On April 24, 2024, Chicago Associate Richard Daniels and Partner Hayes Ryan obtained a complete dismissal of a class action lawsuit brought under the contentious Illinois Biometric Information Privacy Act (“BIPA”) in the Circuit Court of Cook County, Illinois. The plaintiff alleged that GRSM’s client, a transportation company, violated BIPA by requiring its employees to submit to fingerprinting for background checks, as required by state law. The plaintiff’s allegations raised novel issues of agency and other theories that, if accepted by the court, would have vastly expanded BIPA’s reach.
Daniels and Ryan filed a motion to dismiss on behalf of the client, arguing that the plaintiff cannot sufficiently allege violations of BIPA because the company never possessed biometric data, and an agency relationship did not exist. After the initial round of briefing, the court dismissed with prejudice all but one of the plaintiff’s allegations and allowed the plaintiff an additional chance to plead an agency relationship between the transportation company and the fingerprinting vendor. After the plaintiff amended his complaint, Daniels and Ryan filed another motion to dismiss. The court agreed with GRSM’s arguments that the plaintiff failed to establish an agency relationship and that the transportation company did not “otherwise obtain” biometric information. The court, therefore, dismissed the lawsuit in its entirety, with prejudice.
BIPA requires private entities doing business in Illinois to obtain written consent before collecting or possessing an individual’s biometric data. Before obtaining the data, private entities must also publish guidelines for the retention and destruction of such data.
Over the past five years, BIPA has been extensively litigated in Illinois, leading to billions of dollars in settlement funds distributed among millions of Illinois workers and residents, regardless of whether they have suffered actual injury. The Illinois legislature is currently working on amending the law to limit recovery to $1,000 (for negligent violations) or $5,000 (intentional or reckless violations) per person, as opposed to per collection/capture.
However, Illinois businesses believe this amendment does not go far enough, as it fails to clarify what “biometric information” actually is. The future of BIPA litigation is unclear. Given BIPA’s harsh penalties, any company doing business in Illinois should steer clear of biometric systems; if a company decides to utilize biometric processes or systems, it should strictly comply with BIPA and conduct periodic reviews of its hiring and data retention policies and practices.
If you have any questions about the Illinois Biometric Information Privacy Act, please reach out to a member of the GRSM Chicago office.