PHOENIX—More than 100 class actions have been brought in recent months against employers for violations of the Illinois Biometric Information Privacy Act (BIPA), the strictest biometric law in the nation. That number is likely to rise as a new wave of class actions will target employers that forget about the timely destruction of biometric identifiers or information, said Anne Larson, an attorney with Ogletree Deakins in Chicago, at the firm's recent 2018 National Workplace Strategies Seminar.
BIPA requires covered entities, including employers, to develop a written policy made available to employees or the general public that establishes a retention schedule and guidelines for permanently destroying biometric identifiers or information. Employers can meet the requirement of making the policy available to the public by placing it on their intranet, Larson said.
Thomas Deer, an attorney with Ogletree Deakins in Chicago, noted that a biometric identifier is a retina or iris scan, fingerprint, voice print, hand scan, or face geometry. Biometric information is any information—regardless of how it is captured, converted, stored or shared—based on an individual's biometric identifier.
The biometric information may not be collected unless the employer first:
- Informs the employee in writing that a biometric identifier or biometric information is being collected or stored.
- Tells the person in writing of the specific purpose and time in which a biometric identifier or biometric information is being collected, stored and used.
- Receives a written release from the employee.
BIPA applies to any company, association or individual.
The first class actions were over the failure to give notice and obtain written consent, Larson said. Class actions in the future are likely to target employers that fail to destroy their biometric identifiers and information no later than three years after an employee quits or is fired.
Companies need to remember their duty to protect and then destroy biometric information, she cautioned.
If an employer has biometric identifiers and information, it must protect them. Vendors understand BIPA's requirements but typically put all the responsibility on employers to uphold the law, Larson said.
Penalties
BIPA provides that for each violation a prevailing party may recover:
- The greater of $1,000 or actual damages for a negligent violation.
- The greater of $5,000 or actual damages for an intentional violation.
- Reasonable attorney fees and costs, including expert witness fees and other litigation expenses.
- Other relief, including a court order, as the state or federal court may deem appropriate.
It's unclear what "per violation" means, Larson noted. Is it per employee? Or is it per clock-in and clock-out in the case of biometric time-keeping? If the latter is the case, the numbers for damages become astronomical, she said.
Defenses
Larson said that BIPA does not provide for a statute of limitations—a time period in which a lawsuit must be brought. She has argued it should be two years, but plaintiffs' attorneys have maintained it should be five years.
One case decided at the end of last year concluded that purely technical violations are not actionable (Rosenbach v. Six Flags Entertainment Corp.), which Larson called a "great decision."
Other possible defenses are:
- Class actions were waived in arbitration agreements (as long as the Supreme Court upholds such waivers in upcoming decisions).
- Workers' compensation is the exclusive remedy because the injury arises out of and in the course of employment.
- The application of BIPA outside Illinois is unlawful.
Other Jurisdictions
Keith Kopplin, an attorney with Ogletree Deakins in Milwaukee, noted that other states have biometric data regulations of their own:
- New York prohibits private employers from requiring employees to be fingerprinted as a condition of employment.
- Texas requires consent to capture biometric information for commercial purposes.
- Washington mandates disclosures, notice and consent regarding the collection and use of biometric information.
- Alaska, Idaho, Massachusetts, Montana and New Hampshire all are considering legislation protecting individuals from the use of their biometric information.
Plus, the EU General Data Protection Regulation (GDPR) characterizes biometric information as a special category of personal data, which generally cannot be processed for purposes of uniquely identifying someone, Kopplin observed. Employees' consent to use their biometric information is not valid under the GDPR due to unequal bargaining power between employers and workers, he cautioned. Other legal bases must be relied upon, such as legitimate interests of the company outweighing privacy rights.