Illinois courts recently made two key decisions to explain the Biometric Information Privacy Act (“BIPA”). Passed in 2008 as a consumer protection law, BIPA’s purpose is to regulate the collection, storage, and use of biometric data that companies collect from their consumers. Biometric data can include fingerprints, DNA, retinal scans, and information produced by iris and facial recognition technology.
Last year, the Supreme Court of Illinois made an important ruling: a technical violation of the Act is enough to support a legal claim, even without showing injury or adverse effect, such as data theft or identity fraud. In Rosenbach v. Sig Flags Entertainment Corp., a parent filed a class action lawsuit arguing that the Six Flags amusement park recorded and stored her child’s thumbprint without his informed consent, thereby violating the Act. Six Flags claimed that no violation occurred since the child did not suffer any demonstrable damages.
The Court recognized the importance of privacy protection in this context, since biometric markers are biologically unique to each individual and compromising such information can be irreversibly detrimental. The Court also said lawmakers had specifically intended for companies to provide notice of their data collection activity to consumers to permit them the right to withhold consent, to say no to the collection of their personal data. Lawmakers, according to the Court, determined “that individuals possess a right to privacy in and control over their biometric identifiers and biometric information.” The Court ultimately ruled that Six Flags violated the privacy provision in the Act by causing the child a loss of control over his own biometric identifiers. “This is no mere ‘technicality,’” wrote the Court. “The injury is real and significant.” The matter was therefore allowed to move forward.
A few months later, an Illinois appellate court explained that BIPA is not a “wage and hour” law, but a privacy law. In Liu v. Four Seasons Hotel, a class of employees argued that their employer violated BIPA by tracking their fingerprints to monitor their hours worked. The employees said they were never given an opportunity to give consent to the collection and use of their data, they were not informed that their employer was sharing their data with a third-party vendor, and they were never told for how long their information would be maintained by their employer. The employer claimed that the employment agreements the employees had signed mandated arbitration for “wage or hour violation” claims. The court found, however, that BIPA is a privacy law, and “[s]imply because an employer opts to use biometric data, like fingerprints, for timekeeping purposes does not transform a complaint into a wages or hours claim.” The employees’ claims were therefore not bound by arbitration and could move forward in court.
These two rulings demonstrate that Illinois companies will have to be careful about how they store biometric information. Moreover, employers will have to revise their employment policies in light of the recent appellate court decision. If companies fail to do so, their legal exposure could be costly. Indeed, litigation of the Act has increased in the wake of the judicial rulings cited above and will likely only increase further. Reach out to one of our knowledgeable employment and business law attorneys today if you need guidance on how to best comply with BIPA.