In a decision that is expected to lead to increased Illinois Biometric Information Privacy Act (BIPA) litigation, the Illinois Supreme Court ruled on Feb. 17, 2023 that claims under the law accrue each time data is unlawfully collected and disclosed rather than simply the first time.
BIPA, which was enacted in 2008, addresses the collection, use and retention of biometric information by private entities. Under the law, a private entity must inform an individual or their legally authorized individual of the following before obtaining and/or possessing their biometric information for the purposes of capturing, storing or sharing it:
- That biometric information is being collected or stored
- The specific purpose for the collection, storage and use of the biometric information
- The length of time for the collection, storage and use of the biometric information
In addition, before collecting any biometric information, the private entity must obtain a written release for the collection of the biometric information from the individual or the individual’s legally authorized representative after the above notice has been given.
BIPA has become a hotbed of plaintiff’s litigation, catching Illinois businesses off guard with little recourse other than to settle demands or face expensive, uncertain litigation. There is little doubt that this ruling will add to the large number of cases already pending.
In this most recent pro-plaintiff ruling, a 4-3 court ruled that the plain language of the statute states that a new scan is obtained each time an employee’s fingerprint is scanned and stored in the scanner’s database.
The court noted “[w]ith the subsequent scans, the fingerprint is compared to the stored copy of the fingerprint. Defendant fails to explain how such a system could work without collecting or capturing the fingerprint every time the employee needs to access his or her computer or pay stub.”
The defense argued that if a new claim accrued with each scan, it would result in the absurd result that informed consent would need to be obtained from the individual each time the fingerprint was collected. The plaintiff disagreed, stating that the companies would need consent only once as long as nothing changes about their collection and disclosure practices. However, the distinction is that if the company fails to obtain informed consent in the first instance, a BIPA violation would occur each time the company collects a scan without obtaining informed consent.
Companies with operations in Illinois need to be aware of and take steps to comply with BIPA if they use biometric technologies. BIPA requires private entities to develop a written policy that establishes a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information. Such a policy must be made available to the public.
BIPA also restricts private entities’ right to sell, lease, trade or otherwise profit from a person’s biometric identifier or biometric information. An employer who adheres to the requirements of BIPA should be able to avoid class action litigation on this issue and maintain compliance with industry standards.
[View source.]
