December 2017 • Volume 105 • Number 12 • Page 10
Thank you for viewing this Illinois Bar Journal article.
Illinois’ biometric privacy law back in the news
The Illinois Biometric Information Privacy Act is unique in allowing private parties to sue and including a fee-shifting provision.
Biometric privacy lawsuits are in the news again - there has been a spike in litigation against employers over fingerprints and other biometric data. Biometric data is a measurement or copy of a unique physical characteristic of an individual. It can be a fingerprint, retina or iris scan, voiceprint, hand scan, or facial geometry.
In March 2016, Google faced a class-action lawsuit alleging violations of the Illinois Biometric Information Privacy Act (see "Class action suit alleges Google is violating Illinoisans' 'biometric' privacy," May 2016 LawPulse, at http://bit.ly/2zE4FRQ). As of November 11, 2017, the case is still in the discovery phase.
Illinois has become a center of biometric privacy litigation. The Illinois Biometric Information Privacy Act is the only such law in the nation that allows private parties to sue and has a fee-shifting provision allowing plaintiffs to recover attorney fees.
Employers must get written consent from workers
Because biometric data is unique to the individual, it cannot be changed like a password or user name. This creates security concerns, some of which have been raised by U.S. Senator Al Franken. When discussing face ID technology, he pointed out that abuse and unauthorized disclosure of biometric data could have permanent ramifications because "you can't change your face" (see Eric A. Packel, "Moving Beyond Passwords - Does Your Face Raise Privacy Concerns?" on BakerHostetler's Data Privacy Monitor at http://bit.ly/2iep32r).
What's more, the same technology enables facial tracking. Advertisers and marketers could use this technology to monitor people's reactions to advertisements or for other data mining. Once biometric data is "in the wild," it is next to impossible to control.
This represents a major privacy concern - how secure is biometric data when it is stored? In an era where data breaches occur with increasing frequency, the risk of biometric data being stolen is high.
In Illinois, most new lawsuits are based on employers and retail businesses that allegedly fail to obtain written authorization before collecting fingerprint scans ("Spike in IL lawsuits vs employers over fingerprints, other biometric data may be just the beginning," Cook County Record, at http://bit.ly/2jqsTc0). Two firms that have been handling these types of cases are Stephan Zouras LLP and Edelson P.C.
As noted above, the Illinois Biometric Information Privacy Act (BIPA) is a fee-shifting statute - successful plaintiffs can recover attorney's fees in addition to statutory damages of $1,000 to $5,000 from defendants. This makes even technical violations of BIPA ripe for a lawsuit, to the extent plaintiffs aren't responsible for paying high attorney fees. What's more, if an employer has a blanket requirement that employees provide fingerprints or other biometric data, that can open the door to class action lawsuits.
Another source of future litigation could be facial recognition features on cell phones. The face scans used for facial recognition fall under BIPA's definition of biometric data, which includes "a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry." If the scan is stored locally on a phone but not uploaded to the manufacturer's or carrier's servers, there may be no issue. However, if the collected biometric data does leave the phone, users must give consent beforehand.
Some employers are moving toward using biometric data to track employee hours and limit access to certain areas. Roundy's, the company that owns the Mariano's grocery chain, was sued this year in a class action alleging that it obtained fingerprint and handprint data without written consent. According to a Chicago Tribune report, the company estimates that the damages in one lawsuit could potentially reach $10 million (http://trib.in/2zJ6r28).
Technology does exist for employers to use biometric data without storing it, which would eliminate the risk of a data breach or liability under BIPA. Whether employers choose to incur that cost will remain a business decision. In Roundy's case, it has more than 10,000 Illinois employees. It maintains that the system only scans a portion of the finger, thus taking the company out of BIPA's purview.
So far, at least two BIPA lawsuits have settled. L.A. Tan Enterprises paid $1.5 million to its customers - the company allegedly shared fingerprint scans with an out-of-state vendor. A lawsuit against photo-sharing website Shutterfly settled for an undisclosed amount.
Attorneys advising employers and other corporations should warn their clients about BIPA and its requirements - certainly, employees and customers should be providing informed consent. This means that employers must disclose that they are collecting biometric data. Given the financial damage a successful lawsuit can do, it makes good business sense to be aware of BIPA landmines.