The Illinois Biometric Information Privacy Act ("BIPA") continues to have employers wringing their hands over liability for the improper collection and/or publication of the biometric markers of their workforces. BIPA imposes certain requirements on employers, such as obtaining a signed consent form, as well as requirements about data safeguarding and destruction, on companies that collect biometric data such as fingerprints, handprints, and eye scans. BIPA litigation has exploded in the last several years, as opportunistic class action lawyers have sued many companies for failure to obtain proper consent forms from their employees prior to data collection. BIPA contains a damages provision providing for $1,000 in liquidated damages for every non-intentional "violation" of the statute.
Defense lawyers have successfully argued in most cases that each "violation" means that every employee is only entitled to $1,000 in damages. But, the Illinois Appellate Court recently issued an opinion in the case of Tims v. Black Horse Carriers, Inc. that casts doubt on the "per employee" damages scheme under BIPA. Tims is at first glance a case about the appropriate statute of limitations that applies to BIPA claims. However, buried in the opinion, the Court states, "a plaintiff who alleges and eventually proves violation of multiple duties could collect multiple recoveries of liquidated damages." This sentence could prove the most consequential of the case and could be catastrophic for employers.
For example, another case currently on appeal in the Illinois federal courts argues that each time an employee swipes in and out of the facility is a "violation." Think of a company with 100 hourly employees who swipe four times per day (in during the morning, out for lunch, in from lunch, and out at the end of the day). 4 violations per day, 365 days in a year, 100 employees, $1,000 per swipe: 4 x 365 x 100 x 1,000 = $146,000,000 in damages for one year of violating BIPA. Of course, this theory of stacking damages has not been explicitly endorsed by any appellate court yet. But, the prospect alone should encourage all companies to ensure they comply with BIPA's written consent and other requirements.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.