A private right of action and five-year statute of limitations are fueling a boom in class action lawsuits under the Illinois biometric privacy statute, a law protecting Illinois consumers and employees from company misuse of data taken from people’s facial imaging, fingerprints, voiceprints, retina scans and other types of imaging.
“This is a significant area of exposure right now,” said D. Reed Freeman, Jr., a partner in the Washington, D.C., office of Arent Fox Schiff LLP.
Facebook agreed to pay $650 million in 2021 to settle a class action lawsuit alleging that the app violated the state’s biometric privacy law by using facial recognition technology until November 2021.
In similar lawsuits, Google agreed to pay $100 million, TikTok $92 million and Snapchat $35 million.
The Illinois law requires companies that collect biometric data to obtain written consent from employees and customers and develop a written policy about its collection, retention and destruction.
Biometric identifiers do not include writing samples, written signatures, photographs, human biological samples, demographic data or physical descriptions.
Protection pioneer
Illinois was the first state to enact a comprehensive biometric privacy law, in 2008, and several states have since followed suit. “It’s the most expansive statute” of this kind, said Jody Kahn Mason, a principal in the Chicago office of Jackson Lewis P.C. and a co-leader of the firm’s Biometric Privacy Litigation Group and its Privacy Litigation team.
Businesses other than social media companies have embraced the use of the technology. One popular use is in an employment context: employers are using it for clocking in employees through fingerprint scans.
Depending on how they get approval for the scanning, they could be on the hook for violations, not just in Illinois but any state that has a similar statute in effect.
More than 2,000 lawsuits have been filed under BIPA since 2018, according to data reported by NPR. The first class action lawsuit under the law was filed in 2015, according to an analysis by law firm Seyfarth Shaw.
Court rulings
Filing activity under the statute remained minimal until around 2017, when a plaintiff’s law firm started filing cases, the Seyfarth Shaw analysis shows. More lawsuits got a jumpstart earlier this year from two cases that were filed, Freeman said.
In Tims v. Black Horse Carriers, the court clarified that a five-year statute of limitations applies to most BIPA violations. The defendants argued that a one-year statute of limitations should apply.
“That is a long tail on these types of claims,” Kahn Mason said.
Just a few weeks later, the court ruled on the question of whether the statute of limitations began to run with the first collection of biometric data that violates the statute or every action, including the most recent. In Cothron v. White Castle Systems, the Illinois Supreme Court held that a company can be subject to violations of BIPA each time it scans or transmits biometric data without an individual's prior informed consent. The defendant argued that such a finding could make it liable for billions of dollars in damages, but the court rejected the argument, stating that its job is to interpret the law, Freeman said. The tribunal suggested that changes to the law are the legislature’s responsibility.
The statute calls for $1,000 for each negligent violation and $5,000 for each reckless or intentional violation.
The White Castle decision is widely believed to have increased the possibility of large fines for violations, a potential risk especially for employers using employee scans for clocking in. Penalties can total in the thousands or hundreds of thousands each day that companies use biometric devices to clock their employees into and out of the workplace.
“The Illinois courts are being permissive with this statute,” said Freeman, adding that “when given the choice between a more restrictive interpretation and a broader one, we're seeing a trend to a broader interpretation, which increases the incentive for plaintiffs’ lawyers to bring cases.”
These two decisions made suing under the statute more attractive to the plaintiffs’ bar, defense lawyers say.
In September 2023, the Illinois Supreme Court heard oral arguments in a pair of class action suits brought by two nurses who allege their employers violated the statute. The plaintiffs say the hospital system did not collect written releases allowing the organizations to use their fingerprint data, nor did the hospitals provide information about how the biometrics would be stored or eventually destroyed.
Could it happen elsewhere?
Texas and Washington are two other states that have biometric laws on the books, but they’re not generating similar levels of activity. The Washington law is more limited in scope, and in Texas, the law is similar but there’s no private right of action. Only Illinois has that. What’s more, because of a 2019 Illinois Supreme Court decision, plaintiffs don’t have to show harm to be considered aggrieved under the law. “We have seen cases where there was no actual harm,” Kahn Mason said.
Freeman said he wouldn’t be surprised to see more of these types of laws adopted by states given the way legislators influence and copy each other.
Some cities have biometric privacy laws on the books, too. According to Seyfarth Shaw, Portland, Ore., and New York City have ordinances that create a private right of action for individuals that could subject local businesses to millions of dollars in liability. Both laws went into effect in 2021.
There is no federal biometric privacy law. However, Freeman noted, the Federal Trade Commission has issued a policy statement on the collection and use of biometric information – an indicator that, on a national level, “they are on the biometric information beat,” he said, “looking for cases” and won’t hesitate to use their law enforcement authority to go after practices that are considered deceptive or unfair.
Compliance best practices
The lawsuits and multimillion-dollar settlements are a wakeup call for companies that collect, use or store the data on Illinois residents, but compliance isn’t difficult, Freeman said.
You want to start by knowing whether you’re collecting the restricted data, he said. It might not be obvious.
For example, there are several class action lawsuits against apps or websites that offer a virtual “try on” tool for makeup, clothes, jewelry or a haircut. Participants can use their camera to take a selfie and have the element superimposed on their face or body. Plaintiffs are alleging in some cases that this is collecting facial scans, Freeman said. You have to think about whether you are collecting faceprints or voiceprints or fingerprints or any other kind of identifier that’s tied to a biometric element.
If you are, you need to set up a system to get people’s informed, written consent prior to collecting their data. Then you need to disclose and publish your retention and destruction schedule for the data.
“The trickiest issue is having an inventory of where you’re collecting this information,” Freeman said. Once you have that inventory, you can create a compliance plan.
It then becomes an ongoing task to ensure you remain in compliance; the five-year statute of limitations is a “long tail” that can result in claims being brought under BIPA even if you start out in compliance, Kahn Mason said.
Legal experts note that the public’s appetite for increased privacy protection and the evolving legal landscape around data privacy mean that companies and in-house counsel should regularly assess their corporate practices over the use of consumer data and stay on top of local, state and federal legislative activity.