Data privacy litigation is not a new frontier. The Illinois Biometric Information Privacy Act (“BIPA”) has provided a private right of action for the improper collection of biometric information from Illinois citizens without consent since 2008. Even so, employers and businesses alike were caught off-guard when plaintiffs began filing class actions complaints alleging BIPA violations in 2015. Defendants scored early victories in these cases, as evidenced in the Second District Appellate Court opinion finding that actual harm, and not merely a procedural violation, must be alleged to state a claim under the Act. That ruling placed the viability of private suits under BIPA in serious doubt—because actual harm from an improper collection of biometric information is not easily pled. But then in January 2019, the Illinois Supreme Court reversed the defendant-friendly intermediate appellate ruling and held that mere procedural violations of BIPA standing alone were sufficient to withstand a motion to dismiss. That ruling breathed new life into this pattern litigation, as recent docket filings show.
All BIPA defendants, which include many employers as well as businesses who collect biometric information from their customers, must now develop defense strategies to address the claims on the merits. Some of these defense strategies will involve drilling down into the nature of the specific technology any given defendant, employer or otherwise, uses in its biometric activities—such as exactly what is “collected” from the individual, employee or otherwise, and what data about that person is stored by the collecting entity. This is an expensive proposition, especially in a class action context. The Illinois legislature may be cognizant of this reality and may be rethinking the availability of the private right of action which, as it currently stands, has no damages cap and allows for fee-shifting awards.
Illinois SB 2134 is currently awaiting a committee hearing. As proposed, SB 2134 would amend BIPA to remove the private right of action. Where an alleged BIPA violation arises in the employer/employee context, enforcement would be vested with the Department of Labor and employees would have one year after the violation to file a complaint with the Department.
All other BIPA violations would qualify as violations of the Illinois Consumer Fraud and Deceptive Practices Act and would be enforced by the Attorney General of Illinois. SB 2134 includes an amendment to the Consumer Fraud Act reflecting this change.
The most recent activity on this amendment was on March 12, 2019, when it was submitted to committee for further action. It is unclear when the legislature will act on the proposed amendment or if it will be altered from its current form. But if passed as proposed, it will be effective immediately. While not helpful to the many currently pending cases, the amendment would place Illinois in the same posture as other states with similar biometric laws (such as Washington and Texas) where right of enforcement is conferred on specific agencies or the attorney general.
For more information, please email privacycompliance@dykema.com, and a team member – Cindy Motley (Director of Data Privacy and Security practice group) or Rosa Tumialán – will promptly contact you.
To sign up for Dykema’s Privacy and Data Security Blog e-mail updates, please click here.
As part of our service to you, we regularly compile short reports on new and interesting developments and the issues the developments raise. Please recognize that these reports do not constitute legal advice and that we do not attempt to cover all such developments. Rules of certain state supreme courts may consider this advertising and require us to advise you of such designation. Your comments are always welcome. ©2019 Dykema Gossett PLLC.