Shook Partner Anna Knight and Associate Patrick Castle have authored an article for Workforce detailing an uptick in putative class actions challenging companies' compliance with Illinois privacy laws. "Finger and facial recognition have become so commonplace that you might not think twice before asking your employees to authenticate their time using similar technologies, especially because traditional punchcard systems can be inefficient and vulnerable to fraud or abuse," Knight and Castle write. "But a recent spike in litigation illustrates the legal risks to introducing biometric authentication devices and practices to your business. More than 50 companies are now defending class-action lawsuits under the Illinois Biometric Information Privacy Act, or BIPA, which provides rules for the disclosure, retention and protection of biometric data, and permits any person aggrieved by a violation to recover $1,000 for each negligent violation and $5,000 for each intentional violation."
Knight and Castle advise on how to comply with BIPA, including providing necessary written disclosures and abiding by restrictions on the use of the data. They also describe a December 2017 decision from the Illinois Appellate Court determining that a plaintiff "must allege some actual harm" to sue under BIPA rather than a mere technical violation that caused no injury.
"The recent spate of BIPA lawsuits represents a coordinated effort by the plaintiff’s bar to catch corporate legal departments off guard," the authors conclude. "Nevertheless, it is less likely an anomaly than a sign of things to come as biometric technologies continue to pervade our personal and business lives. Companies would do well to assess their technological and legal options and vulnerabilities now and to maintain vigilance over this emerging field in the future."