Another BIPA Violation Alleged in Illinois


As a follow-up to our blog post discussing the status of the Southwest litigation currently underway in the Seventh Circuit, another complaint alleging a violation of the Biometric Information Privacy Act (“BIPA”) was filed by a hotel employee in Cook County, Illinois. Donal Lydon v. Fillmore Hospitality, et al., Case No. 2019-CH-05679 (Circuit Court of Cook County, Illinois). Like the allegations against Southwest Airlines, the plaintiff in Lydon, alleges Fillmore Hospitality LLC, which manages hotels in several states, including Illinois, violated BIPA by collecting and then sharing its employees’ fingerprints for timekeeping purposes. The plaintiff filed his action as a class action, seeking to represent any individual in Illinois who has scanned their fingerprints for Fillmore’s biometric time clock.

Biometric technology, such as fingerprint scans and facial recognition, is becoming more common as a way for users to access bank accounts or post on social media sites. Similarly, it is also being used in many industries to replace timecards for employees who clock in and out at their workplace. In response to the increased use of biometric information, the Illinois legislature passed BIPA in 2008. The Act recognizes that, unlike other identifiers that can easily be changed when compromised, biometrics are “unique to that individual; therefore, once compromised, the individual has no recourse.” 740 ILCS 14/5(c). In light of this concern, the statute seeks to regulate how biometric information is collected, stored, and used. Id.

In January 2019, the Illinois Supreme Court held that an individual alleging a BIPA violation does not need to prove actual harm to recover; rather, a technical violation of the Act alone is enough to constitute standing. Stacy Rosenbach v. Six Flags Entertainment Corporation, Case No. 2019 IL 123196 (Ill. 2019). When coming to its decision, the court found persuasive the General Assembly’s intent when creating the Act, recognizing “the difficulty in providing meaningful recourse once a person’s biometric identifiers or information has been compromised.” Id. at ¶ 35. Essentially, once a BIPA violation occurs, an individual’s injury is already “real and significant” because “the right of the individual to maintain [his or] her biometric privacy vanishes into thin air.” Id. at ¶ 34.

An increased number of lawsuits have been filed since the Rosenbach court decided plaintiffs can recover for technical violations alone under BIPA. In his suit, Lydon alleges Fillmore never provided its employees with the legally necessary disclosures to obtain written consent in order to collect and share biometric information, as required by BIPA. In fact, the suit alleges that “[t]o this day, plaintiff is unaware of the status of his biometrics obtained by defendant . . . Defendants have not informed plaintiff whether they still retain his biometrics, and if they do, for how long they intend to retain such information without his consent.” Lydon, 2019-CH-05679. Lydon’s suit seeks damages and injunctive relief requiring Fillmore to distribute the BIPA-mandated informational material.

The scope of BIPA and how far it will be used to protect individuals’ biometric information in Illinois has not yet been clearly established. To ensure companies are not caught up in a lawsuit of their own, they must be cognizant of the current law, the courts’ interpretations of the law, and provide their employees with written policies satisfying the BIPA requirements.

Photo: undefined

Get Updates By Email

Blog Contributors