CHICAGO — Illinois employers anxious to not get caught in a dragnet of state Biometric Information Privacy Act (BIPA) class actions may be able to breathe easier - for now - after a state appeals court ruling in December.
"The decision allows employers to breathe easy, at least for the time being, as there is a much smaller chance that they will be swept up in the wave of BIPA class action lawsuits," Kwabena Appenteng, an attorney at Littler Mendelson's Chicago office, said during an email interview with the Cook County Record. "However, it is only a matter of time before new types of BIPA class action lawsuits arise that allege new types of 'harm.'"
The definition of "harm" figured significantly in the ruling handed down by the Illinois Second District Appellate Court in Elgin in December against a mother who sued over the fingerprinting of her son by amusement park operator Six Flags when he purchased a season pass. Businesses that use similar forms of bio-identification should take certain precautions, Appenteng said.
"Businesses that use biometric time clocks or other types of biometric scanners who were not previously in compliance with the BIPA should obtain written consents from employees to the ongoing collection," he said. "Businesses also should not lose sight of BIPA's data security requirement for biometric data. BIPA requires a business to protect biometric data 'using the reasonable standard of care within [its] industry.'"
That requirement is important because it could serve as the basis for a BIPA claim, Appenteng said.
"For example, if a business stores employees’ biometric data on its servers (from a biometric timeclock) and suffers a data breach, the business may have a notification obligation under Illinois' Personal Information Protection Act (PIPA), which is Illinois' data breach notification statute," he said. "PIPA also includes a data security requirement. Specifically, PIPA requires that businesses protect personal information, which is defined to include biometric data, using 'reasonable security measures.' Therefore, if an entity that suffers a data breach is alleged not to have 'reasonable security measures' in place under PIPA, it will likely also have violated BIPA's standard of care for biometric data, and could be subject to claims under both laws."
In the putative class-action, Rosenbach v. Six Flags Great America, plaintiff Stacy Rosenbach claimed Six Flags violated the Illinois BIPA when her son was fingerprinted without written consent or a document disclosing the park's plans to collect, store, use or destroy his biometric identifiers or information. Under BIPA, a plaintiff must allege actual harm, which doesn't have to be monetary, but could be a technical violation.
Rosenbach did not claim any harm, but she said she wouldn't have purchased the season pass if she'd known Six Flags intended to violate the BIPA.
The Second District ruled on Dec. 21 that Rosenbach had failed to show a legal harm resulting from the fingerprint scan.
"The court ruled that merely alleging that a business collected a person's biometric identifier (a scan of a fingerprint, iris or retina, hand or face, or a voiceprint) or biometric information (information based on a biometric identifier) without first providing a written disclosure that explained why the data was collected and the length of time it will be stored, and obtaining the person's written consent is not enough to maintain a claim under the BIPA," Appenteng said. "A cognizable injury or adverse harm must be alleged in order for a person to have a claim under the BIPA."
The appeals court ruling is binding on the state's trial courts, which since August 2017 have experienced a surge of BIPA class actions, Appenteng said.
"There are over 40 BIPA class action lawsuits currently pending in Illinois state courts. The precedential effect of the appellate court's holding in Rosenbach means companies that are sued under BIPA by individuals who allege 'technical violations' of BIPA's notice and consent requirements, without any attendant harm, have a basis to seek a dismissal," he said.
Trial courts also may choose "of their own volition" to dismiss those types of BIPA claims, though such "unilateral court action is atypical," Appenteng said. "The likely net result of all of this will be a slowdown - but not a complete eradication - of BIPA class action lawsuits."
The decision in Rosenbach will have the most disruptive impact on BIPA class action lawsuits filed in Illinois state courts, Appenteng said.
"However, the appellate court's ruling can also be used by companies that are defending BIPA claims brought in federal court to support an argument for lack of standing and/or to dismiss a BIPA claim on the merits," he said.