On Friday, January 25, 2019, the Illinois Supreme Court issued its long-awaited decision in Rosenbach v. Six Flags – and the unanimous opinion is bad news for businesses in the State. In essence, the Court has ruled that individuals alleging violations of the Illinois Biometric Information Privacy Act (BIPA) in state court – for example, in using a thumbprint to clock in and out of work on a biometric time clock, without the statutorily required notice and acknowledgments in place – do not need to allege any concrete injury to proceed in litigation. Simply pleading a violation of BIPA’s technical requirements will suffice, without alleging any actual injury to the individual(s) bringing the suit. As each violation of BIPA comes with a substantial fine, and the statute provides for a private right of action and recovery of attorneys’ fees, the Court has effectively opened the floodgates to the next giant wave of extremely risky and costly litigation for Illinois businesses.
Enacted back in 2008, BIPA had remained a virtual unknown for years. Unlike most laws, BIPA was passed ahead of the technology it was designed to address. Broadly speaking, BIPA requires that companies that collect or use biometric information, such as fingerprints, eye scans or voice prints, or even only the encrypted mathematical representations of those unique identifiers, obtain advance permission to do so and ensure the safeguarding of such information. BIPA’s requirements can be met through a one-page notice and acknowledgment form, which explains the appropriate purpose for which the biometric information is being collected or used, provides for the appropriate protection of and eventual destruction of that information, and requires the person’s signature to confirm consent.
The problem with BIPA is that many businesses did not consult with their counsel to take the steps necessary to comply with it before they rolled out biometric technology on a wide scale – for example, as a way to track time worked by their employees, or to identify and provide for an easy payment mechanism for their customers. Enter the plaintiffs’ lawyers. Illinois’ BIPA is literally the most restrictive and consequential state privacy law currently in existence. With a price tag of $1,000 to $5,000 for each violation, a private right of action, an attorneys’ fees provision and comparatively easy proof requirements, BIPA lawsuits make for an extremely attractive target for class action litigation.
To illustrate just how quickly damages in BIPA cases can skyrocket, consider a company with 25 non-exempt Illinois-based employees, who have been using a biometric time clock to track their time for one year. Estimating four thumb scans per day per employee (to account for the start and end of shift and lunch breaks), about 260 working days in a year, and a minimum statutory fine of $1,000 per violation, this seemingly “contained” scenario yields damages of a whopping $26 million dollars, not counting attorneys’ fees. Of all the bet-the-company litigation scenarios, FLSA class actions included, this one should be at the very top of any business’s nightmare list.
Before the Illinois Supreme Court’s ruling on Friday, dozens of previously filed BIPA class actions were left hanging in the balance relative to the so-called “Spokeo” or “actual harm” defenses. Stemming from the U.S. Supreme Court’s holding in Spokeo v. Robins (2016), the defense, which employers have been able to use with some success, generally requires that plaintiffs must allege an actual injury or some real harm, as opposed to just a technical statutory violation, in order to be able to proceed on a BIPA claim in a federal court. Similarly, in state court, a plaintiff generally needs to show that he or she was “aggrieved” by a violation of BIPA. As the defendant argued in Rosenbach, and the Second District Appellate Court agreed, a plaintiff should not be allowed to sue under BIPA without alleging having sustained some real harm or adverse effect – in that case, from once touching a finger to a scanner to enter an amusement park. The Illinois Supreme Court deemed that construction of BIPA to be “untenable,” concluding that the statute, when reviewed in context of other laws and the commonly understood meaning of the term “aggrieved,” evidences the legislature’s intent that the plaintiff need to plead only that BIPA was violated: “No additional consequences need to be pleaded or proved.” In so ruling, the Illinois Supreme Court effectively eliminated the main defense that numerous companies that were sued under BIPA in state court have been relying on.
Businesses currently defending BIPA lawsuits will need to promptly regroup with counsel and decide on a realistic, most effective defense strategy moving forward. Businesses that use biometric technology in Illinois without following BIPA protocol should immediately address and implement a smart strategy in response to the real risk they are facing. This issue is not going away in the foreseeable future; it is certain to become much more prominent and consequential. Ignore it, and sooner or later, you can expect a BIPA lawsuit.
The best positioned businesses are those that may be reading this Alert while considering, but before having implemented, biometric technology in their Illinois locations. These businesses can work with their counsel to timely prepare and provide the appropriate notices and obtain the necessary acknowledgment forms, leaving the way completely clear to take full advantage of new technologies without any BIPA-related risks. Of course, we can all expect to see a great deal of lobbying related to BIPA in the 2019 legislative session.
For more information about Rosenbach or BIPA, please contact Labor & Employment partner Sonya Rosenberg, Data Privacy & Information Governance practice group leader Gregory J. Leighton, or your attorney at Neal Gerber Eisenberg.