Illinois Employers Face A Recent Rash of Class Action Lawsuits Filed Under State Biometric Information Privacy Law

Illinois enacted its Biometric Information Privacy Act (“BIPA”) in 2008 to regulate, among other things, employer collection and use of employee biometric information.  Biometrics is defined as the measurement and analysis of physical and behavioral characteristics.  This analysis produces biometric identifiers that include things like fingerprints, iris or face scans, and voiceprints, all of which can be used in a variety of ways, including for security, timekeeping, and employer wellness programs.

Illinois is not the only state with a biometrics privacy law on its books, however, its version is considered the nation’s most stringent.  BIPA requires a business that collects and uses biometric data to protect the data in the same manner it protects other sensitive or confidential information; to establish data retention and destruction procedures, including temporal limitations of three years; to publish policies outlining its biometric data collection and use procedures; and to obtain prior, informed consent from any individuals from whom it plans to obtain and use biometric data.   The statute also requires  businesses to notify employees in the event of a data breach.

Protection of biometric data is viewed as critical because, unlike passwords comprised of letters, numbers, or typographical characters, biometric data is unique and cannot be replaced or updated in the event of a breach.  Technology now allows biometric data to be captured surreptitiously, such as recording a voice over the phone, or face mapping individuals in a crowd or through photographs, increasing the risk for its theft or unauthorized or at least, unknown, use.  In fact, these more furtive methods of collecting and using biometric data is what led to the filing of five BIPA class action lawsuits in 2015 – four against Facebook, and one against online photo website Shutterfly – that alleged these companies used facial recognition software to analyze online posts, but did not comply with BIPA’s consent or other procedural requirements.  These first lawsuits brought attention to the private right of action authorized under BIPA, which provides that any “aggrieved” person may sue and recover $1,000 for each negligent violation and $5,000 for each intentional or reckless violation, or, in both circumstances, actual damages if greater than the statutory damages.  Prevailing parties may also recover their attorneys’ fees and costs.

The plaintiffs’ employment bar recently has gotten seriously into the BIPA class action game; since August 2017, approximately 30 lawsuits have been filed in Cook County, Illinois (where Chicago is), alone.  These putative class actions have been filed against employers in many industries including gas stations, restaurants, and retail, and typically involve the employer’s use of fingerprint operated time clocks.  The cases allege that the defendant employers failed to obtain proper informed consent or fail to maintain and inform employees about policies on the company’s use, storage, and destruction of biometric data.  Many of these lawsuits also allege the employer companies have improperly shared employee biometric data with third-party time clock vendors, and some even name the vendor as a defendant.

In addition to the obvious cost of class action litigation, these suits present additional legal challenges because many aspects of BIPA remain untested.  For example, the statutory term “aggrieved” person leaves open the question whether a plaintiff must be able to prove actual harm in order to recover.  The U.S. District Court for the Northern District of Illinois and U.S. District Court for the Southern District of New York both have dismissed BIPA suits for lack of standing where the plaintiffs did not allege actual harm.  The latter case, Santana v. Take-Two Interactive Software, is currently before the United States Court of Appeals for the Second Circuit, which heard oral argument in October 2017, but has not yet issued its ruling.   Other aspects of BIPA also remain in flux – such as whether facial recognition through photography is biometric data, as defined under the statute, and what forms of consent are compliant.  On the other side, defendants are challenging the constitutionality of the damages provisions, arguing that their potentially disproportionate nature to any actual harm violates due process.  As these issues are flushed out under BIPA, they are certain to affect other states who have already enacted, or may seek to enact, laws regarding use of biometric data.

This post was written by Daniel B. Pasternak of Squire Patton Boggs (US) LLP., © Copyright 2017
For more Labor & Employment legal analysis go to The National Law Review 

Preparing for the Repeal of Cook County’s Beverage Tax: Requesting Credits and Refunds

Earlier this fall, the Cook County Board voted to repeal its constitutionally suspect, politically unpopular one cent per ounce sweetened beverage tax (Tax). The short-lived Tax will expire at the end of the County’s fiscal year on November 30, 2017.

Having been tasked with implementing the Tax, the Cook County Department of Revenue (Department) is now charged with unwinding it. Distributors and retailers who have paid the Tax are entitled to credits or refunds on their unsold inventory at month’s end. The Department recently issued guidance on the credit/refund procedure.

Retailers that have paid Tax to their distributors may claim a credit/refund from their distributors for Tax paid on their unsold inventory by completing the Department form entitled “2017 Sweetened Beverage Retailer Inventory Credit Request Form and Schedule A.” Retailers should complete and submit the form to their distributors, not the Department.

Distributors must file a final Tax return with the Department on or before December 20 (Final Return). To the extent a distributor already has refunded or credited Tax to its retailers, the distributor may claim a credit for the amount refunded on the “other deductions” line of its Final Return. Distributors must file the Department’s standard refund application, found on the Department’s website, to claim refunds for amounts refunded or credited to retailers after December 20. The Department has issued a new form (the “Sweetened Beverage Tax Distributor Credit Form Schedule”) to be submitted by distributors to the Department in support of any credit or refund claims. The form requires distributors to identify the retailers to which it has provided credits/refunds and the amounts thereof.

Retailers who self-remit the Tax may take a credit on their Final Return with supporting documentation. In addition, retailers that have unsold inventory as of December 1, on which they previously remitted floor tax, may obtain a refund of the floor tax through the Department’s standard refund procedure.

Practice Notes:

  1. To the extent possible, Taxpayers should take advantage of the opportunity to claim a credit on their Final Returns in order to avoid the time and expense associated with the County’s standard refund procedure.
  2. Since the Tax was repealed, enthusiasm has waned for various Illinois House Bills (HB 4082-84) proposing to limit the authority of localities to impose beverage taxes. It’s difficult to predict whether the bills will be enacted.
  3. However, the State of Michigan has passed legislation, signed into law by Governor Snyder on October 26, 2017, which prohibits municipalities from levying local taxes on food or beverages.
This post was written by Lauren A. Ferrante & Mary Kay McCalla Martire of McDermott Will & Emery., © 2017
For more legal go to The National Law Review

The Law of Unintended Consequences: BIPA and the Effects of the Illinois Class Action Epidemic on Employers

Has your company recently beefed up its employee identification and access security and added biometric identifiers, such as fingerprints, facial recognition, or retina scans? Have you implemented new timekeeping technology utilizing biometric identifiers like fingerprints or palm prints in lieu of punch clocks? All of these developments provide an extra measure of security control beyond key cards which can be lost or stolen, and can help to control a time-keeping fraud practice known as “buddy punching.” If you have operations and employees in Illinois (or if you utilize biometrics such as voice scans to authenticate customers located in Illinois), your risk and liability could have increased with the adoption of such biometric technology, so read on ….

What’s the Issue in Illinois?

The collection of biometric identifiers is not generally regulated either by the federal government or the states. There are some exceptions, however. Back in 2008, Illinois passed the first biometric privacy law in the United States. The Biometric Information Privacy Act, known as “BIPA,” makes it unlawful for private entities to collect, store, or use biometric information, such as retina/iris scans, voice scans, face scans, or fingerprints, without first obtaining individual consent for such activities. BIPA also requires that covered entities take specific precautions to secure the information. BIPA also carries statutory penalties for every individual violation that can multiply quickly … and the lawsuits against employers have been coming by the dozens over the past few months.

The Requirements of BIPA

Among other requirements, under BIPA, any “private entity” — including employers — collecting, storing, or using the biometric information of any individual in Illinois – no matter how it is collected, stored or used, or for what reason – must:

  1. Provide each individual with written notice that his/her biometric information will be collected and stored, including an explanation of the purpose for collecting the information as well as the length of time it will be stored and/or used.
  2. Obtain the subject’s express written authorization to collect and store his/her biometric information, prior to that information being collected.
  3. Develop and make available to the public a written policy establishing a retention schedule and guidelines for destroying the biometric information, which shall include destruction of the information when the reason for collection has been satisfied or three years after the company’s last interaction with the individual, whichever occurs first.

Also, any such information collected may not be disclosed to or shared with third parties without the prior consent of the individual.The Money Issue

Under the law, plaintiffs may recover statutory damages of $1,000 for eachnegligent violation and $5,000 per intentional or reckless violation, plus attorneys’ fees and other relief deemed appropriate by the court. Moreover, if actual damages exceed liquidated damages, then a plaintiff is entitled under the Act to pursue actual damages in lieu of liquidated damages.

These damage calculations are made and awarded under BIPA on an individual basis. Do the math: If an employer has 100 employees in Illinois and has allegedly been negligent in obtaining required BIPA consent from employees, this can be a potential exposure of an employer to $500,000 in penalties, before you add in the ability to recover attorneys’ fees.

Who is Getting Sued?

The list of companies sued under BIPA spans industries. The initial groups of defendants included companies such as Facebook, Shutterfly, Google, Six Flags, and Snapchat. Also, a chain of tanning salons and a chain of fitness centers were each sued for using biometric technology to identify members. Between July and October, nearly 26 class-action lawsuits were filed in Illinois state court by current and former employees alleging their employers had violated the BIPA. Companies range from supermarket chains, a gas station and convenience store chain, a chain of senior living facilities, several restaurant groups, and a chain of daycare facilities.

Facts vary from case to case, but nearly all of the recent employee BIPA cases implicate fingerprint or palm-print time-keeping technologies that collect biometric data to to clock employees’ work hours. The plaintiffs allege their employers failed to inform employees about the companies’ policies for use, storage and ultimate destruction of the fingerprint data or obtain the employees’ written consent before collecting, using or storing the individual biometric information.

In at least one case, the employee has also alleged fingerprint data was improperly shared with the supplier of the time-tracking machines, and has named that supplier as a defendant as well (Howe v. Speedway LLC, No. 2017-CH-11992 (Ill. Cir. Ct. filed Sept. 1, 2017)).

What Do I Do Now?

In order to avoid becoming the next target, employers with operations and employees in Illinois should ask some basic questions and review processes and procedures:

  1. First question to ask: are we collecting, storing or using individual biometric data for any purpose?
  2. If the answer is yes, has your company issued the required notice and received signed releases/consents from all affected individuals? This release/consent should be obtained at the commencement of employment before any collection of individual biometric data begins. Do you have a publicaly available written policy to cover the collection, storage, use and destruction of the data? The employee handbook is the most logical place for this policy.
  3. Review your processes: (a) make sure that any collected data is not being sold or disclosed to third parties, outside of the limited exceptions permitted by the Act, and this includes vendors and third party suppliers of biometric technology who process and store the information in a cloud-based service, and (b) make sure that you evaluate your internal data privacy protocols and processes for protecting this new data set, and be prepared to prove that you have “reasonably sufficient” security measures in place for the individual biometric data.
  4. Review your vendor processes: If a vendor has access to the individual biometric data (such as a software-as-a-service provider), make sure the vendor has sufficient data privacy protocols and processes in place and that you have representations regarding this protection from the vendor.
  5. Review insurance coverage for this type of exposure with your broker.
  6. Remember the data breach issues: Make sure your data breach policies recognize that individual biometric data is considered personal information under Illinois laws addressing data breach notification requirements.

This post was authored by Cynthia J. Larose of © Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. For more Labor & Employment legal analysis, go to The National Law Review

Right-to-Work Battle in Illinois Enters Cease Fire – For Now

Illinois is completely surrounded by right-to-work states that have laws making it unlawful for companies to require union dues as a condition of employment. Notwithstanding the recent trend of states enacting such laws, the Illinois legislature tried its best this year to block right-to-work legislation within its borders.

Earlier this year, the Illinois legislature passed a law that would prohibit local governments from enacting their own right-to-work laws after one Illinois municipality attempted to enact a right-to-work ordinance in 2015. Illinois Gov. Bruce Rauner vetoed the legislation – based on his belief that right-to-work laws promote business growth – and this week the legislature fell one vote short of overriding his veto. There are signals legislators may attempt to revive the legislation next year. Thus, this remains an issue for Illinois employers to watch.

This issue is not unique to Illinois; local governments in Kentucky enjoyed some success with their own right-to-work ordinances several years ago before the state enacted its own right-to-work law.

Right-to-work laws are permitted under Section 14(b) of the Taft-Hartley Act and make it unlawful for companies to require union dues as a condition of employment. In states where right-to-work laws are not enacted, most unionized employers have clauses in their labor agreements that require dues payments as a condition of employment – the clauses generally are known as “union seniority clauses.” At present, 28 states have right-to-work laws on the books. The National Right to Work Foundation maintains a current list.

This post was written by David J. Pryzbylski of BARNES & THORNBURG LLP., © 2017
For more Labor & Employment legal analysis, go to The National Law Review

Employees Sue for Fingerprint Use

Employees of Peacock Foods, an Illinois-based food product manufacturer, recently filed a lawsuit against their employer for alleged violations of Illinois’ Biometric Information Privacy Act. Under BIPA, companies that collect biometric information must inter alia have a written retention policy (that they follow). As part of the policy, the law states that they must delete biometric information after they no long need it, or three years after the last transaction with the individual. Companies also need consent to collect the information under the Illinois law, cannot sell information, and if shared must get consent for such sharing.

According to the plaintiff-employees, Peacock Foods used their fingerprints for a time tracking system without explaining in writing how the saved fingerprints would be used, or if they would be shared with third parties. According to the employees, this violated BIPA’s requirement for explaining -in the consent request- how information would be used and how long it would be kept. The employees also alleged that Peacock Foods did not have a retention schedule and program in place for deleting biometric data. The employees are currently seeking class certification.

Putting it Into Practice: This case is a reminder that plaintiffs’ class action lawyers are looking at BIPA and possible complaints that can be brought under the law. To address the Illinois law – and similar ones in Texas and Washington – companies should look at the notice and consent process they have in place.   

This post was written by Liisa M. Thomas & Mukund H. Sharma of Sheppard Mullin Richter & Hampton LLP., Copyright © 2017

For more Labor & Employment legal analysis, go to The National Law Review

Illinois Passes Religious Garb Law Clarifying Religious Protections Under Illinois Human Rights Law

On August 11, 2017, Illinois Governor Bruce Rauner signed into law Public Act 100-100, known as the “Religious Garb Law.”  The law amends the Illinois Human Rights Act (“IHRA”) by clarifying the scope of protection for sincerely held religious beliefs.

Specifically, the amendment makes clear that it is a violation of the IHRA for an employer to impose a requirement that would cause an employee to “violate or forgo a sincerely held practice of his or her religion including, but not limited to, the wearing of any attire, clothing, or facial hair in accordance with the requirements of his or her religion.”  However, the law indicates that “[n]othing in this Section prohibits an employer from enacting a dress code or grooming policy that may include restrictions on attire, clothing, or facial hair to maintain workplace safety or food sanitation.”  Moreover, employers may still prohibit attire, clothing and facial hair if failing to do so would result in an undue hardship to the employer’s business.

In essence, this amendment clarifies the scope of religious protections that exist under the IHRA.  Notably, the EEOC has taken the position that Title VII protects religious garb.

This post was written by Steven J Pearlman and Alex C Weinstein of  Proskauer Rose LLP.© 2017

Tax Changes Implemented As Part of Revenue Package Supporting Illinois Budget

Yesterday afternoon, after months of wrangling and a marathon 4th of July weekend session, the Illinois House of Representatives voted to override Governor Bruce Rauner’s veto of Senate Bill (SB) 9, the revenue bill supporting the State’s Fiscal Year (FY) 2017-2018 Budget. The vote ended Illinois’ two year budget impasse and may avoid a threatened downgrade of Illinois bonds to junk status. The key tax components of the bill as enacted Public Act 100-0022 (Act) are as follows:

Income Tax

Rate increase. Income tax rates are increased, effective July 1, 2017, to 4.95 percent for individuals, trusts and estates, and 7 percent for corporations.

Income allocation. The Act contains a number of provisions intended to resolve questions regarding how income should be allocated between the two rates in effect for 2017.

  • Illinois Income Tax Act (IITA) 5/202.5(a) provides a default rule, a proration based on the days in each period (181/184), for purposes of allocating income between pre-July 1 segments and periods after the end of June when rates increase. Alternatively, IITA 5/202.5(b) provides that a taxpayer may elect to determine net income on a specific accounting basis for the two portions of their taxable year, from the beginning of the taxable year through the last day of the apportionment period, and from the first day of the next apportionment period through the end of the taxable year.

Note: This provision will create planning opportunities for taxpayers. For example, a taxpayer who paid bonuses to employees early in the year may wish to elect specific accounting, whereas taxpayers who paid bonuses out after the effective date of the tax increase may wish to pro rate under the default rule.

  • A new sub-section (IITA 202.5(c)(3)) provides that a taxpayer who elects a specific allocation different from the default rule must divide any Section 204 exemptions between the respective periods in amounts which bear the same ratio to the total exemption allowable under Section 204 as the total number of days in each period bears to the total number of days in the taxable year. We note that no mention is made regarding the treatment of credits.
  • Finally, another new sub-section (IITA 202.5(c)(4)) provides that a taxpayer who elects a specific allocation different from the default rule may not claim negative net income for one portion of the year and not the other. If a taxpayer’s net income otherwise would be negative for a portion of the year, the taxpayer is required to attribute all of its net income to the portion of the taxable year with positive net income and report net income for the other portion of the taxable year as zero.

Elimination of non-combination rule. For taxable years beginning on or after December 31, 2017, the definition of “unitary business group” is amended to eliminate the non-combination rule for group members that use different apportionment methods. There is no exception for insurance companies.

Note: For calendar year corporations, this change will take effect this year.

Expanded definition of “United States.” For taxable years ending on or after December 31, 2017, the definition of “unitary business group” is amended to include an expanded definition of “United States” to include the fifty states, the District of Columbia and “any area over which the United States has asserted jurisdiction or claimed exclusive rights with respect to the exploration for or exploitation of natural resources,” but not any territory or possession of the United States.

Note: For calendar year corporations, this change will take effect this year.

Decoupling from Domestic Production Activities Deduction (DPAD). The Act decouples from the federal domestic production activities deduction.

Research and Development Credit Extended and Reliance Protected. The research and development credit is restored retroactively (it had expired on January 1, 2016) and extended through December 31, 2021. The Act provides that all actions taken by taxpayers “in reliance on the continuation of the credit” are “hereby validated.”

Income Cap on individual taxpayer eligibility for certain exemptions and credits. Taxpayers with adjusted gross income for a taxable year in excess of $500,000 (in the case of spouses filing a joint federal return) or $250,000 (for all other taxpayers) may not claim the standard exemptions set forth in IITA Section 204. (IITA 5/204(g)). In addition, they may not claim a tax credit for residential real property taxes (IITA 5/208) or the education expense credit (IITA 5/201(m)).

Increased education expense credit. The education expense credit is increased to $750 for tax years ending on or after December 31, 2007. (See note above about limitations on taxpayer eligibility for the credit.)

Instructional materials credit. A new credit (maximum $250.00) is created for taxpayers who are teachers, instructors, counselors, principals or aides in qualified schools (for at least 900 hours during a school year) for instructional materials and supplies.

Sales Tax

Sales tax base not expanded to include services. The Act does not change the sales tax rate or expand the base to tax services.

Gasohol, majority blended ethanol, biodiesel and certain biodiesel blends. The Retailers’ Occupation Tax Act, Use Tax Act and Services Tax Act are amended to provide that gasohol is taxed at 100 percent of sales proceeds, effective July 1, 2017. Exemptions for blended ethanol, biodiesel and biodiesel blends are extended through 2023.

Manufacturing, Machinery and Equipment Exemption expanded to include graphic arts. The manufacturing, machinery and equipment exemption is expanded to include graphic arts machinery and equipment, effective July 1, 2017.

State Tax Lien Registration Act

The Act creates a central state tax lien registration system, which eliminates the requirement for the Illinois Department of Revenue (DOR) to post liens for taxes due in counties throughout the state. Taxpayers are required to pay any administrative fee imposed by the DOR by rule when creating the State Tax Lien Registry.

Revised Uniform Unclaimed Property Law

The Act includes a complete rewrite of the Illinois Unclaimed Property Laws, which we describe in a separate post.

This post was written byMary Kay McCalla MartireFred M. Ackerson and  Lauren A. Ferrante of McDermott Will & Emery.