While the privacy world is focused on the Equifax data breach, another development is taking place that could have a more lasting effect on privacy law.  In the last month, plaintiffs’ lawyers in Illinois have filed over 20 lawsuits against companies that authenticate their employees or customers with their fingerprints.  The lawsuits are based on the Illinois Biometric Information Privacy Act (BIPA), which requires companies that possess or collect biometric information to provide notice to and obtain a written release from individuals whose biometric information the companies collect.

Why Do These Lawsuits Matter?

Companies are increasingly collecting biometric information from their customers and employees (“data subjects”) because this information helps authenticate users with greater accuracy.  It allows the company to provide customers a more seamless, secure, and tailored experience.  It also allows employees to securely and conveniently punch in and out of work by placing their finger on an electronic reader, which has the additional benefit of minimizing “buddy punching” (where employees ask their colleagues to check them in/out of work improperly).

What Is Biometric Information?

BIPA applies to “biometric Identifiers” and “biometric Information.”  A biometric identifier is a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.  Biometric identifiers do not include, among other things, writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color.  Biometric information means any information based on an individual’s biometric identifier used to identify an individual.  Because BIPA does not treat biometric identifiers differently from biometric information, this blog post refers to both categories collectively as “biometric information.”

To Whom Does BIPA Apply?

BIPA applies to companies in possession of biometric information or companies that collect, capture, purchase, receive through trade or otherwise obtain biometric information about Illinois residents.  BIPA does NOT apply to entities governed by HIPAA or GLBA.  Nor does it apply to state or local government agencies or any court of Illinois.

What Does BIPA Require?

Companies that possess biometric information must develop a written policy, made available to the public, that establishes a retention schedule and guidelines for permanently destroying biometric information when the initial purpose for collecting or obtaining the information has been satisfied, or within three years of the individual’s last interaction with the private entity, whichever occurs first.  The company must comply with this retention schedule and destruction guidelines, unless a valid warrant or subpoena issued by a court of competent jurisdiction provides otherwise.  The company must also adopt reasonable security safeguards to protect the storage and transmission of biometric information.  These safeguards must be at least the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.

Companies that collect, capture, purchase, receive through trade, or otherwise obtain a person’s biometric information must:  (1) inform the subject in writing that biometric information is being collected or stored, and the specific purpose and length of term for which the information is being collected, stored, and used; and (2) obtain a written release executed by the subject of the biometric information.

What Conduct Does BIPA Prohibit?

Companies that possess biometric information are not allowed to sell, lease, trade, or otherwise profit from a person’s biometric information.  Additionally, disclosure, redisclosure, and other dissemination of the information is prohibited unless:  (1) the data subject consents to the disclosure; (2) the disclosure completes a financial transaction requested or authorized by the data subject; (3) the disclosure is required by law; or (4) the disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.

Can My Company Be Sued For Violating BIPA?

Any person “aggrieved by a violation” of BIPA can sue the violating company.  He or she may be entitled to $1,000 in liquidated damages for a negligent statutory violation or $5,000 in liquidated damages for an intentional statutory violation.  (If actual damages are greater, the plaintiff may seek those instead, but for the reasons discussed below, this is not usually the case).  Additionally, the prevailing party (plaintiff or defendant) may recover attorney’s fees and costs.

What Is This Latest Wave Of BIPA Lawsuits All About?

Between BIPA’s enactment in 2008 and a couple months ago there were relatively few lawsuits based on violations of BIPA.  Within the last couple of months, however, the Illinois plaintiffs’ bar has filed over 20 BIPA lawsuits.  Almost all of those lawsuits are based on the same underlying factual scenario:  an employee places his/her finger on a time clock to authenticate himself/herself when checking in or out of work.  In addition to suing the employer, plaintiffs are also suing the companies that sell/distribute the time clocks that use fingerprint readers.

Given the timing of the lawsuits and their almost identical language, this is surely a coordinated effort by the plaintiff’s bar to obtain quick settlements from risk-averse companies that would prefer to avoid or cannot afford the cost of litigation.  It is also a shotgun approach to flood the courts with these lawsuits in the hope that one or two of them will result in favorable precedent that can be used to file more lawsuits, so I don’t see this trend ending anytime soon.

Do The Lawsuits Have Merit?

No.  You can expect to see strong arguments by the defendants on the underlying technology and the meaning of biometric information.  But these lawsuits are meritless primarily because the plaintiffs didn’t suffer any real harm.  The lawsuits appear to be filed by former employees with axes to grind against their former employers.  Setting that aside, however, the arguments in the complaints are not persuasive.

The complaints allege that BIPA was designed to ensure that the plaintiffs receive notice that their biometric information is being collected, and that the plaintiffs should have been asked to sign written releases.  This lack of notice argument is silly when you remember that these individuals were essentially receiving notice every day by placing their fingers on a time clock to log in and out of work.  This latest wave of cases does not present the situation, as other BIPA cases have, where biometric information is being collected without the data subject’s knowledge.

The complaints also allege that the plaintiffs were not provided a policy explaining the use of their information. If we assume first that the plaintiffs would have read these policies (because we all read policies provided to us during the onboarding process), then what would those policies have told the employees?  Anyone familiar with the technology will tell you that the policies would say that the company does not actually collect fingerprint images at all, that there isn’t a database of employee fingerprints somewhere, that to the extent the company has access to numerical representations of their fingerprints those representations are useless to anyone else because they can’t be reverse-engineered, and the information is not shared with third parties (primarily because it serves no use).

The complaints are also significant in what they do NOT allege.  They do not allege, for example, that unauthorized third parties (like hackers) accessed the information.  Nor do the complaints allege that the employers shared the information with any authorized third parties.  So again, what is the harm suffered?

For these reasons, most courts that have addressed the lack of harm argument in the BIPA context have dismissed the lawsuits.  See, e.g., McCollough v. Smarte Carte, Inc. (N.D. Ill. Aug. 1, 2016); Vigil v. Take-Two Interactive Software, Inc. (S.D.N.Y. Jan. 27, 2017).  Those courts concluded that even if there was a technical violation of BIPA, the plaintiffs were not “aggrieved by those violations.”

What Can Companies Do To Minimize These Risks?

First, determine whether BIPA even applies to you.  This may require consulting with counsel knowledgeable in the requirements of BIPA and the underlying technology.  Even if you are not currently collecting biometric information from Illinois residents, could you in the future?  Additionally, while Illinois is currently the only state that creates a private right of action for violation of its biometric information privacy statute, other states have similar laws enforced by their respective Attorneys General.

Second, if BIPA applies, use experienced counsel to ensure that you comply with BIPA – draft a BIPA retention policy, prepare and obtain written releases, and evaluate the security and use of the information.  This process may require coordination with your information technology staff and the vendor you use for your authentication devices.

Finally, if your company has already been sued, there are strategies that counsel should immediately bring to your attention that will lower the cost of litigation, increase the likelihood of success, and help you identify traps for the unwary.

 

DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.