CHICAGO – Businesses in Illinois should be taking steps to protect themselves against class action lawsuits after the Illinois state Senate missed a deadline to amend a state biometrics privacy law, a labor and employment attorney said.
"There are a series of disclosure and consent steps employers can take to comply with the statute and insulate themselves from liability," attorney Shawn D. Fabian told the Cook County Record.
Since 2015, lawsuits have piled in by the hundreds and only continue to grow against businesses of many sizes in Illinois under the Illinois Biometric Information Privacy Act (BIPA). In particular, lawsuits have targeted employers who use so-called biometric time clocks, or employee punch clocks which require workers to scan fingerprints or other biometric identifiers when beginning or ending a work shift.
Shawn D. Fabian, an associate in Sheppard, Mullin, Richter & Hampton's Chicago and New York offices
| Photo courtesy of Sheppard, Mullin, Richter & Hampton
Businesses that collect, store or disclose their employees' biometric identifiers or biometric information for timekeeping or other reasons should inform the employee in writing that their biometric identifier or information is being collected or stored, Fabian said. Those employers also should inform their employees in writing about the specific purpose and length of term for which their biometric information is being collected, stored and used, and also collect a written release from the employee.
"These can be accomplished by drafting an appropriate policy and an acknowledgement and release," Fabian said. "As part of the policy, employers should also establish a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such information has been satisfied or within three years of the employee's last interaction with the employer, whichever occurs first."
Fabian, an associate in the labor and employment practice group in Sheppard, Mullin, Richter & Hampton's Chicago and New York offices, said those steps should help protect Illinois businesses against potential future liability under BIPA.
Illinois' BIPA passed the Illinois General Assembly in October 2008, supposedly to limit collection and storing of biometric information. But the law also allows private individuals to sue for damages, and plaintiffs' lawyers have rushed to do just that in recent years. The potential damages can stack up, as well, as BIPA prescribes $1,000 to $5,000 per violation, based on how intentional the alleged violations are found to be.
This can amount to many millions of dollars in potential liability for even a relatively small employer.
BIPA has prompted a bloom in class action lawsuits since the act's passage more than a decade ago, with the bulk of those lawsuits filed since 2015. Most recently, the lawsuits have targeted a range of employers from the boutique Magnificent Mile confectionary Dylan's Candybar to freight railroad operators CN and CSX and Chicago's Roosevelt University, among many others.
Businesses could also be left to fend for themselves. Earlier this year the insurer for suburban grocer Chicago supermarket chain Caputo's Fresh Markets asked the Cook County Circuit Court to be excused from funding Caputo's legal defense in a lawsuit over alleged BIPA violations.
The lawsuits particularly have surged in recent months after the Illinois Supreme Court in January unanimously overturned an earlier state appellate court ruling in Rosenbach v Six Flags, saying the lower court should not have dismissed the BIPA class action against the theme park operator. In that ruling, the state's highest court said plaintiffs don't need to prove any actual harm to sue businesses over fingerprint scan and other biometric identification rules under BIPA.
Following the Rosenbach decision, employers in the state looked to the General Assembly to amend BIPA, specifically the act's private right of action section. However, Senate Bill 2134, which would have amended BIPA and deleted language in the act that creates a private right of action, didn't make it out of a state Senate committee before a March 28 deadline.
While not impossible, it is unlikely the state Senate will yet act on the bill, Fabian said.
"More likely is that a bill may be reintroduced next session," he said. "Whether that bill makes it out of committee is, of course, yet to be seen."