It was a normal day at the Six Flags amusement park in Gurnee, IL. After buying a season pass, a teenage boy went to the park's security checkpoint, and Six Flags scanned his thumb so that he could use his thumbprint to gain access to the park over the course of the season.
Now, the boy's mother is suing Six Flags under Illinois' Biometric Information Privacy Act (BIPA), claiming that Six Flags captured her son's biometric data without written consent. The Illinois Supreme Court heard oral arguments on this case in November, and a decision is expected early next year.
The results of this case could have implications far beyond amusement parks, as employers increasingly collect and use "biometric data" from their employees or use it for security purposes. Although definitions vary, biometric data consists of a person's unique physical features or other biometric measurements, such as a person's fingerprint or facial structure. Examples of biometric data scanners include the iPhone X's Face ID feature, as well as Touch ID on older models.
In the workplace, many employers use tech-savvy time clock software that scans employee fingerprints to clock in and out of work. Other employers may use high-tech retinal scans for security purposes or facial recognition software to verify employee cafeteria purchases or to know who is coming in and out of the workplace.
These types of biometric scanners have come under attack in Illinois. Experts estimate that 88 percent of BIPA lawsuits are filed against employers - and most involve biometric devices to keep track of work hours. Damages could add up quickly - statutory penalties for violating the law range from $1,000 to $5,000 per violation. In other words, employees could seek $1,000 or $5,000 for each time they clocked in or out of work.
- Just last month, a hotel agreed to pay $500,000 to resolve an Illinois class action regarding a timekeeping system that used employees' fingerprints.
- In December 2016, a tanning salon settled another BIPA class action involving customer fingerprints for $1.5 million.
- Many more employment class actions have been filed alleging BIPA violations through timeclock software, including lawsuits against United Airlines, the Kroger subsidiary Roundy's (which operates Mariano's grocery stores), and Speedway (the gas station and convenience store chain).
- An Illinois court recently certified a class of employees to proceed against the fast food chain Wendy's.
- In the last several months, more than 100 class actions have been filed in Illinois alleging BIPA violations. These costly class actions show no sign of slowing down.
Beyond Illinois, California, Texas, and Washington have passed their own biometric privacy laws that could have implications for employers. Several other states, including New York, may have laws in the works. Employers in all states should exercise caution when using biometric information and ensure that their use of this sensitive data is consistent with the law.