Last week, the Illinois Supreme Court put an end to the streak of unfavorable Illinois Biometric Information Privacy Act (BIPA) opinions for defendants before that court. In Walton v. Roosevelt University, the court unanimously held that where a collective bargaining agreement contains a broad management rights clause, and an employer invokes that clause in response to a BIPA claim, “there is an arguable claim for preemption,” and therefore the claim must be handled pursuant to the collective bargaining agreement.
The Walton opinion tracks federal BIPA case law where the Seventh Circuit previously held that, where a defendant makes an arguable claim for preemption, the claim is preempted by federal labor law. BIPA plaintiffs had tried to avoid the federal precedent in Illinois state court proceedings by arguing that the federal cases were wrongly decided. Walton puts an end to that strategy. In practice, these decisions mean that unionized BIPA plaintiffs may only bring a BIPA claim against their employer by going through the grievance or other similar process required by their collective bargaining agreement–and therefore cannot bring a class action in court.
Shook filed an amicus brief on behalf of the Illinois Chamber of Commerce in Walton.
Per-Scan Individual BIPA Lawsuits
Last week a series of individual (non-class action) BIPA lawsuits were filed in the Northern District of Illinois expressly seeking liquidated damages for each and every use of a finger-scan time clock by the individual plaintiff. While the damages sought in each case vary based on the individual plaintiff’s specific employment history, each lawsuit seeks to recover millions of dollars for a single plaintiff. The plaintiffs in all of these cases are represented by the same law firm, DC Law, PLLC, which is a newcomer to BIPA litigation. While the more experienced BIPA plaintiffs’ bar generally (but not always) has avoided invoking per-scan damages, adoption of per-scan damage theories by less-established BIPA plaintiffs’ firms bringing suit on behalf of individual plaintiffs may be a new trend to watch following the recent Cothron v. White Castle decision.
Legislative Activity
While potential BIPA reform remains in a holding pattern here in Illinois, legislative activity impacting biometric privacy continues around the country:
- Comprehensive Privacy Laws Continue to Pass: Iowa is poised to become the sixth state with a comprehensive privacy law after the legislation passed out of the Senate and House without a single vote in opposition. Iowa will include “biometric data processed to uniquely identify a person” in its definition of “sensitive data.” The law bears many similarities to the comprehensive privacy law passed in Utah last year, which is largely recognized as a more business-friendly approach to comprehensive privacy regulation. Of particular importance, Iowa’s law will not require affirmative consent for processing of biometric data (instead requiring only “clear notice and an opportunity to opt out”) and will not create a private right of action. Once signed by the governor, the Iowa law will become effective on January 1, 2025.
- BIPA-like Laws Are Introduced, But So Far See Little Progress: Numerous laws that specifically govern biometric privacy, which are often nearly identical to Illinois’ BIPA, have been introduced this year, including in: Arizona, Hawaii, Maryland, Massachusetts, Minnesota, Missouri, New York, Tennessee and Vermont. Arizona’s BIPA copycat bill received a favorable vote in committee, but has not been advanced to the Senate floor. No other BIPA-like bill has seen any substantive activity so far, suggesting that many, if not all, are unlikely to pass at this point.