Illinois employers flooded with class-action lawsuits stemming from biometric privacy law

In 2017, increasing numbers of employees have sued their employers for alleged violations of Illinois’ biometric privacy law through the use of fingerprint-operated time clocks.

Since July, employees have filed at least 26 class-action lawsuits against employers in Illinois state court under Illinois’ Biometric Information Privacy Act, or BIPA, according to Law360.

These lawsuits are largely based on the use of fingerprint-operated time clocks. The employee-plaintiffs have alleged their employers used those time clocks to collect, use and store biologically derived, or biometric, information in a manner that violates the consent, notice and disclosure requirements of the BIPA.

Illinois’ Biometric Information Privacy Act

In 2008, Illinois enacted the BIPA, the most stringent law of any state regarding the consent, notice and disclosure procedures private entities must follow when collecting, storing or using people’s biometric information, such as fingerprints, iris scans and face prints.

The BIPA requires private entities to inform persons in writing about the specific purposes and length of time for which their biometric information will be collected, used or stored. And no private entity may collect, use or store biometric information without first receiving a written release by the person whose biometric information is sought. The statute further requires a written schedule and guidelines for the retention and destruction of the biometric information to be made public. And the BIPA mandates consent and notice procedures that private entities must follow before disclosing someone’s biometric information to a third party.

Under the BIPA, Illinoisans have the right to sue private parties for violations of the act and to collect the greater of $1,000 or actual damages for each violation negligently committed, and the greater of $5,000 or actual damages for each violation recklessly or intentionally committed. Plaintiffs can also collect attorneys’ fees and costs under the BIPA.

Illinois consumers have sued under the BIPA for alleged violations by companies that use facial-recognition technology, such as Facebook, Shutterfly, Google, Snapchat, Take-Two Interactive Software, Wow Bao and others, as well as companies that have used fingerprint scans, such as L.A. Tan.

Employee lawsuits under the BIPA

A recent and increasingly popular avenue for BIPA litigation is class-action lawsuits by employees against employers based on the use of biometric information in the workplace, such as fingerprint-operated time clocks. Between March and July, Roundy’s, which operates the Mariano’s grocery store chain, InterContinental Hotels Group and Zayo Group were sued under the BIPA over the allegedly improper collection and storage of employee biometrics such as fingerprints and hand scans.

And between July and October, more class-action lawsuits were filed in Illinois state court by current and former employees alleging their employers had violated the BIPA. Here are just a few of the employers who have been sued for alleged BIPA violations:

• Speedway LLC, a gas station and convenience store chain

• Greencore USA-CPG Partners LLC, which does business as Peacock Foods, a food manufacturing, packaging and supply chain solutions company

• Superior Air-Ground Ambulance Service Inc., an emergency medical services provider

• Millard Group LLC, which provides janitorial services to offices, educational institutions, restaurants and home associations

• Alliance Ground International LLC, which provides cargo, mail and ramp handling services to airlines

• Pineapple Hospitality Company and Pineapple Restaurant Group LLC, which run hotels and restaurants, including The Alise in Chicago

• ABRA Auto Body & Glass, an auto repair company

Though some of the details vary, in nearly all of the employee BIPA cases, the plaintiffs have alleged their employers used fingerprint-operated machines (and in at least one case, a more elaborate system that recognizes a person’s finger vein patterns) to clock employees’ work hours. The plaintiffs allege their employers failed to inform employees about the companies’ policies for use, storage and ultimate destruction of the fingerprint data or obtain the employees’ written consent before collecting, using or storing the biometric information.

In at least one case, the employee has also alleged fingerprint data was improperly shared with the supplier of the time-tracking machines, and has named that supplier as a defendant as well.

Potential impact of employee BIPA lawsuits

The BIPA is a relatively new and developing area of law, and the extent of potential recoveries in BIPA cases isn’t yet clear. Many of the lawsuits, including those against Facebook and Google, are still working their way through the courts, while others, such as one against Take-Two Interactive, have been dismissed. Meanwhile, parties have settled cases involving Shutterfly and L.A. Tan. (A new facial-recognition BIPA suit against Shutterfly is now pending in federal court, according to the Chicago Tribune.)

Employees, consumers and others have every reason to be concerned about the privacy and security of their biometric information. As the General Assembly noted, “Biometrics … are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.”

It is not yet known whether any of the employer-defendants in the recently filed BIPA cases failed to comply with the statute’s requirements. Nor is it known whether, even assuming the defendants had not followed the mandated consent, notice and disclosure procedures, the plaintiffs’ fingerprint or finger scan data were ever put at risk of being compromised or how the plaintiffs might have been harmed. And in the event the courts grant class-action status, it is also unclear to what extent any monetary recoveries would benefit the victims of the alleged statutory violations – or whether attorneys would take the lion’s share, with comparatively small sums going to the actual plaintiffs in the cases.

But one need look no farther than the attention garnered by the facial-recognition features of Apple’s new iPhone X to see that biometric-based innovation is increasingly important in the U.S. economy, and in people’s daily lives.

Yet it remains to be seen what effect the proliferation of BIPA litigation will have on technological innovation in the Prairie State. Such innovation has the potential to make life easier for Illinoisans, as well as to stoke a job-creation engine Illinois desperately needs.

One thing is certain, however: Litigation against businesses does have the potential to drive up costs – and make employing people more difficult and more expensive. And as authors of a Law360 article noted in discussing the BIPA’s damages provisions, “It is easy to see how damages can become enormous when aggregated through a class action.” Indeed, articles by attorneys warning about the hazards of biometric class-action litigation against employers have cropped up in the wake of these lawsuits.

Whether businesses will take extra precautions to comply with the BIPA, hoping to escape enterprising class-action lawyers and litigants – or decide hiring people in Illinois is not worth the expense and hassle – will play out as the cases progress. In a state where recent jobs growth has been less than half the national average and worse than every neighboring state, this is not a minor concern.