Biometric identifiers are distinctive, biological patterns or characteristics used to uniquely identify an individual. Common biometric identifiers include fingerprints, voiceprints, eye retinas, iris scans, or full hand or facial geometry scans. As technology that uses biometric identifiers expands, warehouses are increasingly replacing antiquated keycards, time clocks, and security protocols with biometric identifiers. As the use of this technology grows, so does state regulation around the collection, storage and protection of this type of data. Illinois is at the forefront of biometric privacy regulation, and a recent decision from the Illinois Supreme Court—Rosenbach v. Six Flags Entertainment Corporation—is useful in understanding the key provisions of biometric information privacy regulations as well as the possible litigation risk warehouses can face by failing to comply with these regulations.
- Illinois Biometric Information Privacy Act
In 2008, the Illinois legislature passed the Illinois Biometric Information Privacy Act to “regulat[e] the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.”
BIPA applies to all “biometric identifiers”—defined as retina scans, iris scans, fingerprints, voiceprints, or scans of hand or face geometry. It also places certain requirements on entities that collect, store, use, and disseminate such information. For example, BIPA requires any company, including warehousing operations, to develop a written policy that establishes a retention and destruction schedule for biometric information. Companies must make these policies publicly available. BIPA also requires warehouses gathering biometric information to make certain disclosures in writing, such as why the warehouse is collecting the data and the length of time it intends to store it, before collecting or disseminating biometric identifiers. Further, BIPA requires that a warehouse receive authorization from an individual before collecting their biometric data. These disclosure and authorization protections are common in biometric information privacy statutes.
Failure to comply with these protections can be costly. BIPA provides a private right of action for any “aggrieved” individual and allows that individual to recover liquidated damages of $1,000 for each negligent violation of the statute, $5,000 for each reckless violation of the statute, and reasonable attorneys’ fees and costs, including expert witness fees and other litigation expenses.
- Rosenbach v. Six Flags Entertainment Corporation
In Rosenbach v. Six Flags Entertainment Corporation, the Illinois Supreme Court addressed the question of whether a plaintiff can pursue liquidated damages under BIPA when the only injury alleged is a violation of the disclosure and written consent requirements of the Act. Relying on the “preventative and deterrent” purposes of BIPA, the Illinois Supreme Court held that an individual need not allege or prove “actual harm” to bring a claim under the statute. Rather, an individual is “aggrieved” when a company fails to comply with BIPA’s disclosure, authorization, and retention requirements.
Prior to this ruling, over 200 BIPA cases had been filed in state and federal courts. Following this ruling, due in large part to the onerous statutory penalties and the availability of attorneys’ fees, litigation against companies using biometric information will only increase. But all is not lost for a warehouse faced with a BIPA lawsuit. While Rosenbach undoubtedly widens the potential plaintiff pool, it does not negate other possible defenses a warehouse can advance, such as lack of judicial standing, implied consent to the collection of biometric identifiers, and improper extraterritorial application of the law.
- How to Protect Yourself
Warehouses using biometric identifiers in their operations, whether for payroll, safety, or increased efficiencies, should take the following three steps to protect themselves against future BIPA lawsuits:
- Ensure that proper retention and destruction policies are both in place and publicly available. If a company does not have a retention and destruction policy in place, it should implement one as soon as possible.
- Ensure that its biometric identifier destruction policies fit within the applicable timelines set forth in the statute.
- Review all notice and authorization forms and ensure such forms are being distributed before any biometric identifiers are collected or disseminated to third parties.
While Illinois, Washington, and Texas are the only states that have enacted major stand-alone biometric identifier privacy legislation, other states are likely to join the fray in short order. Early investment in proper biometric identifier notifications, authorizations, policies, and procedures can save a warehousing operation a great deal of time and money over the long run.
Andrew J. Butcher, Partner
Chip Andrewscavage, Attorney