Illinois Trial Court Grants Class-Wide Summary Judgment In BIPA Privacy Lawsuit

By Gerald L. Maatman, Jr., Alex W. Karasik, and Christian J. Palacios

Duane Morris Takeaways:  In Thompson, et al., v. Matcor Metal Fabrication (Illinois), Inc., Case No. 2020-CH-00132 (Ill. Cir. Ct. 10th Dist. Dec. 8, 2023), a class of metal fabricators prevailed on a motion for summary judgment against their employer in what is believed to be the first summary judgment ruling for a certified class under the Illinois Biometric Information Privacy Act (BIPA). An Illinois state court, determining there was no dispute of material fact, entered the pre-trial liability judgment against the defendant employer for collecting employee biometric data through its timekeeping system in violation of BIPA.

This decision highlights the danger that companies face under state privacy “strict liability” statutes, and should serve as a warning for employers that lack robust policies governing the way they collect biometric data from their employees.

Background

In September of 2019, Matcor Fabrication rolled out a new timekeeping policy whereby it collected its employees’ fingerprints using “biometric scanners” for the purposes of determining when employees clocked in and out of work. Id. at 3. The scanners that collected this information were connected to Matcor’s timekeeping vendor – ADP – and the company sent finger-scan data to ADP every time an employee scanned their fingertips. The named Plaintiff and class representative William Thompson subsequently brought the lawsuit in May of 2020, alleging the company’s timekeeping policy violated the Illinois BIPA. Nearly one year after the lawsuit had commenced, Matcor implemented BIPA-compliant policies, which included distributing a “Biometric Consent Form” to employees that stated that the company’s vendors “may collect, retain, and use biometric data for the purposes of verifying employee identity and recording time” as well as describing Matcor’s policies for retaining and destroying employee data. Id. at 4. The Court previously had certified a class of Matcor employees who enrolled in the company’s finger-scan timekeeping system between May 13, 2015 and June 16, 2021, prior to the policy update. After a lengthy discovery period, both parties filed motions for summary judgment.

The Court’s Ruling

The Court held that there was no genuine dispute of material fact that Matcor’s timekeeping policies during the class-wide time period violated the BIPA. In its ruling, the Court dismissed a series of defenses offered by the company, including that in order for the BIPA to apply, Matcor’s timeclocks needed to “collect” and store its employees’ fingerprints, rather than just transmit them to a third-party vendor. The Court was unconvinced. It opined that the BIPA also applied when timeclocks collected biometric information “based on” a fingerprint. Id. at 7. Matcor further argued that there was a difference between the “fingertip” scans it took and the “fingerprint” scans covered by the BIPA, but it was unable to cite authority that showed a meaningful difference between the two. Finally, Matcor argued that the Court needed “expert testimony” to assess the type of information the company’s timeclocks collected. The Court rejected this contention. It observed that collecting employees’ fingertip information clearly fell under the BIPA’s definition of biometric information.

Based on the facts, the Court determined that it was undisputed that Matcor began using biometric timeclocks to collect employees’ fingerprints in 2019, and the company did not implement a BIPA-compliant policy until one year after the Plaintiff commenced his suit. The record also clearly showed that Matcor failed to obtain its employees’ consent before collecting their fingerprints, and only obtained BIPA releases 2 years after the suit was initiated. Accordingly, the Court granted the Plaintiff’s motion for summary judgment and the lawsuit will now proceed to the damages stage.

Implications

As this ruling emphasizes, employers can be held strictly liable for any period of time in which they collect their employees’ biometric data without having a corresponding BIPA-compliant policy. State privacy statutes like the BIPA pose unique dangers for unwary employers who do not keep up-to-date with evolving legal requirements relating to the collection, retention, and use of biometric data. Although Illinois was one of the first adopters of such stringent privacy laws, it will certainly not be the last, and companies should begin taking preventative measures to limit liability associated with such statutes.

© 2009- Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.

The opinions expressed on this blog are those of the author and are not to be construed as legal advice.
