A new legislative proposal pending before Illinois lawmakers has the potential to make life a lot easier for employers and businesses when it comes to exposure and liability for biometric privacy claims. While the Illinois Biometric Information Privacy Act (BIPA) has been the source of headaches for employers for the last several years, leading to expensive class action lawsuits, arbitrations, and settlements, and court interpretations of the Act have largely led to employee-friendly results, much of that could soon be changing. With the introduction of House Bill 559, the Illinois legislature is seeking to curb the burdens the Act imposes on employers. What do employers need to know about this pending proposal?
What Does BIPA Require?
Before we take a closer look at HB 559, it’s important to understand the stringent requirements and penalties currently imposed on employers by BIPA. The statute mandates that private entities — including employers — that collect or maintain employees’ fingerprints, retinal or iris scans, voiceprints, hand scans, or face geometry must first receive written consent from the employee. The law also requires employers to develop a publicly available policy that establishes the retention schedule for the applicable biometric data, among other things. Moreover, the Act’s requirements apply to information derived from biometric data, which could include electronic representations of biometric data. The statute also contains various data retention requirements concerning individuals’ biometric data.
Failure to comply with BIPA’s requirements can result in liquidated damages of $1,000 per negligent “violation” and $5,000 per intentional “violation,” or actual damages, whichever is greater. Indeed, employees do not need to show that they have suffered any actual harm in order to prevail. The law also provides for attorneys’ fees, costs, and any other relief that a court may deem appropriate.
While the foregoing may appear straightforward, like many matters relating to the Act, the definition as to what constitutes a “violation” is ambiguous. Significantly, a recent decision by a federal court sitting in Illinois ruled that a “violation” of the Act occurred each time an individual scanned their biometric data, rather than one violation as a result of a failure to obtain written consent, leading to potentially astronomical penalties against employers who may not have strictly complied with the Act. Notably, this decision has been appealed to the 7th Circuit Court of Appeals, although that court has yet to render a decision on this issue.
In addition, the appropriate limitations period associated with the Act is far from certain. While several Illinois trial courts and federal courts sitting in Illinois have held that the Act is subject to a five-year limitations period, two separate appeals at the Illinois Appellate Court are evaluating whether the Act is subject to a one-, two-, or five-year period. These decisions, along with the definition of a “violation,” have remarkable implications as to employers’ financial exposure in cases pursuant to the Act. For example, a putative class action that encompasses five years of employees on a per-swipe basis will generally entail more financial exposure than a class action that looks back one year and limits damages on a per-person basis.
What Does HB 559 Do?
HB 559, if passed, would change much of the foregoing and provide much-needed relief and clarity for employers who collect biometric data.
Limit Types of Biometric Data Covered by the Law
First and foremost, the bill would limit the type of biometric data governed by the statute. Currently, the Act pertains to biometric data and information derived from that data. For example, many biometric clocks translate a fingerprint into a mathematical representation that cannot recreate the fingerprint itself. The collection of the mathematical representation would remain under the purview of the Act based on the statute’s current language. HB 559 would change this, as the bill provides that such derivations of biometric data – if they cannot be used to recreate the biometric data itself – would not be subject to the Act’s requirements.
Create Clear One-Year Statute of Limitations and Cure Opportunity
Moreover, the proposed amendments to the Act would not only implement a one-year statute of limitations but also establish additional procedural requirements before a party could file a lawsuit.
As noted above, there is no defined limitations period for BIPA and, furthermore, no statutory prerequisites to filing a lawsuit. Under HB 559, prior to filing a lawsuit, an individual would first need to provide an employer 30 days’ written notice of a specific purported violation of the Act. If, within those 30 days, the employer cures the alleged violation and provides a written notice to the individual stating as such and that no further violations will occur, then the individual would be barred from filing a lawsuit based on the alleged violations. Only if the employer does not cure the alleged violation or violates the statements contained in the written notice would an individual be permitted to file a lawsuit on a class basis or otherwise. This measure could vastly limit the number of lawsuits faced by employers under the Act.
Revise Damages Recovery Scheme
Another substantial change from the current statutory scheme concerns how damages are calculated and recovered under the Act. As it currently stands, BIPA provides for liquidated damages and does not require an individual to prove actual damages in order to be considered a prevailing party. If HB 559 is passed, no predetermined liquidated damages would be available and an individual would need to prove actual damages in order to be eligible to recover liquidated damages, attorneys’ fees, and costs.
Further, in an effort to delineate alleged negligent violations of the Act from purported willful violations, individuals who prove willful violations and actual damages would additionally be entitled to a liquidated damages sum in the amount of the actual damages suffered.
These proposed changes to the Act’s damages provisions could have far-reaching effects. Not only would employees need to prove actual harm if they file a lawsuit (which is not a present requirement), but the possible variation in the calculation of putative class members’ damages could be used to decertify a class action if there is sufficient differentiation. Needless to say, HB 559 could benefit employers in these respects.
Questions Would Remain
Of note, the aforementioned amendments do not represent all of the potential changes identified by HB 559 – and the bill would still leave some unanswered questions. For example, HB 559 still does not define what constitutes a “violation.” As yet another open issue, it is unknown whether HB 559 will apply to matters prior to its potential passage. The proposed legislation does not specifically state as such and, in Illinois, whether an amendment applies retroactively is contingent upon whether the change impacts substantive or procedural rights. If an amendment affects substantive rights, it is unlikely that it would apply retroactively. Changes to procedural rights, on the other hand, are more likely to be applied retroactively. HB 559 appears to impact both categories (creating more ambiguity), though Illinois generally considers statutes of limitations to be procedural in nature, which potentially supports an argument that HB 559’s changes in this regard will apply retroactively.
In any event, time will tell whether the Illinois legislature passes these measures and, if so, whether the governor will sign them into law. If the law does pass as written, you should consult with counsel as to the implications of any such amendments to the Act.
What Should Employers Do In The Interim?
While we wait to see the fate of this proposal, you must remain vigilant in complying with BIPA’s requirements. Whether or not HB 559 is passed, BIPA demands strict compliance – and creates serious consequences for even the most innocent of mistakes. You need to implement lawful policies, procedures, and authorizations before they collect any biometric data. These measures are essential to defending against any claims under the Act.