Illinois’ Biometric Privacy Law
The BIPA states that no private entity may “collect, capture, purchase, receive through trade, or otherwise obtain a person’s or a customer’s biometric identifier or biometric information” unless it first:
- Informs the subject in writing that a biometric identifier or biometric information is being collected or stored;
- Informs the subject in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and
- Receives a written release executed by the subject or the subject’s representative.
The BIPA also prohibits businesses from disclosing a person’s biometric information without first obtaining consent and requires businesses to develop and comply with a publicly available written policy for retention and destruction of the information. The BIPA is recognized as one of the strongest state laws protecting individuals’ biometric data and expressly excludes photographs and information from a patient in a health care setting from the definition of biometric identifier.
Family Dollar Class Action
A putative class of employees recently filed a complaint against Family Dollar and Dollar Tree Inc. in Cook County, Illinois alleging violation of the BIPA. Herron, the representative plaintiff, worked as an hourly employee at Family Dollar in 2017 and had to provide finger scans to clock in and out. The complaint alleges that Family Dollar did not inform the employees in writing of the purpose or obtain consent.
Other Lawsuits and Developments
Lawsuits alleging employer violations of BIPA have become commonplace in Illinois in recent years. Walmart recently settled a BIPA employee class actionfor $10 million. A case currently before the Illinois Supreme Court could decide whether the exclusive remedies under the workers’ compensation law preclude claims for statutory damages under the BIPA where an employee alleges a violation of statutory rights. A defense victory could have a considerable effect on the pending class actions, including the Herron matter.
BIPA critics suggest the law has been abused and leads to frivolous lawsuits. A bill introduced in the Illinois General Assembly would revise and limit the BIPA’s reach.
As of now, the BIPA provides for statutory damages of $5,000 for each willful and/or reckless violation, or $1,000 for each negligent violation. According to the Illinois Supreme Court, an individual need not allege or prove an actual injury to recover damages; the mere violation will create the statutory liability.
While other states have regulated the use of biometric information, Illinois is currently the only one that creates a private right of action. A National Biometric Information Privacy Act of 2020 was introduced in August 2020 and is pending in the Senate now. As drafted, it includes a private right of action.
If You Are in Illinois or Have Illinois Contacts You should …
If you have facilities in Illinois or some contact with Illinois, you should examine and comply with the BIPA’s requirements. Any clock in, clock out procedures should not involve biometric information unless you have met and documented the consent requirements. Lawsuits alleging BIPA violations have been filed outside of Illinois if a company has sufficient contacts, so you need to be careful. State biometric protection laws may become more common, so carefully examine your practices if fingerprint scanners or any type of biometric recognition technology is part of your operations.