Employees in Illinois are continuing to file class action complaints against their employers. Bob Evans Restaurants and Suparossa Restaurant Group are two of the latest to be accused of violating the Illinois Biometric Information Privacy Act. Both companies’ employees took issue with their employers’ use of their fingerprints and other biometric information in time-clock and point of sale systems. The employees alleged that their employers collected and used their information without the written consent necessary under BIPA. As we have written previously class action lawyers are increasingly bringing cases alleging violations of the law.
The Illinois law states, inter alia, that entities in the state that collect biometric information must provide individuals with notice about how their biometric information will be used. There are also security requirements contained within the law, and limits on the ability to retain and share biometric information. BIPA permits recovery of statutory damages and attorney fees. Any “aggrieved” person may recover $1,000 or actual damages (whichever is greater) for each negligent violation and $5,000 or actual damages (whichever is greater) for each intentional or reckless violation, as well as attorney’s fees, expenses, and costs (including expert witness fees), in addition to “other relief, including an injunction.”
BIPA was the first state law of its kind. Similar laws now exist in Texas and Washington. Unlike the Illinois law, though, those statutes may only be enforced by the states’ respective attorneys general, not by private individuals. While initial proposed biometric privacy legislation has failed in a few states recently, there is new legislation pending in several states, and as public interest increases it is likely that more will follow.
Putting it Into Practice: Systems using biometric identifiers and information can be useful, especially for tracking employee hours and for building security. Companies who do business in Illinois, Texas, and Washington should keep in mind the requirements of the biometric laws like BIPA. Companies doing business in other states may also want to follow suit, as similar requirements may soon be in place in their jurisdictions.