The use of biometric, or biologically derived, information in ordinary life is becoming more commonplace every day. Apple’s iPhones have allowed users to unlock their devices with their fingerprints for years, and people have speculated that the company will include facial recognition technology in the newest iPhone to be released in September, according to Business Insider.
In the workplace, many employers have replaced card-operated punch clocks with devices that use fingerprints to track employees coming and going.
And biometric information litigation is proceeding right alongside this development, as employers are increasingly finding themselves the target of lawsuits under Illinois’ Biometric Information Privacy Act, or BIPA, for their use of biometric information in the workplace. Whether these suits will address legitimate employee privacy concerns or represent yet one more way for plaintiffs’ lawyers to drum up business while burdening employers with expensive litigation is yet to be determined.
Consumer litigation based on Illinois’ Biometric Information Privacy Act
In 2008, Illinois enacted the BIPA, the most stringent law of any state regarding the consent, notice and disclosure procedures private entities must follow when collecting, storing or using people’s biometric information such as fingerprints, iris scans and face prints.
Under the BIPA, Illinoisans have the right to sue private parties for violations of the act and to collect the greater of $1,000 or actual damages for each violation negligently committed, and the greater of $5,000 or actual damages for each violation recklessly or intentionally committed.
Illinois consumers have sued under the BIPA for alleged violations by companies that use facial recognition technology, such as Facebook, Shutterfly, Google, Snapchat, Take-Two Interactive Software and others, as well as companies that have used fingerprint scans, such as L.A. Tan.
Allegedly deficient consent and notice procedures connected with Facebook’s “tag suggestions” program, which uses photographs uploaded to the site to create face prints based on people’s facial geometry, were the impetus for a class-action case against the tech giant. Similarly, Take-Two Interactive’s use of facial recognition technology to create photo-derived avatars for players of its video games spurred a lawsuit against the game maker for its alleged failure to comply with the BIPA’s consent, notice and disclosure requirements.
The BIPA is a relatively new and developing area of law, and the extent of potential recoveries in BIPA cases isn’t yet clear. Many of the lawsuits, including those against Facebook and Google, are still working their way through the courts, while others, such as the one against Take-Two Interactive, have been dismissed. Meanwhile, the parties have settled the Shutterfly and L.A. Tan cases.
Employee lawsuits under the BIPA
The latest avenue for BIPA litigation is lawsuits by employees against employers based on the use of biometric information in the workplace.
In March a former employee of Mariano’s grocery store sued the parent company, Roundy’s Supermarkets Inc. (a subsidiary of Kroger Co.), for allegedly using fingerprint-operated punch clocks without obtaining employees’ consent to use and store their fingerprint data or disclosing to the employees how and for how long the data would be used or stored, according to the Cook County Record. Another Mariano’s employeehas also filed a separate lawsuit against the company for the same reason, according to Supermarket News. Kronos, which supplies fingerprint-operated time clocks, is also a defendant in at least one of the cases, Supermarket News has reported. Court filings show that damages in one of the cases could total $10 million.
In June, a former employee sued InterContinental Hotels Group, which includes InterContinental, Holiday Inn, Crowne Plaza and Kimpton hotels, for allegedly violating the BIPA by using fingerprint time clocks without complying with the consent and notice requirements under the statute, according to the Cook County Record.
And in July, an employee of a tenant of Zayo Group, a communications infrastructure services provider, sued over hand scans at one of its properties, according to the Chicago Tribune.
Plaintiffs in these cases have sought class-action status, alleging that their claims are representative of those of numerous other employees.
Potential impact of employee BIPA lawsuits
Employees, consumers and others have every reason to be concerned about the privacy and security of their biometric information. As the General Assembly noted, “Biometrics … are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.”
It is not yet known whether the employers in these BIPA cases failed to comply with the requirements under the statute. Nor is it known whether, even assuming the employers had not followed the mandated consent, notice and disclosure procedures, the employees’ fingerprint data was ever put at risk of being compromised or the employees were harmed in any way. It is also unclear to what extent any monetary recoveries would benefit the victims of the alleged statutory violations – or whether plaintiffs’ attorneys would take the lion’s share, with comparatively small sums going to the actual plaintiffs in the cases.
It remains to be seen to what extent the proliferation of litigation under the BIPA will suppress the technological innovation that has the potential to make life easier for Illinoisans, as well as to stoke a job-creation engine Illinois desperately needs.
One thing is certain, however: Litigation against employers does have the potential to drive up costs and make employing people more difficult and more expensive. In a state where recent jobs growth has been 40 percent slower than the national average, this is not a minor concern.