Does your company use fingerprinting or a facial recognition scanner as part of its clock-in, clock-out process? If your company has facilities in, or even some contacts with, Illinois (and maybe other states in the future), you should pay heed to Illinois’s Biometric Information Privacy Act (BIPA), which is the subject of a new class action and has been the source of many prior lawsuits.
The BIPA states that no private entity may “collect, capture, purchase, receive through trade, or otherwise obtain a person’s or a customer’s biometric identifier or biometric information” unless it first:
The BIPA also prohibits businesses from disclosing a person’s biometric information without first obtaining consent and requires businesses to develop and comply with a publicly available written policy for retention and destruction of the information. The BIPA is recognized as one of the strongest state laws protecting individuals’ biometric data and expressly excludes photographs and information from a patient in a health care setting from the definition of biometric identifier.
A putative class of employees recently filed a complaint against Family Dollar and Dollar Tree Inc. in Cook County, Illinois alleging violation of the BIPA. Herron, the representative plaintiff, worked as an hourly employee at Family Dollar in 2017 and had to provide finger scans to clock in and out. The complaint alleges that Family Dollar did not inform the employees in writing of the purpose or obtain consent.
Lawsuits alleging employer violations of BIPA have become commonplace in Illinois in recent years. Walmart recently settled a BIPA employee class action for $10 million. A case currently before the Illinois Supreme Court could decide whether the exclusive remedies under the workers’ compensation law preclude claims for statutory damages under the BIPA where an employee alleges a violation of statutory rights. A defense victory could have a considerable effect on the pending class actions, including the Herron matter.
BIPA critics suggest the law has been abused and leads to frivolous lawsuits. A bill introduced in the Illinois General Assembly would revise and limit the BIPA’s reach.
As of now, the BIPA provides for statutory damages of $5,000 for each willful and/or reckless violation, or $1,000 for each negligent violation. According to the Illinois Supreme Court, an individual need not allege or prove an actual injury to recover damages; the mere violation will create the statutory liability.
While other states have regulated the use of biometric information, Illinois is currently the only one that creates a private right of action. A National Biometric Information Privacy Act of 2020 was introduced in August 2020 and is pending in the Senate now. As drafted, it includes a private right of action.
If you have facilities in Illinois or some contact with Illinois, you should examine and comply with the BIPA’s requirements. Any clock-in, clock-out procedures should not involve biometric information unless you have met and documented the consent requirements. Lawsuits alleging BIPA violations have been filed outside of Illinois where a company has sufficient contacts, so you need to be careful. State biometric protection laws may become more common, so carefully examine your practices if fingerprint scanners or any other type of biometric recognition technology are part of your operations.