United States: District Court Finds Biometrics Data Vendor May Be Liable For Illinois BIPA Violations

Highlights

• The U.S. District Court for the Northern District of Illinois held that a vendor of biometric time clocks could be liable for violations of Illinois' Biometric Information Privacy Act (BIPA) in an employment context.
• BIPA provides, in part, that consent must be obtained from persons providing biometric information. Liability extends to persons who "collect" this information.
• The court determined that the plaintiffs had sufficiently alleged the "collection" function extended to the biometrics time clock vendor, and therefore the vendor was, along with the employer, responsible for obtaining employee consent for fingerprinting.

The U.S. District Court for the Northern District of Illinois held that Kronos Inc., a vendor of biometric time clocks that allow employees to sign in and out using a fingerprint or handprint, could be liable for violations of the Illinois' Biometric Information Privacy Act (BIPA) in an employment context.

BIPA provides, in part, that consent must be obtained from persons providing biometric information. Liability extends to persons who "collect" this information.

Hundreds of class actions have been filed on behalf of Illinois employees alleging that employers failed to obtain consent prior to permitting their employees' fingerprints to be scanned for time-keeping purposes. In some instances, third-party vendors of biometric time clocks also have been named as defendants. The vendors have argued that they are not in a position to obtain consent from employees and hence should not be considered responsible for "collection" of this information. A number of Illinois state courts, and at least one district judge sitting in the Northern District of Illinois, have accepted this argument and granted motions to dismiss filed by the vendors in an employment context.

However, in Figueroa et al. v. Kronos, Incorporated, No. 19 C 1306, District Court Judge Gary Feinerman held that the plaintiffs had sufficiently alleged that the "collection" function extended to Kronos and, therefore, Kronos was, along with the employer, responsible for obtaining employee consent.

The decision is significant in two respects. First, it provides class counsel with a new target defendant in BIPA consent cases. Second, it potentially widens the opening for third-party contribution claims brought by employers against the vendors of the biometric time clocks for failure to obtain the required consents. The second point also benefits employment practices liability (EPL) insurers in that those insurers can seek contribution from the time clock vendors for any judgment assessed against their insured employers. One employer has previously sought contribution but had its third-party complaint dismissed. Contribution claims also have been brought by the authors against two vendors with the outcome still pending.

Originally published by Holland & Knight, April 2020

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.