Despite an Illinois Supreme Court ruling seeming to fling wide the gates for a surge of new lawsuits against employers and others under an Illinois biometric privacy law, businesses targeted by such litigation can still take steps to reduce their risk of massive damages, an attorney with expertise in the field says.
Earlier this year, the Illinois Supreme Court ruled plaintiffs do not need to show actual harm to move forward with lawsuits claiming defendants should pay for alleged violations of the Illinois Biometric Information Privacy Act. The court resolved a split at the state appeals court level regarding the applicability of the admittedly imprecise law.
The state Supreme Court decision conflicted with other rulings from federal judges, who had largely followed the guidance of the U.S. Supreme Court's decision in Spokeo v Robbins, determining a plaintiff had no claim under BIPA unless actual harm could be shown.
Critics claim the Illinois Supreme Court ruling will lead to a flood of class actions at the state level.
Michael Galibois ReedSmith
Privacy advocates and other organizations, including the ACLU, welcomed the ruling, claiming that it upheld the principal that simply losing control of one's biometric privacy was injury enough.
The Illinois Supreme Court case involved a mother and her 16-year-old son who sued theme park operator Six Flags, accusing the company of violating his rights by requiring a fingerprint to verify his identity when using his park pass at Six Flags Great America in Gurnee. A state appeals court ruled against the plaintiffs on the principal of actual harm, a decision overturned by the state Supreme Court.
Michael Galibois, a Chicago attorney in the Intellectual Property, Tech & Data Group at the firm of ReedSmith, said the case is similar to dozens of others filed mostly in state courts. Claims in those cases have largely centered on accusations businesses violate their employees' rights when making them scan fingerprints or some other biometric identifying characteristic when punching in and out of work shifts.
"You have to show that that those biometrics were collected and captured" or purchased by a third party without written consent, Galibois said, adding, however, there is "imprecision" in the wording of the statute.
Galibois noted employers use so-called biometric time clocks to help track employee work hours and verify payroll. In such cases, he said employers should seek to collect employee consent, which can protect both employer and employees.
Defense lawyers generally advise companies that store biometric data to make sure they are familiar with BIPA's notice and consent requirements. Businesses can further lessen monetary damages if they can show no actual harm.
However, the potential for large class-action awards is embedded in the statute as it states violations bring $1,000 damages, while an intentional breach can allow for damages of $5,000. Violations under the law could be defined as each time an employee punches the clock, meaning damage awards could quickly spiral.