Scan Your Practices: Illinois Supreme Court to Resolve Biometric Privacy Standard


Fingerprinting, retina scans, and voiceprints – practices once reserved for FBI agents, criminals, and Jason Bourne – are now widely used by companies of all sizes. These “biometric identifiers” are collected, often by employers, to provide for workplace efficiencies such as clocking time and ensuring secure access to sensitive locations. Or they may be used by businesses looking to track and identify customers. Whatever the case may be, collection and use of biometric identifiers are landing companies in legal hot water.

There has been a frenzy of class action lawsuits filed under the Illinois Biometric Information Privacy Act (BIPA) in recent weeks, in anticipation of a pending decision from the Illinois Supreme Court regarding the statute’s scope. BIPA provides a roadmap for how to lawfully gather, store, and destroy biometric data. When companies flout these requirements, they expose themselves to legal liability.


Compliance with BIPA is not terribly difficult. A private entity must: 1) develop a written policy, available to the public, that establishes a retention schedule and guidelines for permanently destroying biometric data; 2) provide information to the subject in writing, and obtain a written release before collecting and using biometric information; 3) safely store and prevent disclosure or dissemination of the biometric data to unauthorized third parties; and 4) destroy the biometric data when there is no longer a reason for keeping it, or within three years of the individual’s last interaction with the entity, whichever comes first.

The statute provides that “any person aggrieved by a violation” of these rules can bring suit. The tricky question, which the Illinois Supreme Court will soon answer, is who is a person aggrieved? Is someone aggrieved if a private entity technically violates the statute, but does not otherwise cause harm to the individual through unauthorized dissemination or disclosure of his or her biometric data? If a company forgets to obtain written authorization, but otherwise posts appropriate notices and protects the security of the data, are its employees or customers aggrieved persons?


The answer once appeared favorable to companies. In Rosenbach v. Six Flags Entertainment Corporation, the Second District Appellate Court held that “a plaintiff who alleges only a technical violation of the statute without alleging some injury or adverse effect is not an aggrieved person” under BIPA. In other words, technical violations of the statute, without any accompanying harm, did not pave the way for litigation.


At the end of 2018, however, the First District Appellate Court, in Sekura v. Krishna Schaumburg Tan, Inc., signaled a more relaxed, plaintiff-friendly standard by agreeing that an injury to a privacy right may be enough to maintain a lawsuit. Though that case also involved allegations of actual harm (unauthorized disclosure of the data to third parties), it created a fissure and undermined whatever comfort came from knowing that technical violations alone would not produce viable lawsuits. And, while the federal courts sitting in Illinois continue to dismiss these cases for lack of constitutional standing, the majority of BIPA cases are filed and remain in state court, where state precedent controls. Companies will seldom find themselves in the more favorable federal venue.

Meanwhile, the plaintiffs in Rosenbach appealed to the Illinois Supreme Court, which heard oral arguments on this issue at the end of November 2018. The central question the court will soon answer is what type of harm must be alleged in order for a plaintiff to maintain suit under BIPA: Are allegations of mere technical violations enough, or must a plaintiff allege a more particular harm? BIPA aficionados across the state are waiting with bated breath to learn the answer.

In the meantime, companies would be wise to review their biometric data notification, collection, storage, and destruction practices. In many ways, regardless of Rosenbach’s outcome, companies need to be extremely vigilant in deciding whether to collect biometric data in the first place and, if so, in developing and implementing careful practices to ensure full compliance with BIPA. Even if the Illinois Supreme Court ultimately concludes that technical violations alone are not actionable, shrewd plaintiffs and their attorneys will not hesitate to articulate allegations of harm beyond mere technicalities. Now is the time to scan your practices.


© 2019 Much Shelist, P.C.
This post was written by Laura A. Elkayam and James L. Wideikis of Much Shelist, P.C.

Published by

National Law Forum
