This week, an Illinois House Judiciary Committee advanced House Bill 559, which would require potential plaintiffs to give employers a 30-day opportunity to cure alleged violations of the Biometric Information Privacy Act (BIPA) prior to filing a lawsuit. BIPA, passed in 2008, regulates the collection and use of biometric information. As it currently stands, no actual injury is required to bring a BIPA lawsuit, which means plaintiffs can collect $1,000-$5,000 in liquidated damages per violation if the defendant fails to comply with BIPA's technical provisions, which, at a high level, require entities that collect biometric information to have a policy regarding its collection and destruction and to obtain informed, written consent from the individuals whose information is being collected.
According to House Minority Leader Jim Durkin, who introduced the Bill, this framework has led to a “cottage industry for a select group of lawyers to file class action lawsuits.” While Facebook's $650 million BIPA verdict has grabbed headlines, proponents argue that BIPA litigation has also hit small business and non-profits such as the Salvation Army, and that damages awards can be “enough to put any small business into insolvency.” A common target of BIPA lawsuits are companies that use timeclocks that employ fingerprint or hand geometry technology to monitor employees' time at work.
The Bill's central revision would force a would-be plaintiff to send the allegedly violating party notice of its alleged BIPA violation. The would-be defendant would then have 30 days to cure the error. If the employer fails to cure the deficiency within that time frame, then, and only then, could a lawsuit be filed. According to Durkin, this change strikes “an appropriate balance between the rights of privacy and the employees.”
Opponents of the bill argue that it will “prioritize corporate profits over personal privacy” and that it would “present a massive step back for Illinois” as neighboring states are “modeling legislation around BIPA.” The California Consumer Privacy Act (CCPA), a similar (though broader) law that passed in 2020, however, includes a 30-day notice-and-cure opportunity like the one proposed here: “If within the 30 days the business actually cures the noticed violation…no action for individual statutory damages or class-wide statutory damages may be initiated against the business.” Cal Civ. Code § 1798.150(b). Since the CCPA became effective, the amount of CCPA litigation has paled in comparison to the amount of BIPA litigation over the same period, possibly due to the presence of the notice-and-cure provision. Because it should be relatively easy for most defendants to come into compliance with BIPA (e.g., the violation would likely be cured by having the employee sign a consent form), the amount of BIPA litigation could decrease dramatically if this Bill became law.
Originally Published by Winston & Strawn, March 2021
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
