Use of employee biometric data – including fingerprints, eye scans, voiceprints, and facial scans – continues to be a popular, yet legally risky, proposition for employers. Several states and municipalities have laws that specifically govern the use of biometric data, the highest profile of which is the Illinois Biometric Information Privacy Act (BIPA).
BIPA requires that, inter alia, employers obtain informed, written consent to collect employees’ biometric data, inform employees why the information is being collected and what use it will serve, develop a written policy regarding use of such data, comply with retention and destruction requirements, and avoid selling or otherwise unlawfully disclosing biometric information. BIPA is an attractive claim to class action plaintiffs’ attorneys given that it provides for a private right of action, allows for liquidated damages for technical violations, without the need to prove any actual harm, and also provides for awards based on both negligent ($1,000) and willful or reckless violations ($5,000).
Despite the filing of hundreds of lawsuits alleging BIPA violations since the law’s 2008 enactment, a great deal of legal uncertainty still surrounds BIPA. The Illinois Supreme Court agreed earlier this year to hear an appeal arguing that the Illinois Worker’s Compensation Act preempts BIPA liability. There is also a pending appeal at the Seventh Circuit concerning whether BIPA claims accrue at the time of initial violation (e.g., the collection of biometric information without informed consent), or whether they accrue with each allegedly unlawful usage or disclosure of that information. In addition, Illinois appellate courts in the First and Third Districts are both examining the appropriate statute of limitations applicable to BIPA claims, with arguments including one year, two years, and five years. With all of these open legal questions pending, resort giant Hyatt Corporation just settled a BIPA class action for 1.5 million dollars.
The class action complaint underlying the settlement is Rapai v. Hyatt Corp., No. 17-ch-14483, complaint filed, 2017 WL 5015841 (Ill. Cir. Ct., Cook Cty. Oct. 30, 2017). Ms. Rapai, a former server at a Hyatt restaurant outside of Chicago, alleged that she and her colleagues were required to use a fingerprint-based time clock to punch in and out, but Hyatt did not ask for permission before capturing employee’s fingerprint data. She also alleged that Hyatt did not maintain any written policy on use of employee biometric data or otherwise inform its employees about the use, retention, or destruction of said data. In addition to the obvious allegations of BIPA violations, the complaint claimed that Hyatt was putting members of the putative class at “serious and irreversible” risk for identity theft by inadequately safeguarding their biometric data.
While Ms. Rapai filed her complaint in 2017, Hyatt successfully moved for a stay while an Illinois appellate court decided the worker’s compensation preemption issue referenced above. After the appellate court determined that the worker’s compensation law did not preempt BIPA, Ms. Rapai moved for the stay to be lifted. Shortly thereafter, the Illinois Supreme Court agreed to review the issue, so her motion was denied and the stay remained in place. Following that ruling, the sides reached a class-wide resolution.
According to Ms. Rapai’s motion for preliminary approval of the settlement, the $1.5 million deal will likely result in more than $1,500 being awarded to each member of the settlement class. For Ms. Rapai, she and other class members receive approximately $500 more than they would be entitled to under BIPA for a single negligent violation of the statute and avoid the risks posed by the ongoing litigation and larger legal uncertainty relating to BIPA claims. The resolution also avoids Hyatt facing legal arguments relating to the $5,000 per violation for intentional or reckless violations provided under BIPA, including the risk of a finding of compound violations for each class member.
The takeaways for employers operating in Illinois are many, and similarly applicable in other jurisdictions with biometric privacy laws, such as Washington and Texas. Even in states without specific biometric privacy legislation, employers using biometric information without express employee consent risk litigation under various legal theories, including under privacy statutes and common law privacy concepts.
Regardless of jurisdiction, best practices for using employee biometric data in the workplace include:
• Obtaining written, informed consent from employees before collecting any biometric information.
• Maintaining a public, written policy governing your use of biometric data, explaining why and how the biometric information will be used, how long it will be retained, outlining destruction procedures, and providing information about security protocols to safeguard employee’s biometric information.
• Complying with such policy in all respects, paying particular attention to the procedures for safeguarding the employee’s information.
• Ensuring that vendors and service providers also maintain compliance with the biometric data policy, and updating contracts to ensure that they accept liability if they fail to do so.
• Discussing any changes to existing policies and procedures, as well as new uses of biometric data, with counsel to ensure compliance with state and local laws.