Signed into law in 2008, the Illinois Biometric Information Privacy Act (740 ILCS 14/1 et seq.), or BIPA, imposes a range of compliance obligations on companies that collect biometric data, including fingerprint scans. Among other requirements, companies using biometrics must provide notice and obtain written consent. They must also establish and make publicly available a policy and procedure for storage of such biometric information.

Failure to comply with BIPA can be costly, as the law provides for a private right of action that allows plaintiffs to recover statutory damages for violations. Negligent violations of BIPA can result in a $1,000 fine and intentional violations can result in a $5,000 fine.

Given the rate at which fines can add up, BIPA has, not surprisingly, become a new favorite of the plaintiffs’ bar. Numerous actions have been brought against businesses, many of which involve the use of biometrics to authenticate or “punch-in/punch-out” employees. Although success by claimants thus far has been limited, companies should take steps to minimize their exposure to potential lawsuits.

BIPA Requirements and Penalties

Compliance with BIPA requires at least the following: (1) creating a written, public policy detailing the company’s guidelines for retention and destruction of the biometric information; (2) informing employees in writing about the biometric retention policy and the purposes for storing employees’ biometric information; and (3) obtaining a written release/consent from employees authorizing such collection.

BIPA creates a private right of action enabling a plaintiff to potentially recover $1,000 for each negligent violation and $5,000 for each intentional violation. This means, for example, that potential damages for clocking employees into work using their fingerprints can quickly run into the millions of dollars. With these figures in mind, it makes sense that BIPA has become a new favorite of the plaintiffs’ bar, and that numerous employers have already been targeted with class actions.

BIPA Class Actions on the Rise

In a typical fact pattern, an employer will establish a new nationwide policy of using biometric fingerprint identification to authenticate access to corporate information or to identify when employees have begun and ended their work shifts. In some cases, these systems have been introduced by third-party vendors as part of software updates or as additional features for existing software. In all cases, the plaintiffs allege: (1) the failure to inform the plaintiff (or the class of plaintiffs) of the specific purpose and length of time of the collection; (2) the failure to make the guidelines and retention schedule publicly available; and (3) the failure to obtain a written release and/or consent.

There has been only one settlement under BIPA to date; the defendant in that matter was LA Tan Enterprises. The settlement was approved on December 1, 2016, in Cook County (Klaudia Sekura v. L.A. Tan Enterprises, Inc. Case No. 2015 CH 16694). The total settlement amount was $1.5 million, which equated to approximately $150 per claim. 

Potential Defenses: the Courts Remain Split

Some defendants have had success arguing that the plaintiffs were not damaged by the retention of their information, and that accordingly the plaintiffs lack standing to assert any claim, including the claim for statutory damages. While a full analysis of this issue is beyond the scope of this update, it bears mention that courts analyzing this issue have split: some have held that plaintiffs have no standing (e.g., McCollough v. Smarte Carte, 2016 WL 4077108 (N.D. Ill. 2016)), whereas others have held that plaintiffs did have standing (Rosenbach v. Six Flags, Case No. 16 CH 13 (Lake County, IL)). At present, this issue is far from settled.

Indeed, until the threshold question of plaintiff standing is addressed fully by the appellate courts, employers and businesses can continue to expect class actions from the plaintiffs’ bar attacking any collection of biometric information in Illinois. As such, compliance with BIPA is key, and businesses should investigate whether collection of such data is necessary at all.