What is BIPA?
The Illinois Biometric Information Privacy Act (“BIPA”) was first put into place in 2008 to govern the use, collection, and storage of biometric data. Biometric data includes fingerprints, retinal scans, and other individually identifiable information. Many employers use this data for timekeeping, security protocols, or other purposes.
Because Illinois’ BIPA law creates a compliance burden for employers and creates a private right of action for employees, lawsuits against Illinois employers have become increasingly common in recent years. While the law has already created headaches for employers, recent Illinois Supreme Court decisions have heightened the potential risk.
What is new?
Illinois Supreme Court Decision One - Tims
The Tims decision, which was released by the Illinois Supreme Court on January 31, 2023, applied a five-year statute of limitations for violations of BIPA. Prior to this decision, some employers argued that a one-year statute of limitations should apply. By clarifying that claims can be brought within a five-year period after an alleged violation, the court’s decision opens the door to larger classes of affected employees when an employer is targeted for a BIPA lawsuit.
Illinois Supreme Court Decision Two – Cothron
Latrina Cothron, a manager of a White Castle restaurant, sued on behalf of a class of defendant’s employees who allegedly scanned their fingers to access their paystubs and computers. Cothron alleged that White Castle unlawfully collected her alleged biometric information and disclosed it to its third-party vendor in violation of BIPA. Cothron argued each scan is a separate violation of BIPA and therefore subject to a separate fine. White Castle argued that the capture happened once, and every subsequent scan was a comparison, not a capture.
In its decision on February 17th, 2023, the Illinois Supreme Court ruled that claims accrue each time a private entity scans a person’s biometric identifier and each time a private entity transmits such a scan to a third party. This significantly increases the potential penalties for employers sued under the law.
Tims and Cothron combine to create massive awards reaching into the billions of dollars, even for small and medium size companies. Such untenable awards are irresistible to class action law firms.
For example: one employee who scans in and out 4 times a day (at the start of their shift, out for lunch, back from lunch, and out at the end of their shift) five days a week, for 50 weeks a year. That is 1,000 scans per employee per year, which over the course of 5 years would be 5,000 scans. At $1,000 per scan, that single employee could be entitled to a $5M award based on these decisions. Multiplied over a larger employee base, potential awards can grow to eight-, nine-, or ten-figure amounts.
It is crucial that you review your current procedures and take steps necessary to ensure compliance with Illinois’ BIPA statutes immediately. Given the outsized risks associated with collecting biometric data in Illinois, you should consider whether such collection is necessary at all. If you do utilize biometric data, we recommend consulting with an employment attorney to ensure that your policies and informed consent procedures are adequate. Importantly, keep records to demonstrate that each employee has been notified of your practices and has provided informed consent.
For informational purposes:
What is considered biometric data?
- Retina or iris scans
- Scans of hands
- Face geometry
The law requires that private entities collecting or storing biometric data:
- Receive written consent prior to obtaining the data.
- Develop a written policy that is made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric data.
- Do not engage in selling, leasing, or trading any of the data. You are not to profit from the biometric data you store.
- Refrain from disclosing or disseminating biometric data.
- Store, transmit, and protect from disclosure all biometric data in a manner that protects all sensitive and confidential information.
This information is provided as risk management advice. Increasingly, insurance policies are incorporating exclusions that bar coverage for BIPA-related claims. While there may be coverage under a small percentage of Employment Practices Liability or Cyber / Privacy Liability policies, this is not typical. Because this is an uninsured exposure for most employers, mitigating risk and ensuring compliance are especially important.
If you have questions about the law’s requirements or your insurance coverage, please reach out to our team directly.