The Illinois Biometric Information Privacy Act ("BIPA") is yet another Illinois law drafted with ambiguities which beg, unfortunately, for litigation. Where a statute is drafted with holes of ambiguity, (and this one has many), it is up to the judiciary to fill those voids, and that, of course, means costly litigation. One ambiguity was recently clarified by the Illinois Supreme Court in Rosenbach v. Six Flags Entertainment Corporation. 2019 IL 123186. Rosenbach is bad news for employers.
The Illinois Supreme Court agreed to review the Rosenbach case to address the issue of whether a 14 year old who had his biometric information captured at Six Flags amusement park without a signed consent, was "aggrieved" such as to have standing to sue under BIPA. The plaintiff in Rosenbach had suffered no actual damage meaning that there was no allegation of the sale or transfer of his biometric data to a third party. In other words, the question was whether the "technical" violation of BIPA alleged in Rosenbach, of Six Flags capturing plaintiff's data without the statutory required consent, could alone support a lawsuit. The Illinois Supreme Court reviewed this issue because there was an interpretive conflict between the Illinois appellate courts on this issue. The Second District Appellate court in Rosenbach had dismissed the case on account of the fact that the plaintiff had not alleged that he had suffered any actual harm. Rosenbach, 2019 IL 123186. However, the First District appellate court had reached the opposite decision in Sekura v. Krishna Schaumburg Tan, Inc., 2018 IL App (1st) 180175, decided in September, 2018. The Illinois Supreme Court, disagreed with the Second District's analysis and concluded that it was enough to allege that biometric data had been secured to support a lawsuit under BIPA.
Although Rosenbach decision determined, unfortunately for employers, the issue of who is "aggrieved" under BIPA, issues remain as to whether an individual who suffers no "injury in fact" has "standing" to sue in federal court. The most recent decision from the Northern District Court of Illinois held that a technical violation of BIPA alone is insufficient "injury-in-fact" to support federal jurisdiction. See McGinnis v. United States Cold Storage, Inc., No. 17 C 08054, 2019 U.S. Dist. LEXIS 848 (N.D. Ill. Jan. 3, 2019).
In addition, substantial areas of ambiguity remain. For example, the meaning of recovery "for each violation" will certainly be a matter of substantial dispute. While plaintiffs' attorneys will argue that "for each violation" means every unauthorized scan, such an expansive interpretation should be rejected by courts under standard rules of statutory construction. More fundamentality, technology developed since the passage of BIPA will certainly challenge whether captured information constitutes biometric information covered by BIPA. Finally, because the BIPA fails to identify a limitation period to bring a claim under the Act, very significant disputes will arise with plaintiffs' attorneys arguing for the application of the Illinois five year "catch-all" limitation period and defense counsel arguing that the one year, (most closely related) limitation period for privacy violations should apply.
Unfortunately, legislation introduced last year by Sen. Bill Cunningham in the Illinois legislature to amend BIPA so that it would be not be applicable to employers who use the information exclusively for employment or human resource purposes, would appear to have died and, at this point, no bill has been introduced in the new legislative session to amend BIPA.
Regardless of partisan position, this legislation requires amendment.
Until such time as BIPA is, hopefully, amended, employers should be vigilant to:
- Collect and retain BIPA compliant consent forms before using biometric scanning devices;
- Ensure the security of all collected biometric identifiers and information;
- Develop and enforce policies to ensure that biometric identifiers and information are not transferred to any third party except under the limited and specific conditions set forth under BIPA; and
- Develop and retain a BIPA compliant written biometric identifier and information retention and destruction policy.
Questions? Contact attorney Jennifer Adams Murphy in our St. Charles office at (630) 377-1554 or by email at [email protected]