Illinois’s Biometric Information Privacy Act and the Private Right of Action: A Recipe Possibly Coming to a State Near You

Greg Marcus – In 2008, Illinois’s Biometric Information Privacy Act (BIPA) became the first state law to regulate the collection and use of biometric data. The BIPA is often heralded as a “promising framework” for comprehensive biometric data privacy law, and thanks to two rulings by the Illinois Supreme Court in February 2023 it has become even more protective.

In Tims v. Black Horse Carriers, Inc., employees of Black Horse Carriers claimed multiple BIPA violations including that the company installed a fingerprint authentication timeclock without the employees’ consent. Since the BIPA does not include a statute of limitations provision, Black Horse claimed a one-year statute of limitations reserved for Illinois actions for “the publication of matter violating the right of privacy” applied to BIPA actions and the employees’ claim was therefore untimely. The Illinois Supreme Court disagreed, holding that Illinois’s “catchall” five-year statute of limitations for statutes without a stated limitation period applies to BIPA claims.

In Cothron v. White Castle System, Inc., a White Castle employee claimed that the company violated the BIPA by instituting a fingerprint scanning system operated by a third party without her consent. White Castle argued that the employee’s claim accrued when the BIPA was enacted in 2008, and was therefore untimely. Here, the Illinois Supreme Court also disagreed, holding that a separate BIPA claim accrues each time a private entity collects or transmits an individual’s biometric data in violation of the Act, which White Castle allegedly did each time it scanned the employee’s fingerprint without consent.

Thus, these two rulings have answered questions surrounding BIPA enforcement that have “plagued courts for years.” Since negligent BIPA violations carry $1,000 in damages per violation, and intentional or reckless violations $5,000 per violation, concerns have mounted that “exorbitant” damage awards will bankrupt defendant businesses. In the White Castle case, for example, if an employee scanned her fingerprint four times a day, five days a week, for 50 weeks per year without consent, White Castle could be liable for $1 million in statutory damages for that one employee for one year under the BIPA (1,000 scans at $1,000 each). In fact, it is estimated that White Castle could face damages upward of $17 billion based on the size of the class action it faces.

Due to the possibility of these steep damage awards, a private right of action is often pointed to as a crucial driver of deterrence in consumer protection laws like the BIPA. As the White Castle example illustrates, BIPA noncompliance can quickly spiral into significant liability exposure that businesses would generally seek to avoid. Additionally, these potential damage awards are attractive for would-be plaintiffs, who will be far less likely to settle now given the potential for billion-dollar judgments. Consequently, the private right of action has been a contentious provision in proposed data privacy legislation. Florida attempted to pass a data privacy law in 2021, but it ultimately faltered in the state Senate due to disagreements over including a private right of action. Industry interests excel at influencing legislatures that consider these bills, pushing the narrative that private rights of action are “just . . . win[s] for plaintiff’s attorneys” that would clog the court system with “frivolous lawsuits.”

Biometric data—defined as “personal data resulting from specific technical processing relating to the physical, physiological or [behavioral] characteristics of a natural person, which allow or confirm the unique identification of that natural person”—has become a hot topic in state legislatures across the nation. Seventeen states have proposed state laws regulating biometric data privacy, nine of which are similar to Illinois’s BIPA. As a result, businesses nationwide may soon be exposed to liability similar to that which Illinois businesses currently face regarding biometric data.

With many states poised to pass biometric data privacy laws, companies should take steps to stay apprised of how compliance requirements for the collection and use of biometric data may affect their businesses. First, businesses should check if they deal with biometric data in relation to employment practices or consumer data in any way. Common practices include fingerprint scanners for employee timekeeping or facial scanners used by online applications for photo tagging and face filters. Second, if a business does leverage biometric data for any reason, compliance officers should investigate how that biometric data is collected, stored, and used. Third, businesses should track biometric privacy legislation in their applicable jurisdictions to ensure they are prepared for any compliance requirements on the horizon. Businesses should be acutely aware of any biometric privacy laws in their applicable jurisdictions that include a private right of action, as non-compliance in these jurisdictions could result in costly litigation. Finally, should any applicable biometric privacy legislation be enacted, compliance officers should immediately ensure conforming collection, storage, and transfer practices for biometric data are in place.