Biometric privacy suits brought under the Illinois Biometric Information Privacy Act (“BIPA”) continue to remain one of the hottest areas of class action litigation today, which can be attributed primarily to the fact that high statutory damages awards can be recovered by large classes of employees, consumers, and similar groups of individuals for mere technical violations of the law. To further compliance matters, many BIPA decisions issued to date have skewed heavily in favor of plaintiffs, which has resulted in a significant expansion of potential litigation risk under the statute.
In Mora v. J&M Plating, Inc., No. 2-21-0692, 2022 IL App (2d) 210692 (Ill. App. Ct. 2d Dist. Nov. 30, 2022), the Illinois Second District Court of Appeals continued the trend of plaintiff-favorable BIPA decisions in 2022, holding that private entities run afoul of BIPA’s Section 15(a) data retention and destruction disclosure requirements where they fail to have in place a BIPA-compliant data retention/destruction disclosure at the time biometric data is initially possessed, and that subsequent disclosures cannot serve retroactively to remedy prior violations of this component of the law. Importantly, Mora underscores the need for companies to ensure they have satisfied all of the applicable requirements of BIPA prior to the time any biometric data is collected or possessed in order to mitigate the sizeable legal risks associated with legal non-compliance.
Factual and Procedural Background
The plaintiff, a former employee of J&M Plating, Inc., began clocking in and out of his job using a fingerprint time and attendance system in September 2014. In May 2018, J&M first established its written biometric data retention and destruction schedule, required under BIPA Section 15(a). At around the same time, the plaintiff signed and acknowledged his employer’s biometric data policy and consented to the collection and use of his biometric data. The plaintiff was terminated in January 2021, and, pursuant to J&M’s retention and destruction schedule, his biometric data was permanently destroyed two weeks later.
Just a month after his termination, the plaintiff filed suit against his former employer, alleging violations of BIPA Sections 15(a) and (b). After the trial court dismissed the plaintiff’s Section 15(b) claim at the pleadings stage as being time-barred, J&M moved for summary judgment on the remaining Section 15(a) cause of action, arguing that a cognizable Section 15(a) claim could not be established against it because its former employee’s biometric data was destroyed two weeks after his last day of work. The company further argued that Section 15(a) does not contain any timing language relating to the establishment of a data retention and destruction schedule; therefore, it was of no import that the company’s policy was not implemented prior to the time the plaintiff’s biometric data was first obtained.
The trial court agreed and awarded summary judgment on the Section 15(a) claim. In so doing, the court reasoned that BIPA’s statutory text contains no timing language and “is written as if the private entity is already in possession of” biometric data. Thus, because the company maintained a data retention destruction schedule at the time the plaintiff’s biometric data was no longer needed, obtained the plaintiff’s consent, and subsequently destroyed that individual’s biometric data shortly after his employment was terminated, the plaintiff could not maintain an actionable Section 15(a) claim, entitling the company to judgment as a matter of law. The plaintiff appealed.
Appellate Court Decision
On appeal, the court reversed the award of summary judgment in favor of J&M. The court reasoned that BIPA Section 15(a) requires a private entity, such as J&M, to develop a retention destruction schedule upon possession of biometric data. Applied to the dispute at hand, J&M’s establishment of its retention and destruction schedule four years after it first possessed the plaintiff’s biometric data violated Section 15(a).
In its decision, the court explained that Section 15(a) specifies a private entity “in possession of” biometric data must: (1) develop a written policy; (2) publish it; and (3) comply with it. The written policy must contain: (1) “a retention schedule”; and (2) “guidelines for permanently destroying biometric data” “when the initial purpose for collecting or obtaining such” data “has been satisfied or within three years of the individual’s last interaction with the private entity, whichever occurs first.” Pursuant to the text of the statute, the court continued, the explicit trigger for the development of the written policy (i.e., the retention and destruction schedule) is the private entity’s possession of biometric data.
According to the court, this conclusion found support in BIPA’s statutory scheme, which imposes upon private entities an obligation to establish BIPA-compliant procedures to protect employees’ and customers’ biometric data. Similarly, this conclusion was also consistent with BIPA’s preventative and deterrent purposes discussed at length in the Illinois Supreme Court’s seminal BIPA decision in Rosenbach v. Six Flags Ent. Corp., 2019 IL 123186, ¶ 37.
Moreover, the court continued, a reading of Section 15(a) to require the development of a written retention and destruction schedule at or before the time of possession of biometric data is consistent with Section 15(b)’s requirement that, prior to the time a private entity collects or obtains biometric data, it must first inform the subject of the “length of term for which [biometric data] is being collected, stored, and used.” In the court’s opinion, this was especially so because no rational reason existed as to why the Illinois legislature would have intended for the development of a retention schedule and guidelines for permanently destroying biometric data at a different time from that specified in the notice requirement in Section 15(b), especially where Section 15(b) itself requires private entities to provide notice regarding the length of time for which the data will be stored (i.e., retained).
Ultimately, because J&M began collecting the plaintiff’s biometric data in September 2014—which triggered its obligation under Section 15(a) to develop a retention and destruction schedule—but failed to put a schedule in place until nearly four years later, it violated Section 15(a). As such, the Second District Court of Appeals reversed the award of summary judgment and remanded the action back to state court for further proceedings consistent with the decision.
Analysis & Takeaways
As indicated above, 2022 has been marked by a string of heavily plaintiff-friendly decisions in BIPA class action litigation. The Mora opinion continues that trend. At the same time, the legal risks and liability exposure associated with BIPA non-compliance has expanded significantly this year as well. In addition to a number of eight figure-settlements (as well as one in the nine-figure range), the first BIPA jury trial (which took place in mid-2022) resulted in a resounding win for the plaintiff—which will only make the plaintiff’s attorneys more aggressive in their litigation tactics and further evaluate their already-inflated settlement demands in BIPA disputes.
In addition, the Mora opinion is notable because it provides further support for the conclusion that compliance with the statutory requirements of BIPA does not suffice to cure prior violations of the law. This is consistent with other decisions analyzing this issue, which have suggested that attempting to obtain retroactive consent from the subjects of biometric data is not sufficient to remedy violations of the Section 15(b) component of BIPA. Importantly, then, companies should devote the necessary time and effort to ensure that they are in strict compliance with BIPA before the time any biometric data is collected or otherwise used in commercial operations.
The Mora decision also re-emphasizes the fact that no type of actual injury or harm need be sustained in order for plaintiffs to pursue class litigation for mere technical violations of BIPA. In this respect, the appellate court in Mora highlighted what it characterized as the “error” of the trial court in finding that—because the plaintiff sustained “no harm”—there could be no cognizable violation of BIPA, as this ran contrary to the Illinois Supreme Court’s interpretation of the statute. Specifically, the appellate court noted that in Rosenbach, Illinois’s highest court held that “a person need not have sustained actual damage beyond violation of his or her rights under [BIPA] in order to bring an action under it”; that is, “[t]he violation, in itself, is sufficient to support the individual’s or customer’s statutory cause of action.” Rosenbach, 2019 IL 123186, ¶¶ 28, 33.
Lastly, companies should be aware that liability exposure may proliferate once again depending on how the Illinois Supreme Court decides the issue of claim accrual in the currently-pending Cothron v. White Castle Sys. BIPA appeal. The operative question at issue in Cothron is whether alleged BIPA violations accrue only the first time Section 15 is violated (for example, the first time an employee scans his or her fingerprint) or, alternatively, whether each subsequent, separate violation constitutes a distinct and separately actionable violation (i.e., each subsequent fingerprint scan). Put another way, does a claim accrue only on the date of the first biometric scan, or does a claim accrue separately for each scan? If the Illinois Supreme Court rejects a “one and done” theory of accrual and instead applies the continuing violation theory to BIPA claims, the overall scope of potential damages—which is already extremely broad at this time—will further expand exponentially.
What to Do Now
Taken together, all companies that intend to use biometric data in their operations should consult with experienced biometric privacy counsel before any biometrics systems are rolled out to ensure all applicable BIPA compliance boxes are checked prior to the collection or use of biometric data. At the same time, companies that currently use biometrics should also work closely with experienced biometric privacy counsel to review and thoroughly audit their current compliance practices to identify and remediate any gaps in advance of the Cothron decision and any resulting expansion in liability exposure.