The Illinois First District Court of Appeals took a look at employers when it recently ruled that different statutes of limitation applied to various sections of the Biometric Privacy Act. Illinois, 740 ILCS Â§14 / (âBIPAâ or the âActâ). See Tims v. Black Horse Carriers, 2021 IL App (1st) 200563 (Sep 17, 2021). In addition to allowing aggrieved employees to look back five years for certain BIPA claims, another important takeaway from the ruling was the court’s informal observation that, since BIPA can be violated in five different ways, individual plaintiffs victims of multiple violations can recover the damages assessed by law. penalty ($ 1,000 for negligent violations or $ 5,000 for intentional violations) for each violation. In other words, an employer who violates multiple sections of the BIPA for their staff could see their exposure doubled, tripled or quadrupled in a class action lawsuit.
In order to put this decision into context, it is important to understand the different ways an employer can violate BIPA. As noted in a previous alert, the BIPA requires certain precautions and affirmative actions for employers who collect, store or use biometric identifiers, such as fingerprints, retinal scans, facial geometry, and voice prints. The law is generally applicable and protects consumers in the same way as employees, but it is the use of fingerprint clocks by employers that has spawned most of the hundreds of BIPA class actions filed in recent years. .
Employer’s Obligations Under Illinois Biometric Information Protection Act
The BIPA requires that any employer who collects, stores or uses the biometric information of its employees must:
- Develop and make available to the public a written policy setting out a retention schedule and guidelines for the destruction of biometric information, which must include destruction of the information when the reason for collection has been satisfied or three years after the last interaction of the employer with the employee, whichever occurs first. 740 ILCS Â§ 14/15 (a);
- Provide each employee with written notice that their biometric information will be collected and stored, including an explanation of the purpose of collecting the information as well as the length of time it will be stored and / or used and obtain the express written permission of the subject to collect and store their biometric information. 740 ILCS Â§ 14/15 (b);
- Refrain from selling, renting, trading or in any other way taking advantage of employee biometric information. 740 ILCS Â§ 14/15 (c);
- Obtain consent before disclosing or disseminating employee biometric data. 740 ILCS Â§ 14/15 (d); and
- Take reasonable precautions in the storage, transmission and protection of employee biometric data. 740 ILCS Â§ 14/15 (e).
The split decision of the First District Court of Appeal in Tims v. Black Horse Carriers
Responsible for determining which of the various Illinois statutes of limitation should govern BIPA claims, the Tim The court surprised observers by saying: “it depends”. Specifically, the court ruled that the one-year limitation period for privacy claims (Â§ 13-201) applies to BIPA claims involving the publication of biometric information which can be found in Sections 15. (c) – (d) and the catch-all five-year limitation period (Â§ 13-205) applies to claims brought under Articles 15 (a) – (b) and (e). This means that BIPA’s claims involving failure to obtain notice and consent before collecting, storing, or using biometric information can be dated as far back as five years from the date the complaint was lodged, but the claims regarding the improper transfer or “publication” of biometric information must be filed within one year of the alleged violation.
What does this mean for employers?
First, it highlights the need to ensure that you are BIPA compliant if you are using biometric information (information derived from biometric identifiers) in the workforce, as the ability to look five years back in certification a class action lawsuit and an award of damages dramatically increases the exposure for employers caught in violation of the BIPA.
The other takeaway from the ruling is the court’s flippant observation that employers can violate any of the five sections of BIPA and, if they do, employees can recover for each of those violations. In other words, a claimant who proves breaches of multiple obligations under the Act could collect multiple recoveries for standard damages – $ 1,000 for each negligent breach and $ 5,000 for each intentional breach. If other courts cling to this comment, courts could impose penalties under the Act that are considerably more onerous than if a single penalty were applied to each. employee whose rights have been violated.
It is not clear, however, whether employees can recover for violations of Section 15 (a) of BIPA as the Seventh Circuit has previously held that the requirement to make publicly available a written policy on retention and destruction of biometric information is “a duty to the general public”, not to the individual requester. See Bryant v. Compass Grp. United States, Inc., 958 F.3d 617 (7th Cir. 2020); Thornley v Clearview AI, Inc., 984 F.3d 1241, 1242 (7th Cir. 2021). Although these decisions were made under Article III to act, this decision could prevent employees from being compensated for a violation of Article 15 (a).
Outlook and recommendations
In addition to a possible appeal of the decision of the First District in Tim, employers should also be mindful of decisions in other cases, including:
- Seventh Circuit Court of Appeal ruling in Cothron v. White Castle System Inc., 7th Cir., No. 20-3202, regarding whether BIPA claims accumulate with every violation or just the first violation.
- The Illinois Supreme Court decision in McDonald v Symphony Bronzeville Park LLC, Ill. Sup. Ct., No. 126511, ruling on whether the Illinois Workers’ Compensation Act prevails over employee claims for statutory damages under the BIPA.
Regardless of how these issues are resolved in court, we continue to recommend the following proactive measures to mitigate the risk of a BIPA claim:
- Determine whether your business collects, stores, or uses individual biometric information (information derived from biometric identifiers) for any purpose.
- If the answer is yes, make sure your company has issued the required notice and has received signed disclaimers / consents from everyone involved. Also make sure you have a written, publicly available policy in place to cover data collection, storage, use, and destruction.
- Make sure that the data collected is not sold or disclosed to third parties, apart from the limited exceptions permitted by BIPA.
- Evaluate your data privacy protocols and processes to protect individual biometric data. If a provider has access to individual biometric data, make sure that they have sufficient data privacy protocols and processes in place.
- Make sure your data breach policies recognize that individual biometric data is considered personal information under Illinois laws regarding data breach notification requirements.