Contributed By Carlos Arévalo and Molly Arranz, May 4, 2021

fingerprint scan provides security access with biometrics identification

For the past several years, we have periodically reported regarding the proliferation of class actions and other litigation under the Illinois Biometric Information Privacy Act (BIPA).

Under BIPA, entities may not “collect, capture, purchase, receive through trade or otherwise obtain” or store a person’s biometric information without informing an individual in writing about the collection or storage of said information. Entities collecting biometric information must also specify the purpose for its collection and storage and how long it will be kept. Finally, entities must obtain a written release signed by the individual whose information has been collected.

While it has been approximately 13 years since BIPA was enacted, there are still a number of issues being litigated. One thing is certain: BIPA packs a punch with eye-popping statutory damages and monetary awards that can lead to anywhere from $1,000 to $5,000 per violation plus attorneys’ fees. Moreover, considering that an alleged violation is enough to bring a suit, BIPA is a class action dream – bearing in mind that if an employer is collecting biometric data on one individual, it is likely collecting it on many individuals.

Two critical questions will soon be addressed. First, at the Illinois appellate level, clarification is expected on the applicable statute of limitations. While a federal court in the Southern District of Illinois seemed prepared to accept a five-year statute of limitations as controlling, that court acknowledged that BIPA precedent was still “developing.” Indeed, two pending cases, namely Tims v. Black Horse Carriers, Inc. and Marion v. Ring Container Techs, will likely decide “whether BIPA claims are potentially subject to a one-, two-, or five-year statute of limitations.”

Secondly, the Seventh Circuit is expected to rule on the issue of whether or not claims accrue with each scan as opposed to only the first collection of biometric information.  In Cothron v. White Castle, the district court found that each biometric scan was a “discrete, individual act and not an accumulated course of conduct” and not a “continuing violation.” The court fully acknowledged that such interpretation might lead to large damages. However, citing Illinois precedent, the court added that where the statutory language is clear, it must be given effect even though the consequences may be “harsh, unjust, or unwise.”

In light of these risks and ongoing filings, employers must remain vigilant and ensure compliance with BIPA requirements by:

  • Analyzing the type of biometric information being collected
  • Evaluating what BIPA compliant disclosures are in place
  • Ensuring that a BIPA policy is in effect and properly applied
  • Staying alert and on top of court decisions and pending regulations

For our part, we will monitor the status of the Tims, Marion and Cothron cases and ongoing BIPA litigation and will continue to provide updates as developments arise.