Since Illinois passed the Biometric Information Privacy Act (BIPA) in 2008, it has given rise to protections for employees who felt that their employer’s biometric intrusions violated their privacy. In 2019, however, the biometric litigation floodgates were opened by the Illinois Supreme Court’s decision in Rosenbach v. Six Flags Entertainment Corp., 2019 Ill. Lexis 7 (Ill. Jan. 25, 2019). Although this is an Illinois law, Michigan is currently considering similar legislation.
Biometrics is the measurement and statistical analysis of an individual’s physical and behavioral characteristics. The technology associated with biometrics has many uses but is frequently used to verify personal identity. Examples of physiological characteristics include DNA, fingerprints, face, hand, retina or ear features, and odor. Examples of behavioral characteristics include gestures, voice, typing rhythm, and gait.
Employers use biometrics in different ways, for example, for timekeeping and security access. Employers also use biometrics in wellness programs. Under Illinois law, the biometrics obtained must be stored with an expectation of confidentiality and privacy.
The BIPA has the following requirements:
• Requires informed consent prior to collection
• Permits a limited right to disclosure
• Mandates protection obligations and retention guidelines
• Prohibits profiting from biometric data
• Creates a private right of action for individuals harmed by BIPA violations
Statutory damages can reach $1,000 for each negligent violation and $5,000 for each intentional or reckless violation. Biometrics may be retained only for as long as needed. So, if an employee terminates, the information should be deleted as soon as practical.
So, what was the problem in Rosenbach? Rosenbach’s son, Alexander, visited the Six Flags Great America amusement park in Gurnee, Illinois on a school field trip when he was 14 years old. In advance of the trip, Rosenbach purchased a season pass for her son online, but the process could not be completed until Alexander appeared in person at the amusement park. When he did appear, Alexander was asked to scan his thumb into Six Flags’ biometric data capture system, and after he did so, he was provided a season pass card. Rosenbach won a class action lawsuit for her son and all those similarly situated.
Rosenbach claimed she did not know of the fingerprinting requirement and that her son was never informed about the purpose and term for which the fingerprints were collected. Rosenbach also alleged they never signed any written release regarding the son’s fingerprints, and neither of them consented in writing “to the collection, storage, use[,] sale, lease, dissemination, disclosure, redisclosure, or trade of, or for [Six Flags] to otherwise profit from, Alexander’s thumbprint or associated biometric identifiers or information.”
Six Flags tried to have the complaint dismissed on the ground that Rosenbach was not aggrieved under the law. The trial court denied the dismissal. Six Flags then appealed, and the Appellate Court stated that the complaint should be dismissed because a technical violation does not give rise to being “aggrieved” under the law. The case was appealed again to the Illinois Supreme Court, which overturned the appellate court and stated that Rosenbach was “aggrieved” under the law, ironically citing 100-year-old case law. In other words, Six Flags was subject to the class action for a technical violation.
Currently, Texas, Washington, Arkansas, and California have laws either signed or to be signed. Michigan’s biometric privacy law, House Bill No. 5019, is still in committee after being introduced in September 2017. The text of the bill is nearly identical to the BIPA and includes a private right of action. If the law eventually passes, and Michigan courts interpret the law as broadly as Illinois, Michigan employers could be swamped with lawsuits. Therefore, HR should think proactively and work with legal counsel to develop a biometric compliance policy that incorporates a retention schedule, consent, contractors and vendors, storage, and security, and should have counsel review any contracts with vendors providing biometric services.
Source: Seyfarth Shaw 7/11/19, Jackson Lewis, Paul Hastings 2/6/19