requires that entities obtain an individual’s informed consent before collecting biometric data. Finally, with respect to the company’s argument regarding Plaintiff’s lack of harm suffered, the Court relied on the Illinois Supreme Court’s Rosenbach decision to reason that actual harm is not required to file suit under the Act, as the BIPA was enacted for “preventive and deterrent purposes.” Accordingly, the Court reversed the grant of summary judgment and remanded the case for the trial court to reassess Plaintiff’s claims under Section 15(a).
Implications for Employers
Even in situations where, as in Mora, a company implements a written policy and properly destroys biometric data, a company defendant may be liable for failing to implement the policy before possessing such data. As a result, Illinois businesses should ensure that their biometric privacy practices are entirely in compliance with the Act before beginning to collect any sort of biometric data.
