CHICAGO — A spike in the number of lawsuits in Illinois over biometrics data is a result of such data becoming more commonly used or misused by both business and social media. But whatever the reason, businesses should look for more and more of these lawsuits in coming days, a Washington, D.C.-based labor and employment attorney warns, thanks to a unique facet of Illinois' law.
In 2008, the Illinois General Assembly passed the Biometric Information Privacy Act (BIPA), ostensibly to protect people against identity theft. The act placed restrictions on the collection, storage and disclosure of personal biometric information by businesses.
“A biometric identifier is a measurement or copy of a unique physiological characteristic of a human,” Karla Grossenbacher, an attorney at Seyforth Shaw LLP, told the Cook County Record. “The term as used in the [BIPA] can include a retina or iris (eye) scan, fingerprint, voiceprint, a scan of your hand or face geometry.”
However, the law has been used in more recent months to bring a spate of class action lawsuits against employers and businesses, typically accusing defendants of technical violations of the law for failing to notify employees or customers of their policies related to the storage and retention of fingerprints and other biometric data used to verify a person's identity for such purposes as tracking hours worked or collecting points under a customer loyalty rewards program.
Karla Grossenbacher, an attorney and partner at Seyfarth Shaw in Washington, D.C., concentrates her practice on labor and employment law
Initially, the BIPA law been used by class action plaintiffs' lawyers to target tech and social media giants, like Facebook, Google and Shutterfly, for improperly identifying people in photo tags. Many of those lawsuits remain pending in Illinois and California courts.
However, the lawsuits against employers and retail businesses have marked a rapid expansion of litigation under the BIPA law. And the lawsuits continue to proliferate in Cook County and Chicago's federal courts.
On Oct. 10, for instance, lawyers with the firm of Stephan Zouras LLP added to their total of pending BIPA lawsuits, filing a complaint in Cook County Circuit Court on behalf of named plaintiff Amanda Kardos against her fomer employers, which the lawsuit said included Marriott International, TPG Hotels & Resorts and the local owners and operators of the Westin Chicago North Shore hotel.
She had been employed at the North Shore hotel from July 10-Aug. 28, 2017, her complaint asserted, where, as a condition of her employment, she and other employees were required to scan their fingerprints into a company database. She and other employees were then required to use their fingerprints to punch in and out of their work shifts and log their hours worked.
The lawsuit, much as others like it, accuses the defendants of failing to collect written authorization from employees before collecting their fingerprint scans, and of failing to inform employees of how they store the prints, how long they will keep the fingerprint scans after the employees leave the company, and how they will destroy the electronic records of the fingerprint scans.
The lawsuit, much as others, asks the court to order the defendants to change their policies, and pay statutory damages of $1,000-$5,000 per violation, plus the plaintiffs' attorney fees. The complaint asks the court to expand the action to include a class including virtually everyone employed by the defendant companies in Illinois who had their fingerprints scanned for timetracking purposes and was allegedly not provided with the required notices and authorization requests.
The complaint estimates the total of employees number "in the hundreds or more."
This most recent lawsuit marks the fifth such BIPA-related class action launched against employers and other businesses by the Stephan Zouras firm since the beginning of the summer. At the same time, Edelson P.C., another firm specializing in technology-related class actions, has brought at least five other similar class actions under BIPA against various business since August.
Grossenbacher said the act does require businesses to obtain consent before collecting biometric data on people and sets limits on how long such information can be stored. It also places restrictions on the disclosure or use of such information after a business collects it.
She said one reason that there has been a recent rise in the number of lawsuits regarding the collection of physiological data is because the practice has become more commonly used by businesses today. When the BIPA was passed in 2008, the use of biometrics data was still in its infancy.
Grossenbacher said that although Illinois, Texas and Washington have passed legislation to protect people’s privacy from biometric abuse, Illinois's law is unique.
“Illinois is the only state where individuals can bring suit,” she said. “In Texas and Washington, only the state attorney general can bring a lawsuit alleging a violation of the law. [The] plaintiffs' lawyers are taking note of this unique aspect of Illinois law, as the law also allows for recovery of attorney fees.”
Grossenbacher said an the increase in the number of such lawsuits should be expected.
“We suspect we have only seen the beginning of this type of litigation,” she said.