A Recent Wave of Lawsuits Hits Manufacturers for Using Fingerprint Scans

Day after day new lawsuits are being filed against manufacturers and other companies whose employees “clock-in and clock-out” using fingerprint scans. Almost 30 new lawsuits have been filed in Illinois since January 1, 2019, all thanks to a new ruling by the Illinois Supreme Court. Now, if manufacturers don’t have the proper disclosures and consents, your employees who scan fingerprints to clock in at any of your Illinois locations could file a class action under what’s called the Illinois Biometric Privacy Act or “BIPA” for short. There are very few defenses to BIPA suits, and would-be plaintiffs can still sue their employers, or former employers, if they’ve suffered no injury at all because of the fingerprint scan. In Rosenbach v. Six Flags Entm’t Corp., the Illinois Supreme Court held that an “aggrieved person” who has a claim under BIPA need not state a separate, real-world harm beyond a statutory violation, throwing the door wide to BIPA litigation. 2019 IL 123186. This decision has ramifications for any company that does business in Illinois and makes it easier for plaintiffs to sue. In fact, from what we’ve seen in the last two months, plaintiffs are flooding Illinois state court dockets right now.

Enacted in 2008, BIPA is the first state law concerning the growing number of businesses collecting biometric data. The statute was enacted in response to the bankruptcy sale of a company called Pay By Touch, which used biometric technology to allow consumers to pay for items using their fingerprint. In 2008, Pay By Touch attempted to sell its biometric data, spurring the ACLU of Illinois into action. As a result, the Illinois legislature passed BIPA. BIPA protects biometric data such as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” 740 ILCS 14/1 et seq. Private entities that collect this data must adhere to requirements for collection, destruction, and disclosure of this data. Id. The statute requires entities that collect and retain this data to obtain informed consent and to make certain disclosures upon collection. Id. BIPA also provides for a private right of action for violations of the statute, with damages of up to $1,000 per negligent violation and $5,000 per intentional or reckless violation. Id. Of course it’s those big dollar amounts that have spurred the onslaught of recent litigation.

The statutory damages provision has made BIPA a magnet for plaintiffs’ attorneys who file these cases as class actions, claiming that each and every time an employee scans a fingerprint, the defendant has violated BIPA. A business with 50 employees who clock in once in the morning, clock out over the lunch hour, clock back in after lunch, and clock out to go home, potentially faces as much as $50 million in potential damages (50 employees x 4 time clock swipes x 5 days x 50 weeks x $1,000 = $50,000,000).

In Rosenbach, the plaintiff filed a putative class action lawsuit against Six Flags Great America, alleging her 14-year-old son’s fingerprint was collected without notice and consent when he purchased a season pass to the Great America theme park. 2017 IL App (2d) 170317. Plaintiff asserted Six Flags had violated BIPA by (1) collecting, capturing, storing, or obtaining biometric identifiers and biometric information from class members without written notification; (2) not informing them in writing of the specific purposes for which defendants were collecting the information or for how long they would keep and use it; and (3) not obtaining a written release before collecting the information. Id. Six Flags filed a motion to dismiss on the grounds that plaintiff’s son was not an “aggrieved” person, because his fingerprint data had never been stolen or sold. Id.

Ultimately the Illinois Supreme Court weighed in, Rosenbach v. Six Flags Entm't Corp., 2019 IL 123186, at ¶ 1, and explained that the Illinois legislature could not possibly have intended to limit a plaintiff's right to bring a cause of action to circumstances where he or she has sustained some actual damage. Id. at ¶ 25. “To require individuals to wait until they have sustained some compensable injury beyond violation of their statutory rights before they may seek recourse, as defendants urge, would be completely antithetical to [BIPA’s] preventative and deterrent purposes,” said the Illinois Supreme Court. Id. at ¶ 37. The court rejected the appellate court’s characterization of the statutory violation as “technical,” finding instead that it was “real and significant.” Id. at ¶ 40. “When a private entity fails to adhere to the statutory procedures, as defendants are alleged to have done here, the right of the individual to maintain [his or] her biometric privacy vanishes into thin air.” Id. at ¶ 34. 

This decision is a weighty one for defendants that appears to make it easier for plaintiffs to state a cause of action in state court. Already these cases are pouring into Illinois courts. If you are an employer who does business in Illinois and uses biometric time clocks, plaintiffs may have you in their sights. If you are going to continue to use these time clocks, you should immediately take steps to make your biometric policy and consent language BIPA-compliant.

If you have further questions about BIPA, please contact Reena Bajowala, Isaac Colunga, or another member of our Data Security and Privacy Group.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.