This month, the Illinois Supreme Court has issued two eagerly-awaited opinions on the Illinois Biometric Information Privacy Act, or “BIPA.”
Neither decision contains good news for employers.
BIPA basics
The BIPA, enacted in 2008, requires entities (including employers) who use biometrics to do the following:
- Develop a public, written policy establishing a retention schedule and guidelines for permanently destroying biometric identifiers and information.
- Inform an employee in writing that biometric identifier or information is collected or stored (and the specific purpose and duration of period for collecting, using, or storing biometric identifier or information), and obtain a written release from the employee, before collecting or otherwise obtaining an employee’s biometric identifier or information.
- Protect from disclosure an employee’s biometric identifier or information.
The BIPA prohibits entities (including employers) from doing the following:
- Selling or otherwise profiting from an employee’s biometric identifier or information.
- Disclosing or otherwise disseminating an employee’s biometric identifier or information unless it meets certain exceptions.
“Biometric identifiers” are defined by the BIPA as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” The BIPA defines “biometric information” as “any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual.”
Decision One: BIPA claims have five-year statute of limitations
The BIPA does not itself contain a statute of limitations, so parties have been arguing since its enactment about what that limitation should be. In its first BIPA decision issued this month, Tims v. Black Horse Carriers, Inc., the Illinois Supreme Court ruled that claimants have five years from the date of the alleged violation to assert any type of BIPA claim.
The plaintiff in Tims filed a putative class action against his former employer, alleging that the employer violated the BIPA by requiring its employees to use a time clock that scanned fingerprints. The employer argued that the lawsuit was untimely, contending that a one-year limitations period should apply.
In rejecting the employer’s argument, the Court reviewed the intent of the legislature in passing the BIPA, citing to the “fears of and risks to the public surrounding the disclosure of highly sensitive biometric information,” and holding that Illinois’ five-year “catch-all” limitations period applies to BIPA claims.
Decision Two: Each BIPA violation gives rise to a separate claim
The second large area of dispute was what constituted an individual violation of the BIPA. If an employer failed to take the proper steps before scanning an employee’s fingerprints, did that amount to one violation (regardless of the number of fingerprint scans taken of that employee), or was it a violation each time the employer scanned the employee’s fingerprint? Unfortunately for employers, in Cothron v. White Castle System, Inc., the Supreme Court ruled that a separate BIPA claim accrues with each violation.
The plaintiff filed a putative class action against her current employer, alleging that the employer failed to comply with the BIPA’s notice and consent provisions before requiring employees to scan their fingerprints to access their pay stubs and work computers. From 2008 through 2018, the plaintiff alleged that the employer violated the BIPA every time it scanned fingerprints and provided those scans to a third-party vendor.
The employer argued that the plaintiff should have sued in 2008 when the BIPA became effective, and that only the first fingerprint scan or dissemination of the scan should count as a violation. The employer also argued that because the BIPA authorizes a certain recovery for each violation, applying the plaintiff’s interpretation would result in “astronomical” damage awards that could exceed $17 billion in this case alone.
But the Court again sided with the plaintiff, reasoning that the plain language of the BIPA applies to multiple collections and disseminations of biometric identifiers or information. Responding to the employer’s argument that the ruling would result in “annihilative liability,” the Court cited to the potential recovery as an incentive for employers to comply with the law. In any event, the Court said, trial courts presiding over BIPA class actions have discretion to fashion a damage award that fairly compensates class members, deters future violations, and does not destroy the defendant business.
What now?
In light of these rulings, employers with Illinois employees who collect, store, or share biometric information “ fingerprints, or retina, hand, or face scans “ should immediately review their compliance with the BIPA as these decisions highlight the potentially devastating consequences to employers who violate the law.
Although it is possible that the Illinois legislature will amend the BIPA to clarify the statutory language in the future, the burden for now will be on Illinois employers to comply with the BIPA or face potentially enormous liability.