Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.
In the two years since the Illinois Supreme Court ruled that a failure to obtain written consent prior to collecting an individual’s biometric data is enough to maintain an action under the Illinois Biometric Information Privacy Act (BIPA), over 800 class actions have been filed against Illinois employers. With the question of liability unsettled and the case law stacked in favor of employees, employers that have implemented biometric timekeeping systems, access controls, and temperature scanners have almost universally agreed to settle BIPA class actions. This has resulted in millions of dollars being paid to employees who have not—and in most cases cannot—demonstrate that they suffered any type of harm. That may soon change.
The Illinois General Assembly is currently considering House Bill 559 (“the Bill”), which seeks to materially revise BIPA’s rigid compliance obligations and limit an individual’s ability to file a class action lawsuit against a non-compliant entity. If passed, the Bill would make the following key changes to BIPA:
- Narrow Scope of Biometric Information Covered by the Act: It is now industry standard for biometric technology, such as biometric timeclocks, to convert a scan of an individual’s body feature (fingerprint, retina or iris, handprint, facial geometry) into what amounts to a unique numerical identifier. For employees who use biometric timeclocks, this unique identifier is often based on the distance between points on their fingerprint—the timeclock applies an algorithm to create a mathematical representation of the fingerprint, which serves as a “template.” Each time the employee clocks in or out, the biometric timeclock applies the same process to the fingerprint and compares the result to the template to confirm the identity of the person who clocked in or out. As a result, most of the biometric timeclocks on the market do not actually store any biometric data.
Recognizing this, the Bill seeks to exempt from BIPA’s purview “information derived from biometric information that cannot be used to recreate the original biometric identifier.”
- 30-Day Cure Period: The Bill takes direct aim at the ease by which an aggrieved employee can file a class action lawsuit by requiring individuals whose biometric information was collected in violation of BIPA to give the violating entity an opportunity to cure the issue. The Bill uses language similar to that found in the California Consumer Privacy Act (CCPA)1 to require an aggrieved individual to take the following steps before filing suit:
- The aggrieved individual must draft a written notice that explains the specific provisions of BIPA that have been / are being violated.
- The notice must be served upon the entity in violation of BIPA 30 days prior to any action being filed.
If the company cures the violation within the 30-day period and provides the aggrieved individual with a written statement explaining that the violation has been cured and that no further violations shall occur, the aggrieved individual could not file an action against the company.If, however, the company continues to violate BIPA, an action could be filed.
- One-Year Statute of Limitations: The Bill would require any action to be filed “within one year after the cause of action accrued.” This could prove particularly important in the coming months, as the Illinois Appellate Court is scheduled to release an opinion answering the question of the statute of limitations applicable to BIPA class actions. The courts that have answered the question thus far have held a 5-year period to be applicable. The Bill would substantially shorten that period, and in turn reduce employers’ exposure under BIPA.
- Removal of Statutory Penalties: The Bill would remove three provisions that have facilitated the significant settlements in this area: (1) BIPA’s $1,000 liquidated damages provision for “negligent violations” of the Act; (2) BIPA’s $5,000 liquidated damages provision for “intentional or reckless” violations of the Act; (3) BIPA’s “for each violation” language that proceeded these penalties. Taken together, these provisions have been used by the plaintiff’s bar to support an argument that an employer that risks taking a BIPA case to trial could be faced with $1,000 in liability for every clock-in by every employee who used the clock. The Bill would limit an aggrieved individual’s recovery to actual damages plus attorney’s fees. Liquidated damages would be available for individuals who prove that an entity willfully violated BIPA—for example, a company that continues to violate BIPA after sending the written attestation outlined above—although the Bill would cap liquidated damages at the amount of actual damages.
- Exclusion for Unionized Employers: Other than consent, the one successfully tested defense for employers named in BIPA actions has been a preemption argument under the Labor Management Relations Act.2 The Bill appears to recognize this in part, and would exempt from BIPA’s purview any private entity that has employees covered by a collective bargaining agreement “that provides for different policies regarding the retention, collection, disclosure, and destruction of biometric information.”
- Permitting Electronic Consent: Finally, the Bill would remove the requirement that a company obtain a “written release.” The Bill would add language to BIPA making clear that informed written consent, which can be obtained electronically (on the biometric technology, for example) would satisfy BIPA’s consent requirement. Notably, the Bill would also add language to BIPA clarifying that written consent is needed for any redisclosure of biometric data to a third party, such as a vendor.3
The Bill, introduced in February, was advanced by a House Judiciary Committee on March 9, 2021. The Committee voted 10-5 in favor of the bill, which will now proceed to the House floor for debate. A nearly identical bill—House Bill 560—was simultaneously introduced alongside the Bill. House Bill 560 is materially similar to House Bill 559, but in lieu of BIPA’s private right of action and the proposed 30-day cure period, House Bill 560 would instead restrict enforcement of BIPA to the Illinois Attorney General and State Attorneys offices, or to the Illinois Department of Labor in the case of employees. House Bill 560 has not yet advanced out of committee.
This is not the first attempt to revise BIPA, and in particular, to remove the law’s private right of action. Bills intended to remove BIPA’s private right of action and/or exempt employers from liability under BIPA were introduced during the 2018 and 2019 legislative sessions and failed to pass. House Bill 559 is the first bill intended to amend BIPA that has advanced out of committee, however.
Littler will continue to monitor these bills as they work their way through the legislative process, and report on significant developments.
1 See California Civil Code §1798.150(b).
2 See Barton v. Swan Surfaces, LLC, No. 20-CV-499-SPM, 2021 WL 793983 (S.D. Ill. Mar. 2, 2021).
3 The Bill would make one other notable change, although it is unlikely to impact employers. The Bill would require companies to distribute a BIPA-compliant policy only to the employees whose biometric data is collected—companies would no longer need to make their BIPA policy publicly available. Given that most employers that use biometric technology incorporate their BIPA policy into their existing workplace policies (that are not available to the general public) this provision is unlikely to benefit employers.