Airlines hit with class-action lawsuit under biometric privacy law
United Airlines has become the latest Illinois employer to be sued for allegedly violating Illinois’ biometric privacy law through the use of fingerprint-operated time clocks.
UPDATE: A baggage handler filed suit against American Airlines Inc. in Cook County Circuit Court on Nov. 17 for allegedly violating Illinois’ Biometric Information Privacy Act. This is the latest of dozens of class-action lawsuits filed against Illinois employers since July over the use of time clocks that scan employees’ fingers.
On Nov. 7, Illinois skies got a little less friendly for United Airlines Inc. A former baggage handler filed a lawsuit against the airline for alleged violations of Illinois’ Biometric Information Privacy Act, or BIPA.
The BIPA mandates the consent, notice and disclosure procedures private entities must follow when handling people’s biologically derived, or “biometric,” information, and the plaintiff has alleged that United did not comply with the statute in its use of fingerprint-operated employee time clocks. The complaint requests class-action status, claiming, “there are hundreds, if not thousands,” of similarly situated United employees and former employees.
Since July, more than 30 class-action lawsuits against employers have been filed in Illinois under the BIPA, according to employment lawyers at Baker & Hostetler LLP.
As in the United case, the employee-plaintiffs have alleged their employers used those time clocks to collect, use and store biometric information – namely, fingerprints and hand scans – in a manner that violates the consent, notice and disclosure requirements of the BIPA.
Illinois’ Biometric Information Privacy Act
In 2008, Illinois enacted the BIPA, the most stringent law of any state regarding the consent, notice and disclosure procedures private entities must follow when collecting, storing or using people’s biometric information, such as fingerprints, iris scans and face prints.
The BIPA requires private entities to inform persons in writing about the specific purposes and length of time for which their biometric information will be collected, used or stored. And no private entity may collect, use or store biometric information without first receiving a written release by the person whose biometric information is sought. The statute further requires a written schedule and guidelines for the retention and destruction of the biometric information to be made public. And the BIPA mandates consent and notice procedures that private entities must follow before disclosing someone’s biometric information to a third party.
Under the BIPA, Illinoisans have the right to sue private parties for violations of the act and to collect the greater of $1,000 or actual damages for each violation negligently committed, and the greater of $5,000 or actual damages for each violation recklessly or intentionally committed. Plaintiffs can also collect attorneys’ fees and costs under the BIPA.
Illinois consumers have sued under the BIPA for alleged violations by companies that use facial-recognition technology, such as Facebook, Shutterfly, Google, Snapchat, Take-Two Interactive Software, Wow Bao and others, as well as companies that have used fingerprint scans, such as L.A. Tan.
Onslaught of employee lawsuits under the BIPA
A recent and increasingly popular avenue for BIPA litigation is class-action lawsuits by employees against employers based on the use of biometric information in the workplace, such as fingerprint-operated time clocks.
In addition to United, other employers that have been sued for alleged BIPA violations include:
- Roundy’s Supermarkets Inc., which operates the Mariano’s grocery store chain
- InterContinental Hotels Group
- Speedway LLC, a gas station and convenience store chain
- Greencore USA-CPG Partners LLC, which does business as Peacock Foods, a food manufacturing, packaging and supply chain solutions company
- Superior Air-Ground Ambulance Service Inc., an emergency medical services provider
- Alliance Ground International LLC, which provides cargo, mail and ramp handling services to airlines
- ABRA Auto Body & Glass, an auto repair company
- Hyatt Corp., which owns Hyatt hotels
- Bob Evans Restaurants
Though some of the details vary, in nearly all of the employee BIPA cases, the plaintiffs have alleged their employers used fingerprint-operated machines (and in at least one case, a more elaborate system that recognizes a person’s finger vein patterns) to clock employees’ work hours. The plaintiffs allege their employers failed to inform employees about the companies’ policies for use, storage and ultimate destruction of the fingerprint data or obtain the employees’ written consent before collecting, using or storing the biometric information.
In at least one case, the employee has also alleged fingerprint data were improperly shared with the supplier of the time-tracking machines, and has named that supplier as a defendant as well.
Potential impact of employee BIPA lawsuits
The BIPA is a relatively new and developing area of law, and the extent of potential recoveries in BIPA cases isn’t yet clear. Many of the lawsuits, including those against Facebook and Google, are still working their way through the courts, while others, such as one against Take-Two Interactive, have been dismissed. Meanwhile, parties have settled cases involving Shutterfly and L.A. Tan. (A new facial-recognition BIPA suit against Shutterfly is now pending in federal court.)
Employees, consumers and others have every reason to be concerned about the privacy and security of their biometric information. As the General Assembly noted, “Biometrics … are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.”
It is not yet known whether any of the employer-defendants in the recently filed BIPA cases failed to comply with the statute’s requirements. Nor is it known whether, even assuming the defendants had not followed the mandated consent, notice and disclosure procedures, the plaintiffs’ fingerprint or finger scan data were ever put at risk of being compromised or how the plaintiffs might have been harmed. And in the event the courts grant class-action status, it is also unclear to what extent any monetary recoveries would benefit the victims of the alleged statutory violations – or whether attorneys would take the lion’s share, with comparatively small sums going to the actual plaintiffs in the cases.
But one need look no farther than the attention garnered by the facial-recognition features of Apple’s new iPhone X to see that biometric-based innovation is increasingly important in the U.S. economy, and in people’s daily lives.
Yet it remains to be seen what effect the proliferation of BIPA litigation will have on technological innovation in the Prairie State. Such innovation has the potential to make life easier for Illinoisans, as well as to stoke a job-creation engine Illinois desperately needs.
One thing is certain, however: Litigation against businesses does have the potential to drive up costs – and make employing people more difficult and more expensive. And as authors of a Law360 article noted in discussing the BIPA’s damages provisions, “It is easy to see how damages can become enormous when aggregated through a class action.” In a case against a large employer like United with thousands of possible employee-plaintiffs, potential damages could total millions of dollars.
Whether businesses will take extra precautions to comply with the BIPA, hoping to escape enterprising class-action lawyers and litigants – or decide hiring people in Illinois is not worth the expense and hassle – will play out as the cases progress. In a state where recent jobs growth has been less than half the national average and worse than every neighboring state, this is not a minor concern.
Perhaps the frenzied filing of class-action lawsuits against Illinois employers will give other states pause as they consider enacting their own biometric privacy legislation.