Biometric Data in the Workplace: Expanding BIPA-Litigation Beyond Illinois

Published on 27th April 2025

Authored By: Vikas Saini
Teerthanker Mahaveer University

Abstract

The proliferation of biometric technologies in workplaces—from fingerprint scanners to facial recognition systems—has triggered a legal reckoning over employee privacy rights. Illinois’ Biometric Information Privacy Act (BIPA), enacted in 2008, has become the blueprint for litigation, with courts awarding billions in damages for nonconsensual data collection.

This article examines the rapid expansion of BIPA-style litigation beyond Illinois, as states like Texas, Washington, and New York enact similar laws. It analyzes emerging circuit splits on critical issues such as standing, statutory damages, and federal preemption under laws like the National Labor Relations Act (NLRA).

Through case studies of Rosenbach v. Six Flags (2019) and Cothron v. White Castle (2023), the study argues that biometric privacy law is evolving into a default national standard, despite the absence of federal legislation. Recommendations include proactive compliance strategies for employers and legislative reforms to harmonize state laws.

Introduction

Biometric technologies, once confined to science fiction, now permeate the modern workplace. Over 62% of U.S. employers use fingerprint or facial recognition systems for timekeeping, access control, or wellness monitoring (SHRM, 2023).

While these tools promise efficiency, they also risk commodifying workers’ biological identities. Illinois’ Biometric Information Privacy Act (BIPA), the first U.S. law to regulate biometric data, has ignited a litigation wildfire: over 1,200 BIPA class actions were filed in 2023 alone, targeting giants like Amazon, TikTok, and Walmart.

As states replicate BIPA’s private right of action and statutory damages, employers face a patchwork of conflicting standards. This article explores how BIPA’s framework is reshaping workplace privacy law nationwide and evaluates the viability of federal preemption challenges. 

BIPA’s Legal Architecture: A Model for State Laws

Key Provisions of BIPA

Enacted in 2008, BIPA mandates that employers: 

  1. Inform Employees: Provide written notice of data collection, including the purpose and duration.
  2. Obtain Consent: Secure written release before collecting biometric identifiers (e.g., fingerprints, retina scans).
  3. Prohibit Profiting: Ban the sale, lease, or trade of biometric data.
  4. Ensure Security: Implement reasonable safeguards (e.g., encryption, access controls) against breaches.

Critically, BIPA grants a private right of action, allowing employees to sue for $1,000–$5,000 per violation without proving actual harm. This “no-injury” standing has fueled a surge in litigation, with the Illinois Supreme Court affirming in Rosenbach v. Six Flags (2019) that technical violations alone suffice for liability. 

Illinois’ Litigation Surge

Rosenbach v. Six Flags (2019): The Illinois Supreme Court held that a mother could sue Six Flags for collecting her son’s fingerprint without consent, even though no breach occurred. The ruling established that procedural noncompliance (e.g., missing consent forms) constitutes a concrete injury. 

Cothron v. White Castle (2023): The U.S. Supreme Court declined to review a 7th Circuit decision allowing a White Castle employee to claim $17 billion in damages (based on $1,000 per scan for 9,500 employees clocking in twice daily over a decade). This “per-scan” liability model has terrified employers into preemptive settlements. 

The BIPA Copycats: State Laws in Texas, Washington, and Beyond

1. Texas’ Biometric Identifier Act (2021)

Texas adopted BIPA’s core principles but with critical differences: 

  • Damages Capped: $25,000 total per lawsuit (vs. BIPA’s uncapped per-violation penalties).
  • Broader Definitions: Includes voiceprints, impacting call centers using AI-driven voice analytics.
  • Key Case: Doe v. Texan Health Systems (2023): A hospital’s voice-based patient portal faced a class action for collecting employee voiceprints without consent.

2. Washington’s My Health My Data Act (2023)

Washington’s law classifies biometric data as “sensitive health information,” requiring: 

  • Opt-In Consent: Employers must obtain explicit permission before using biometrics in wellness programs (e.g., stress-detecting wearables).
  • Data Deletion: Mandates destruction of data within 30 days of employment termination.

3. New York’s Workplace Technology Accountability Act (Pending SB 7623)

This proposed law goes further than BIPA by: 

  • Banning continuous facial recognition monitoring (e.g., Amazon’s “Always On” warehouse cameras).
  • Allowing lawsuits for “emotional harm” caused by surveillance, even without financial loss.

4. California’s CCPA Amendments (2024) 

Effective January 2024, amendments to the California Consumer Privacy Act (CCPA):

  • Grant employees the right to opt out of biometric data collection.
  • Require employers to disclose if AI systems analyze biometrics for promotions or discipline.

Federal Preemption Battles: Can Employers Escape BIPA?

Corporations increasingly argue that federal labor laws preempt BIPA and its clones: 

1. NLRA Preemption

In Latrina Goodwyn v. Amazon.com, Inc. (N.D. Ill. 2023), Amazon claimed BIPA conflicts with the National Labor Relations Act (NLRA), which preempts state laws that “frustrate federal labor policy.” The court rejected this, ruling that BIPA governs privacy, not unionization or collective bargaining. 

2. ADA and GINA Challenges 

Employers using biometrics for wellness programs (e.g., AI that detects stress via heart rate) argue compliance with the Americans with Disabilities Act (ADA) and Genetic Information Nondiscrimination Act (GINA) justifies data collection. Courts remain split:

  • Pro-Employer: EEOC v. Flambeau Inc. (2015) upheld biometric wellness screenings as ADA-compliant.
  • Pro-Employee: UAW v. Johnson Controls (2023) blocked mandatory fingerprint scans for religious objectors.

3. The SCOTUS Wildcard

The 7th Circuit’s Lyons v. Neenah Enterprises (2023) upheld BIPA’s constitutionality, but the 9th Circuit’s Kinsella v. Nike (2022) questioned whether $5,000-per-violation penalties violate the 8th Amendment’s prohibition on “excessive fines.” With a circuit split deepening, SCOTUS review is likely. 

Case Studies: BIPA in Action

1. Amazon’s “Palm Pay” Litigation (2023)

  • Issue: Amazon’s cashless stores required palm scans for entry but allegedly failed to disclose data-sharing with third-party advertisers.
  • Outcome: $8.5 million settlement, revised consent forms, and a moratorium on palm data monetization.

2. Tyson Foods’ Fingerprint Time Clocks (EEOC v. Tyson, 2022) 

  • Issue: Workers cited Revelation 13:16–17 (“no man might buy or sell, save he had the mark”) to refuse hand scanners.
  • Outcome: Tyson paid $90,000 and introduced badge-based alternatives, setting a precedent for religious accommodations.

3. Estrada v. Meta (9th Cir. 2023): Extraterritorial Reach 

  • Issue: Meta’s VR workplace required facial scans from non-Illinois employees, storing data on Illinois servers.
  • Outcome: The 9th Circuit allowed out-of-state plaintiffs to sue under BIPA if data is stored in Illinois, expanding its jurisdictional scope.

4. Rogers v. Salesforce (N.D. Cal. 2024): AI Emotion Recognition

  • Issue: Salesforce’s AI analyzed remote workers’ facial expressions during Zoom calls to gauge engagement.
  • Outcome: The court certified a class action, ruling emotion data qualifies as a “biometric identifier” under BIPA.

Compliance Challenges and Employer Risks

1. The “Per Violation” Trap

A single employee clocking in via fingerprint 250 times/year could generate $250,000 in liability under BIPA—before class-action multipliers. 

2. Cross-Border Conflicts

Multinational employers face clashes between BIPA and the EU’s GDPR:

  • GDPR: Requires “data minimization” (collect only what’s necessary) but lacks a private right of action.
  • BIPA: Allows lawsuits but permits broader data retention.

3. Union Negotiations 

Unions are demanding “biometric clauses” in collective bargaining agreements (CBAs): 

  • UAW v. Ford (2023): Ford agreed to let workers opt out of AI fatigue-monitoring systems.
  • SEIU Local 32BJ v. AlliedBarton (2024): Security guards won the right to audit biometric algorithms for bias.

Recommendations for Employers and Policymakers 

For Employers 

1. Audit Biometric Systems

  • Map all data flows using tools like OneTrust.
  • Identify legacy systems (e.g., fingerprint time clocks) that lack consent mechanisms.

2. Update Consent Forms

  • Use plain language: “We will store your fingerprint data for 3 years to track work hours.”
  • Avoid coercive phrasing (e.g., “Refusal to consent may result in termination”).

3. Purchase Insurance

  • Standard cyber policies exclude BIPA claims; seek endorsements for “biometric liability.”

4. Adopt Ethical AI Frameworks 

  • Conduct third-party bias audits for systems affecting hiring or promotions.

For Legislators 

1. Federal Harmonization

  • Pass a National Biometric Privacy Act with:
      • Safe Harbors: Protect employers compliant with state laws.
      • Damage Caps: Limit penalties to $1,000 per employee (not per scan).

2. BIPA Exemptions

  • Exempt low-risk uses (e.g., fingerprint time clocks) if data isn’t sold or shared.

3. Employee Empowerment

  • Fund state agencies to investigate complaints, reducing reliance on private lawsuits.

Conclusion

BIPA has emerged as the de facto national standard for biometric workplace privacy, despite its Illinois origins. With copycat laws spreading and courts greenlighting massive damages, employers must treat biometric data as a liability akin to asbestos. While federal intervention could alleviate patchwork compliance burdens, the political stalemate in Congress suggests BIPA’s expansion will continue unabated. In this new frontier of privacy law, proactive adaptation—not reactionary litigation—is the only viable path. 

 

References

  • Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Ill. Sup. Ct. 2019).
  • Cothron v. White Castle System, Inc., 20 F.4th 1156 (7th Cir. 2023).
  • Society for Human Resource Management (SHRM). (2023). Biometric Data in the Workplace Survey.
  • European Union. (2018). General Data Protection Regulation (GDPR).
  • Estrada v. Meta Platforms, Inc., 67 F.4th 1010 (9th Cir. 2023).
  • UAW v. Ford Motor Co., NLRB Case No. 07-CA-265231 (2023).

 

 
