employee biometric privacy

An Illinois district court remanded to state court for lack of standing a biometric privacy suit brought by employees over the collection and storage of individuals’ fingerprints allegedly in violation of the Illinois Biometric Information Privacy Act, 740 ILCS 14/1 (“BIPA”). (Aguilar v. Rexnord, LLC, No. 17 CV 9019 (N.D. Ill. July 3, 2018)).  This decision echoes other recent rulings where federal courts have found a lack of Article III standing in disputes where employees claimed procedural violations of BIPA over the knowing collection of fingerprints for timekeeping purposes, absent any claims of wrongful sharing or disclosure.  See e.g., Howe v. Speedway LLC, No. 17-07303 (N.D. Ill. May 31, 2018) (even if failing to provide certain disclosures and obtain his written authorization prior to collecting and storing plaintiff’s fingerprints may constitute a violation of BIPA, such procedural violations did not cause an injury in fact where the employee was aware of the nature and purpose of collection); Goings v. UGN, Inc., No. 17-9340 (N.D. Ill. June 13, 2018) (remanding BIPA claims for lack of Article III standing because claims were too abstract and employee was aware he was providing fingerprint data to his employers and did not claim any non-consensual disclosure of such data). 

Last December, an Illinois appellate court, in the Rosenbach v. Six Flags decision (2017 IL App (2d) 170317 (Dec. 21, 2017)), dismissed biometric privacy claims lodged against theme park operators for collecting fingerprints to authenticate season-pass holders allegedly in violation of the notice and consent provisions of Illinois’s Biometric Information Privacy Act (BIPA), which regulates the collection, retention, and disclosure of personal biometric identifiers and biometric information.  BIPA expressly provides that “any person aggrieved by a violation” of the BIPA may pursue money damages and injunctive relief against the offending party.  In interpreting what “aggrieved” means under BIPA, the Rosenbach court ruled that a “person aggrieved by a violation of [the] Act” must allege some harm (“[A] plaintiff who alleges only a technical violation of the statute without alleging some injury or adverse effect is not an aggrieved person under…the Act”).  While federal courts have weighed in on whether litigants have Article III standing when asserting mere procedural violations of BIPA’s consent and data retention requirements, it was not clear if such procedural violations, without any showing of harm or data misuse, were actionable under the statute.  Rosenbach was the first time an Illinois appellate court weighed in on the meaning of an “aggrieved” party under BIPA.

Following Rosenbach, we speculated whether the decision would curb the wave of BIPA class actions asserting procedural violations filed against employers and businesses that used biometrics to authenticate employees or customers; the answer to that question remains in flux, with subsequent rulings falling both ways.  For example, at least two Illinois trial courts followed Rosenbach in dismissing BIPA claims, though without intensive analysis of the issue. See: Rottner v. Palm Beach Tan, Inc., No. 15-CH-16695 (Ill. Cir. Ct. Mar. 2, 2018) (bound by Rosenbach‘s holding that neither liquidated damages nor injunctive relief is authorized under BIPA when the only injury alleged is a statutory violation; court stated that plaintiff allowed defendants to scan her fingerprint and there had been no publication of plaintiffs private information to sustain injury to a privacy right); Sekura v. Krishna Schaumburg Tan, Inc., No. 16-CH-04945 (Ill. Cir. Ct. Jan. 16, 2018) (brief order dismissing claims “[f]or the reasons outlined in Rosenbach”) (on appeal).

However, the recent California district court ruling in the Facebook biometric privacy litigation parted company with a reading of Rosenbach that would require a litigant to show an “actual” injury beyond the invasion of privacy rights outlined under BIPA and instead ruled that the plaintiffs had “sufficiently alleged” an intangible injury to a privacy right to be “aggrieved” under BIPA. It should be noted that the California court did look differently at Rosenbach and other cases involving voluntary fingerprinting where individuals knew that their biometric data would be collected before they accepted services as opposed to the social media photo tagging situation where such plaintiffs allege that they were not put on adequate notice that biometric data could be collected from uploaded photos.

This past month, in a notable ruling, an Illinois district court followed Rosenbach yet still declined to dismiss a suit brought by a former employee who asserted BIPA and negligence claims, among others, against a senior living center (“Defendant” or “Smith”) and its time clock vendor over the scanning of her fingerprints onto an employee biometric timekeeping device. (Dixon v. The Washington and Jane Smith Community – Beverly, No. 17-8033 (N.D. Ill. May 31, 2018)).  Specifically, the complaint alleged that Smith required new employees to have their fingerprints scanned by the defendant Kronos’s fingerprint scanner and entered into a database so employees could be authenticated when clocking in and out.  According to the plaintiff, Smith, among other things, failed to give adequate notice or obtain written consent before colleting her fingerprints, or post a biometric data retention policy.  Moreover – and really the allegation that pushed the complaint over the line – plaintiff claimed that, in addition to collecting and storing her biometric information, Smith also “systematically disclosed” that information to Kronos, the out-of-state, third-party vendor of Smith’s biometric time clocks, without informing her that it was doing so.

As 2017 drew to an end, we noted the continuing flood of Illinois biometric privacy suits filed over the past year.  There are literally dozens of cases pending, most in Illinois state courts, alleging violation of Illinois’s Biometric Information Privacy Act (BIPA), which regulates the collection, retention, and disclosure of personal biometric identifiers and biometric information.  The suits initially targeted the use of biometrics on social media platforms, but, perhaps reflecting the increased use of biometrics in the workplace, have increasingly been asserted against businesses that collect biometric data to authenticate customers or employees.

While federal courts have weighed in on whether litigants have standing for asserting procedural violations of BIPA, it was not clear if mere procedural violations of BIPA’s consent and data retention requirements, without any showing of actual harm or data misuse, were actionable under the statute (i.e., whether persons pleading procedural violations are “aggrieved” under the statute, as BIPA expressly provides that “any person aggrieved by a violation” of the BIPA may pursue money damages and injunctive relief against the offending party).

As the year came to a close, an Illinois appellate court may have cooled the New Year’s Eve celebrations of BIPA class action lawyers a bit, as the court issued a decision which could provide defendants with a shield against BIPA suits.  The court ruled that if a party alleges only a technical violation of BIPA without alleging any injury or adverse effect, then such a party is not “aggrieved” under the Act and may not seek remedies (i.e., monetary damages or injunctive relief).  (Rosenbach v. Six Flags Entertainment Corp., No. 2-17-0317, 2017 IL App (2d) 170317 (Ill. App. Dec. 21, 2017)).

After noting the flood of Illinois biometric privacy suits in September, it appears that the flow of such suits remains robust.  Dozens of suits have been filed in Illinois state court against Illinois-based employers and other businesses alleging violation of Illinois’s Biometric Information Privacy Act (BIPA), which generally regulates the collection, retention, and disclosure of personal biometric identifiers and biometric information, and encourage businesses that collect such personal data to employ reasonable safeguards.

In recent years, biometric privacy suits initially involved social media services and video game makers, but have increasingly been asserted against businesses that collect biometric data to authenticate customers or employees, especially Illinois-based employers that use biometric timekeeping devices to verify employees when clocking in and out.  

This month, in one of the many recently-filed Illinois biometric privacy suits, a class action complaint alleging violations of Illinois’s Biometric Information Privacy Act (BIPA) was lodged against Wow Bao, a restaurant chain, over its use of self-order kiosks that allow customers to use faceprints as a method to authenticate purchases. (Morris v. Wow Bao LLC, No. 2017-CH-12029 (Ill. Cir. Ct. filed Sept. 5, 2017)).  The suit against Wow Bao was not the only BIPA-related suit filed in September, as several businesses with an Illinois presence, including Crunch Fitness and Speedway, Inc., were served with complaints. And more than a week ago, an Illinois federal court refused to dismiss BIPA claims against photo storage service Shutterfly over claims that its photo tagging feature created a faceprint of the non-user plaintiff after a friend uploaded a group photo, and upon the service’s suggestion, then tagged the plaintiff, thereby storing plaintiff’s faceprint and name in Shutterfly’s database without his notice or consent. (Monroy v. Shutterfly, Inc., No. 16-10984 (N.D. Ill. Sept. 15, 2017)).