Since November 2016, over thirty-five class action lawsuits have been brought under the Illinois Biometric Information Privacy Act (the Illinois “BIPA”) in Illinois state and federal courts. Under the Illinois BIPA (which was enacted in 2008), “biometric information” is defined as “any information, regardless of how it is captured, converted, stored or shared, based upon on an individual’s biometric identifier used to identify an individual,” including “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”

These new class action lawsuits under the Illinois BIPA are the result of businesses increasingly, using biometric information for timekeeping (clocking in and out of work with a fingerprint instead of punching a timecard), security access (using fingerprint, hand, or retina scanners or facial recognition software to allow access to company facilities or secure laptops, smartphones, or other electronic devices), wellness programs (measuring biometric data to assess health risks), and workplace safety and efficiency (using biometrics to track employee locations, information usage, training compliance, and job performance),  With the growth of businesses’ use of biometrics has come increased legal risks that include the threat of BIPA class actions in Illinois.

Much to the chagrin of Illinois businesses, Illinois is the only state that has enacted a law that allows employees (or customers) to file a lawsuit against a company that fails to provide notice that biometric information is being collected, obtain a written consent for the collection of biometric information, or maintain a written policy establishing guidelines for destroying the information. Violating the Illinois BIPA can result in statutory damages of $1,000 for each negligent violation and $5,000 for each willful violation, plus the recovery of actual damages and attorney’s fees.  Given the stakes involved in a BIPA violation, there has been a dramatic spike in the filing of BIPA class actions. 

Most of these new suits arise out of employers’ use of timekeeping systems that utilize employee fingerprints, but a few have involved the use of facial recognition software.  These new BIPA class actions are being filed , even though the biometric data has been protected, has not been lost or employee or customer may not have been damaged in any way. 740 ILCS § 14/15. Plaintiffs’ counsel are forging ahead with BIPA class actions, often in an effort to leverage massive settlements, based on technical violations involving the failure to provide notice, obtain written consents, or maintain a written policy establishing guidelines for retaining or destroying biometric information. The types of companies that have been named in BIPA class actions to date are varied and include Facebook, Shutterfly,  technology companies, long-term care facilities, grocery stores, restaurants, staffing companies, tanning salons, manufacturers and other businesses.

As more and more employers use facial recognition software and fingerprinting for security and other timekeeping purposes, employers can expect employees or ex-employees to have a greater awareness to the requirements of the Illinois BIPA, which may result in increased exposure to unwarranted litigation. Employers can reduce or eliminate the risk of a BIPA class action by  creating and publishing a policy that outlines the  collection, use and retention procedures for employee and customer biometric information, providing employees and customers with a written notice and obtaining the requisite written consents prior to collecting biometric information. In the event that a BIPA class action is filed against an employer, there are certain defenses to BIPA claims based on  a plaintiff’s lack of standing or that the plaintiff was not “aggrieved” or damaged by a technical BIPA violation of the statute,  the information collected does not constitute biometric data, the employee was subject to an arbitration agreement that covered Illinois BIPA claims, and that claims are barred by BIPA’s statute of limitations.  The success or failure of these BIPA defenses will depend on the facts of the case and further judicial interpretations of the Illinois Biometric Information Protection Act.