Following Supreme Court Decision, It's High Time for Illinois Employers to Review Workplace Biometric Privacy Issues

With the Illinois Supreme Court unanimously ruling that employees need not plead or prove a traditional injury or adverse harm in order to prosecute a claim under the Illinois Biometric Information Privacy Act (BIPA) (see, Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Jan. 25, 2019)), the time is now for Illinois employers to review their workplace policies for biometric privacy issues.

One of many reasons that the Court's ruling is significant: BIPA regulates an ever growing use in many workplaces of data that BIPA categorizes and covers as biometric identifiers and biometric information. Specifically, many employees submit their biometric data, whether retina or iris scans, fingerprints, voiceprints, or scans of their hand or face geometry, to access secure locations at their workplaces, or for computational purposes such as clocking in and out during their workday. While the Rosenbach case dealt with a minor who submitted his fingerprint information for access to an amusement park, BIPA specifically references the use of required written releases for satisfying informed consent requirements by way of "a release executed by an employee as a condition of employment." The informed consent and written release procedures mandated by BIPA regulate what employers must do if they collect and retain biometric identifiers and biometric information on their employees.

For employers, Rosenbach is important because it found that employees do not bear the burden of proving they were actually injured or harmed. Instead, BIPA only requires a plaintiff employee to qualify as "aggrieved" in order to prosecute a lawsuit, and show that their BIPA rights were violated. To bolster its reading of BIPA, the Court referred to another law, the Illinois AIDS Confidentiality Act, where the term "aggrieved" is undefined but understood to mean a person whose statutory rights are violated. Moreover, the Illinois Supreme Court adopted the broad interpretation of "aggrieved" discussed by a California federal court to mean that individuals, including employees, possess a privacy right under BIPA in their biometric identifiers and biometric information. (see, Rosenbach, ¶¶33-37, citing Patel v. Facebook Inc., 290 F.Supp.3d 948, 953 (N.D. Cal. 2018)).

While this is a new development in Illinois case law, for Illinois employers, the Rosenbach opinion may also be read as the next step in a series of Illinois laws already enacted in order to enhance privacy protections at the workplace. For example, the Illinois Right to Privacy in the Workplace Act grants an employee the right to file an action in court to enforce an employer to comply with the Act. If an employer is found in contempt by refusing to comply with a court order requiring compliance, that employer can be found liable for actual damages plus costs, and if found in willful and knowing violation, liable for specified liquidated damages and attorney's fees and costs. In such proceedings, no actual injury must be established if an employer is found to have willfully and knowingly violated the Right to Privacy in the Workplace Act. In addition, the Illinois Genetic Information Privacy Act ("Illinois GINA") sets out that Illinois employees who are "aggrieved" due to an employer's violation of the Illinois GINA need not show actual damage or harm to proceed with a claim in court for liquidated damages and attorney's fees unless they decide to prove that their actual damages are greater than what the Illinois GINA laws provide as recoverable liquidated damages. So from this perspective, BIPA is part of an evolving and increasing statutory set of privacy protections granted to Illinois employees.

The sum effect of Rosenbach for Illinois employers is that workplace biometric privacy policies should be reexamined. Failure to do so could subject Illinois employers to class actions if they widely use biometric data–and–might expose such employers to other related statutory actions and common law privacy tort related claims. Every Illinois employer should now prioritize conducting privacy audits and review their employee privacy policies with their employment counsel.