In a first-of-its-kind biometric privacy trial, a class of 45,000 truck drivers won a $228 million judgment against their employer in October 2022 for violating Illinois’s Biometric Information Privacy Act (BIPA). The jury in Rogers v. BNSF Railway found that BNSF Railway had infringed its employees’ privacy rights by collecting their fingerprints without consent, despite the company claiming that its fingerprint scanners were solely intended for security purposes.

In recent years, companies have increasingly collected biometric information — which includes unique physical identifiers like fingerprints, facial screenings, and eye scans — for its purported productivity and corporate-security benefits. However, left unregulated, biometric data collection exposes individuals to risks including identity theft and employer monitoring. As a result, the truck drivers’ case is just one of a rising number of lawsuits alleging employer BIPA violations, with 74 published BIPA-related court rulings in 2021.

Unfortunately, Illinois’s BIPA stands alone in the U.S. as the chief statute protecting individuals from corporate misuse of their biometrics. Only Washington and Texas have passed similar legislation, though BIPA is the only one to supply a private right of action. As a recent white paper observed, the U.S. at all levels of government sorely lacks biometric data regulations, posing serious privacy and personal security risks to individuals, particularly given the inherently unique nature of biometric information.

BIPA Overview

In 2008, Illinois became the first state to regulate biometric information collection. Noting that the “use of biometrics is growing in the business and security screening sectors” and that “[b]iometrics are unlike other unique identifiers,” BIPA establishes several consent, disclosure, and disposal requirements for private entities using biometric data. The law also provides a private right of action to “any person aggrieved,” with statutory damages of $5,000 per intentional violation and $1,000 per negligent violation.

BIPA flew under the radar until 2015, when five class actions against Facebook and Shutterfly claimed unlawful collection of consumers’ facial scans to sell to third-parties. These cases paved the way for dozens more class actions that expanded into the employment context, with workers alleging employer BIPA violations stemming from unlawful time management and security systems collecting employees’ eye scans and fingerprints. By 2017, over 30 BIPA-related employment class actions were filed in Illinois state court, signaling BIPA’s rise as a practical tool to safeguard employee biometric data.

Employers have generally justified biometrics technology by highlighting their potential efficiency and security benefits, particularly in today’s work-from-anywhere environment. As one CEO explained, biometric technology “gives access [only] to authorized users, is difficult to steal and spoof, and does not allow scalable attacks.” Additionally, biometric data technology is easy to administer: furnishing a fingerprint scan to access a building is simpler and faster than typing an oft-forgotten password, for example. Thus, employers are increasingly instituting devices that collect employee data, with one survey finding that 62% of employers use biometric authentication technology.

Despite its potential productivity and security benefits for the workplace, unregulated biometric data collection runs several risks to the worker. First, corporate databases are not immune to breaches. Compromised biometric data is especially catastrophic because employees cannot change their biometric information (unlike social security numbers, for example, which can be changed if stolen). Furthermore, insecurely stored biometric data can expose workers to nefarious surveillance and behavior tracking. And finally, biometric information, if misinterpreted or deliberately abused, has yielded discriminatory results when used to assess employee qualifications and performance.

BIPA attempts to mitigate these concerns. In Illinois, companies must (a) obtain written consent, (b) explain the process of storing and destroying the biometric information, and (c) protect the data as safely as the company “protects other confidential and sensitive information.” Though not bulletproof, BIPA sets clear expectations for corporations and offers employees an avenue to act upon employer transgressions.

BIPA Case Law

Illinois courts have interpreted BIPA expansively to augment its impact on corporate behavior. In the landmark case Rosenbach v. Six Flags, the Illinois Supreme Court held that actual harm is not a requirement to establish standing under BIPA, substantially magnifying companies’ liability exposure. A Six Flags amusement park utilized fingerprint scanners to “make[] entry into the park faster and more seamless…” but failed to obtain consent from visitors to collect and store their biometric information. Though plaintiffs did not allege actual injury, the court reiterated the Illinois General Assembly’s concern with unregulated biometrics collection: “Biometrics…are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.” Thus, any individual whose data was improperly collected may bring a BIPA suit, even if no specific injury resulted from the violation.

Employers had hoped to defend against employees’ BIPA lawsuits by arguing that the Illinois Workers’ Compensation Act (IWCA) preempted such claims and instead mandated workers to use the IWCA’s exclusive remedy provision. But the Illinois Supreme Court rejected the employers’ argument in McDonald v. Symphony Bronzeville Park, a case in which workers sued their employer for violating their privacy rights by non-consensually collecting fingerprint data for authentication and time tracking purposes. The court again focused on the General Assembly’s prophylactic motivations in implementing BIPA — “to ensure that the individuals’ privacy rights in their biometric identifiers…are properly protected before they can be compromised” — and ruled that privacy violations do not qualify as a IWCA work injuries, thereby permitting the BIPA litigation to continue.

BIPA’s robust protections within Illinois do not, however, extend to other states. In October 2022, the Western District of Washington granted summary judgment in favor of defendants Amazon and Microsoft, stating that BIPA does not apply extraterritorially. Defendants, whose conduct occurred primarily in Washington and New York, failed to satisfy BIPA’s requirements when they obtained facial scans without consent as part of a facial recognition research program. The Vance v. Amazon.com court held that, under Illinois law, statutes must contain an explicit extraterritoriality provision to apply to other states. BIPA lacks such a provision, rendering Microsoft and Amazon’s alleged missteps beyond BIPA’s purview.

Expanding BIPA

BIPA’s geographic limitations further underscore the importance of addressing the U.S.’s dearth of biometrics legislation. Fortunately, mounting BIPA litigation has inspired other states to start acting, with Maryland and New York currently evaluating proposals to institute their own BIPA equivalents.

At the federal level, Senator Jeff Merkley (D-OR) introduced the National Biometric Information Privacy Act of 2020 (NBIPA), building off of BIPA’s framework. NBIPA, which remains under review in the Senate, would impose disclosure, collection, and disposal requirements and enact a private right of action. Though some worry that a nationally available private right of action would overwhelm courts, a cohesive biometrics regulatory regime promises workers a bevy of vital protections. Namely, NBIPA would help secure employees’ invaluable, unique data and enable them to hold their employers accountable — rights that today only exist in Illinois. As other jurisdictions seek to regulate biometric data handling, Illinois’s model ought to serve as a guiding light.