Proceeding With Biometric Caution: Illinois Courts to Decide Critical BIPA Issues

March 16, 2021

2021 is shaping up to be a groundbreaking year for employment litigation topics, and Illinois’ Biometric Information Privacy Act (BIPA) is no exception. State and federal appellate courts in Illinois are poised to decide several open BIPA issues, including the proper limitations period, whether the Workers Compensation Act pre-empts BIPA claims and what constitutes a violation.

Since its enactment in 2008, the BIPA has provided a new avenue for employee class actions. Such actions most commonly assert that employers violate the BIPA by utilizing timekeeping systems that require employee fingerprints, or other “biometric identifiers” or “biometric information,” as the BIPA defines those terms. These costly cases have skyrocketed in recent years due to employee-friendly interpretations of the BIPA, including the Illinois Supreme Court’s 2019 decision in Rosenbach v. Six Flags Entertainment Corp., which concluded that an employee need not have suffered an actual injury to seek liquidated damages under the BIPA.

Three pending federal and state appeals are poised to affect BIPA claims’ continued viability and employers’ potential exposure from them. These cases could grant employers partial or complete immunity from BIPA claims or cause BIPA actions to explode and become exponentially more costly for employers.

The Potential Complete Defense — McDonald v. Symphony Bronzeville Park LLC

On Jan. 27, 2021, the Illinois Supreme Court granted the appeal of Symphony Bronzeville Park, a nursing home that allegedly violated the BIPA by requiring an employee to provide her fingerprint for timekeeping purposes without adhering to BIPA’s consent and disclosure requirements. The appeal will resolve whether the Illinois Workers’ Compensation Act (IWCA) outright pre-empts BIPA claims in the employment context.

The Illinois Appellate Court rejected this contention in the fall of 2020, concluding “that the exclusivity provisions of the [IWCA] do not bar a claim for statutory, liquidated damages, where an employer is alleged to have violated an employee's statutory privacy rights under the [BIPA], as such a claim is simply not compensable under the Compensation Act[.]" The court reasoned that because the IWCA protects workers from actual injuries, and Rosenbach teaches that plaintiffs need not have suffered actual damages to bring a BIPA action, the IWCA cannot pre-empt a BIPA claim for statutory damages.

However, Symphony Bronzeville contends that this holding circumvents the IWCA’s safe harbor for workplace injury claims and that the IWCA pre-empts such actions for work-related injuries. Should the Illinois Supreme Court agree, employers would have a virtual complete defense to BIPA actions, leaving only injunctive relief available to employees.

The Potential Limitations Defense — Tims v. Black Horse Carriers, Inc.

Also pending are two appeals involving statute-of-limitations defenses to BIPA claims. Illinois’ appellate courts are set to settle the longstanding debate regarding whether a one-, two- or five-year statute of limitations applies to BIPA claims. The BIPA does not contain an express statute of limitations. Accordingly, plaintiffs have argued that Illinois’ five-year “catchall” limitation, which generally applies to laws that do not explicitly include a limitations period, controls.

Tims v. Black Horse Carriers is likely to be the first of these two cases to be decided. There, the Appellate Court will decide whether the five-year catchall theory is correct, or if a one-year limitations period is more appropriate. Black Horse Carriers contends that, like other invasion-of-privacy claims, a one-year limitations period applies to BIPA actions. A second case will decide whether Illinois’ two-year limitations period for statutory penalties applies to the BIPA.

A favorable holding in either of these cases would significantly reduce potential BIPA exposure for employers. However, it could also lead to Illinois Supreme Court review of this question.

The Potential Per-Scan Defense — Cothon v. White Castle Systems, Inc.

On Nov. 9, 2020, the Seventh Circuit Court of Appeals granted an interlocutory appeal of a district court’s decision that each scan of an employee’s biometric information is a separate violation of sections 15(b) and (d) of BIPA. Thus, instead of an employee being potentially entitled to a $1,000 or $5,000 liquidated damages award due to an employer’s unlawful use or dissemination of her fingerprints, the employee would be entitled to a $1,000 or $5,000 damage award for each time she scanned her fingerprint in the employer’s timekeeping system.

The Seventh Circuit's decision in this case, Cothon v. White Castle Systems, Inc., will therefore significantly affect the size of potential BIPA classes and the amount of potential recovery. Presently, briefing of this appeal is set to conclude on May 19, 2021.

What Employers Should Do in the Meantime

Given the number of pending appeals and the significant impact these appeals could have on BIPA claims and defenses, many defendants have successfully petitioned courts to stay pending BIPA actions until the cases discussed above are decided. Employers not facing a BIPA lawsuit should continue to ensure they are meeting BIPA requirements.

  • Before they (or their timekeeping vendors) collect, receive or store biometric data in Illinois, employers should:

    • limit what data is collected;

    • inform employees in writing (1) that they are collecting or storing their biometric data, (2) of the purpose of collecting their biometric data, and (3) how long their biometric data will be collected, stored and used for;

    • obtain written releases from employees;

    • maintain a publicly available written policy regarding how employees’ biometric data will be safeguarded and permanently destroyed, and whether it will be destroyed within the shorter of three years or when the original collection purpose is satisfied; and

    • have a plan for handling potential biometric data breaches.

  • After they (or their timekeeping vendors) collect, receive or store biometric data in Illinois, employers should:

    • store, transmit and protect the data from dissemination with the same care and in the same manner they handle other confidential and sensitive information;

    • disclose or disseminate the data only if the employee consents to the disclosure, the employee requests the disclosure to complete a financial transaction, or the disclosure is otherwise required by law;

    • not sell, lease, trade or otherwise profit from the data; and

    • limit the length of time during which they collect the data to the shorter of either three years or until the original collection purpose is satisfied, as outlined in the employer’s publicly available retention and destruction policy.

For assistance monitoring and complying with state and local biometrics privacy laws, please contact the authors, other members of the McGuireWoods labor and employment team, or your McGuireWoods contact.  

Back to top