22 February 2023

Illinois Opens Door to Huge Employer Damages Under Biometric Information Law

Since its 2008 enactment, the Illinois Biometric Information Privacy Act, or “BIPA,” has required employers with employees in Illinois to carefully handle employee biometric information.  BIPA violations create significant liability for the unwary or unsavory employer.  To top it off, last week, an Illinois Supreme Court decision exponentially expanded the potential damages that Illinois employers may face.  In some cases, the money damages could make your jaw drop.

Let’s cover the basics first.  BIPA allows private entities (including employers) to collect and keep “biometric identifiers” or “biometric information” of various types.  Think retinal scans, fingerprints, voiceprints, hand/face geometric scans, and information based on those types of identifiers.  Before collecting biometric information, the employer must tell the employee that it is collecting or storing the data, specify why the data is being collected or stored and how long it will be stored or used, and get written consent from the employee.  Then, after the data is collected and stored, the employer must have a written policy available to the public that describes its retention schedule and guidelines for permanently destroying that data within certain timelines.  On top of that, the employer has to protect the data using a “reasonable standard of care” in the employer’s industry.  And the employer must also protect the data from disclosure at least as well as it protects other confidential and sensitive information it stores, transmits, or protects.

If the employer negligently fails to comply with these requirements, an individual can recover $1,000 plus attorneys’ fees and court costs.  And, if the employer intentionally or recklessly violates BIPA, that $1,000 minimum becomes at least $5,000.

Given these easy-to-miss requirements and potential payday for employees (and their attorneys), BIPA was already a significant risk for class action litigation and a thorn in employers’ sides.  Two recent Illinois Supreme Court decisions drive the thorn even deeper.  On February 2, the court clarified that the statute of limitations under BIPA is five years—rejecting an argument that the statute allowed for just one year to sue entities that violated BIPA.

Just two weeks later, the court again gave Illinois employers bad news.  In that case, a White Castle employee sued the chain and alleged that the company violated her biometric privacy rights when it collected her fingerprint without her written consent each time she clocked in and out of the timekeeping system.  White Castle argued in defense that BIPA allowed the employee to claim damages for only the first unlawful scan or transmission, meaning that the employee was limited to $1,000 in damages plus costs and fees.

The Illinois Supreme Court agreed with the employee.  It rejected White Castle’s argument and held that an employee has a separate claim for damages each time a business fails to seek permission to gather biometric data from workers, and each time the business fails to disclose its written policy regarding retention.

The practical consequences of the decision are obvious and a bit mind-numbing.  Biometric timekeeping systems are quickly growing in popularity, and if they are not implemented correctly, each employee could be entitled to $1,000 in damages (plus costs and attorneys’ fees) every time the employee uses the system to clock in and out.  An employee who works 200 days a year and uses his or her fingerprint to clock in at the start of the shift and out at the end of it could be entitled to $400,000 in damages for that one year.  Multiplying that over the five-year statute of limitations, and multiplying it again by the number of employees who use the timekeeping system leads to an incomprehensible number.

Even employers who do not use biometric data for timekeeping practices should be cautious.  For example, BIPA may be triggered if an employer provides a cell phone to employees and requires the employee to use a face scan to securely unlock the phone.  After all, the face scan is a “biometric identifier” that is stored on an employer-owned device.

The Supreme Court’s decision was not unanimous, and the dissenting opinion wrote that the majority’s interpretation “will lead to consequences that the legislature could not have intended[.]”  That may well be the case, but unless (or until) the legislature changes the law to something more reasonable, employers must comply with the law or prepare for these astronomical penalties.

We strongly encourage employers with employees in Illinois to review their biometric data policies and practices before it’s too late.  Miller Johnson’s National Employment Law Compliance practice group and its employment and labor attorneys are staying on top of employment law developments across the country and are ready to help however they can.

Please contact the authors of this client alert if you have any questions.