No Party for Supply Chain Companies: The Illinois Biometric Information Privacy Act

No Party for Supply Chain Companies: The Illinois Biometric Information Privacy Act

Supply chain companies should review their collection of biometric identifiers or information in their warehouse operations. Here’s what to learn from the case against Party City:

In 2008, the State of Illinois passed the Biometric Information Privacy Act, 740 ILCS 14/1 et seq. (“BIPA”). In the first nine years, only 15 class actions were filed. Since that time, hundreds of putative class actions have been filed, mostly against employers.

Recently, supply chain company, Party City, was sued by a former employee, Marisol Marquez. This article provides some background on BIPA and how supply chain companies can avoid similar litigation.

BIPA

BIPA regulates the “collection, use, safeguarding, handling, storage, retention and destruction of biometric identifiers and information.” The BIPA definition of biometric identifier includes “a retina or iris scan, fingerprint, voiceprint or scan of hand or face geometry.”

Illinois is the only state with a private right of action under its biometric information act. The act provides for the awarding of statutory damages in amounts of the greater of $1,000 or actual damages for each negligent violation and $5,000 or actual damages for intentional violations, plus reasonable attorney fees, litigation expenses and costs. The Illinois Supreme Court found in 2019, in Rosenbach v. Six Flags Entm’t Corp., that “a person need not have sustained actual damage beyond violation of her rights under the Act.”

BIPA requires a private entity in possession of biometric identifiers to develop a publicly available written policy, establishing a retention and destruction schedule. A private entity must inform each person from whom it collects biometric information that the information is being collected or stored, the specific purpose and length of term for which the information is being collected, stored, and used, and obtain a written release executed by the individual.

The Marquez Lawsuit

Marquez was employed at Party City’s Illinois distribution warehouse from August 26, 2018, to June 20, 2019. According to the complaint, Party City uses voice recognition technology to manage its warehouse operations. Employees must provide voiceprints, which are stored and used to identify workers during their shifts. The lawsuit alleges that Party City collected these voiceprints in violation of the requirements of BIPA.

Marquez filed a putative class action against Party City alleging that Party City failed to inform employees in writing about the collection and storage of their biometric data, failed to disclose the specific purpose and duration for which this data would be used, and did not obtain written releases from employees authorizing these actions.

Recent Developments in Illinois

In two cases in 2023, the Illinois Supreme Court opened the door to ruinous exposure for employers. The first, Cothron v. White Castle, held that “a separate claim accrues under the Act each time a private entity scans or transmits…” The second major case was Tims v. Black Horse Carriers, holding a five-year statute of limitations governs claims under BIPA.

White Castle if held to those standards would have faced potential liability of $17 billion. In May 2024, the Illinois Legislature amended BIPA to clarify that any person whose biometric identifier or biometric information is scanned may only recover damages for one, single violation. The bill is on the governor’s desk for signature. The next battle will be whether this amendment applies retrospectively.

How to Avoid Lawsuits

Supply chain companies should review their collection of biometric identifiers or information. If collecting, make sure you have provided the required notice, specific purposes and retention period, and have your employees’ waiver on file.

Make sure your contracts with third parties includes indemnification if they are using biometric information for their workers. Third, review any vendors you are using to collect biometric information to understand if the collection and analysis is localized, as some claims can be mitigated. Finally, stay informed about the amendment to BIPA and whether the Illinois Supreme Court finds that amendment is retroactive.

Conclusion

Every supply chain company doing business in Illinois with Illinois employees must review its biometric information practices and take steps to ensure compliance with BIPA so that their employees do not become parties against them.