Mitigating BIPA Suit Risk Under Alternative Liability Theories
Over the course of the last year, a number of court opinions have brought certainty to several hotly contested issues arising under the Illinois Biometric Information Privacy Act.
While some of these opinions have increased the scope of liability exposure for companies that use biometrics, others have articulated the contours for several robust defenses to allegations of purported violations of Illinois' biometric privacy law.
With that said, some major BIPA issues and defenses remain unsettled at this time. One primary issue that remains uncertain is the scope of BIPA liability exposure faced by companies that do not directly collect biometric data from employees or consumers.
The fact that this major issue remains unsettled means that companies considering entering into relationships with other entities that do use biometric data in their business activities must be especially cognizant of the risks of doing so and, in turn, take actionable steps to mitigate their potential BIPA liability exposure.
District Court Denial of Parent Company's Motion to Dismiss BIPA Action
The U.S. District Court for the Northern District of Illinois recently issued one of the first opinions to directly address alternative liability theories in the context of BIPA litigation in Wordlaw v. Enterprise Leasing Co. of Chicago LLC.[1]
In that case, Dawn Wordlaw sued both her employer, Enterprise Leasing Co. of Chicago LLC, as well as Enterprise Chicago's parent company, Enterprise Holdings Inc., for alleged violations of Illinois' biometric privacy law stemming from her employer's use of her fingerprints to clock in and out of each shift.
In its opinion denying the defendants' motion to dismiss, the court noted that if it was later determined that the plaintiff's direct theory of liability could not be established against Enterprise Holdings, recovery would still be possible under a direct participant or joint employer theory of liability.
With respect to direct participant liability, the court noted that Wordlaw would be able to rely on evidence specifically showing that Enterprise Holdings authorized or directed the timekeeping policy to establish liability under this alternative liability theory.
And with respect to joint employer liability, Wordlaw would be able to establish her BIPA claim under this theory if she was able to prove her allegations that Enterprise Holdings specifically controlled her work environment in several important respects with factual, admissible evidence.
Practical Tips and Best Practices
As more BIPA cases are litigated and the relevant case law continues to become more developed, corporate defendants will inevitably be faced with novel arguments by plaintiffs in their attempt to establish liability over a broader range of entities for purported violations of Illinois' biometric privacy law.
Accordingly, companies that do not directly incorporate biometric data into their operations — but possess a relationship with other entities that do engage in such activities — must be cognizant of the risk that exists under Illinois' biometric privacy law in connection with alternative theories of liability and take proactive measures to mitigate this potential liability exposure.
Parent Companies: Direct Participant and Joint Employer Liability
As the Wordlaw opinion demonstrates, parent companies must ensure they take proper action to minimize the risk of being held liable for BIPA violations under direct participant or joint employer theories of liability.
Illinois courts recognize the theory of direct participant liability as an exception to the general rule that a parent is not liable for the actions of its subsidiary.[2] Under this theory, a plaintiff must show a parent company's specific direction or authorization of the manner in which an activity is undertaken and that the injury that resulted was foreseeable.[3]
To avoid potential liability under a direct participant liability theory, companies must ensure they do not exert any direction, control or authority over the manner in which their subsidiaries collect and use biometric data. Here, as noted by the U.S. Supreme Court in the 1998 U.S. v. Bestfoods decision,[4] the critical question that courts will focus on is whether the actions directed at a subsidiary by an agent of the parent are abnormal enough in degree and detail that they go beyond the accepted norms of parental oversight of a subsidiary.
Thus, parent companies should ensure that any control they exert relating to the collection and use of biometric data does not cross the threshold beyond what would be considered a normal incident of ownership of the subsidiary and that their subsidiaries remain free to use their own expertise.
To determine whether a parent can be held liable under a joint employer theory, Illinois courts consider whether, as stated by the Supreme Court of Illinois in the 1997 Village of Winfield v. Illinois State Labor Relations Board decision, "two or more employers exert significant control over the same employees — where from the evidence it can be shown that they share or co-determine those matters governing essential terms and conditions of employment."[5]
To mitigate the risk of potential joint employer liability, parent companies should ensure that — from a general perspective — they do not exert significant control over the employees of their subsidiaries. Rather, subsidiaries should retain control and sole decision-making authority for determining the essential conditions of employment for their employees.
More specifically, parent companies should steer clear of exercising any authority or control over the following matters: hiring and firing; promotions and demotions; setting wages, work hours, and other terms and conditions of employment; disciplinary matters; and actual day-to-day supervision and direction of the subsidiary's employees while they are on the job.
Temporary Employees: Borrowed Employee Liability
In addition to parent companies, employers that work with staffing agencies to fulfill their workforce needs must also be on guard as it relates to potential indirect BIPA liability.
Today, many staffing agencies use their own biometric time clocks to record their temporary staffers' time and attendance while working at a client's office or facility. Under these circumstances, plaintiffs may attempt to establish liability against the employer under a borrowed employee theory.
Under Illinois law, an employee in the general employment of one employer may be loaned to another for the performance of work and, while performing that work, become the employee of the employer to whom he or she has been loaned.[6] In such a case, the second employer, not the first, is liable for tortious conduct involving the employee.[7]
A worker is considered to be a borrowed or loaned employee only if he or she is, as stated by the Northern District of Illinois in the 2010 Garrelts v. Symons Corp. decision, "wholly subject to the control and direction of the second employer and free, during the temporary period, from the control of the original master."[8]
Employers can best mitigate the potential of being held liable under a borrowed employee theory by ensuring the right provisions are contained in their agreements with staffing firms to effectively transfer risk.
Most importantly, employers should ensure that their agreements position the staffing agency as the primary employer for all temporary staff. In particular, agreements should specify that the staffing agency possesses all employer responsibilities as it relates to their temporary workers, including the manner of hiring, mode of payment and termination.
Employers can further transfer risk through the inclusion of an indemnification provision requiring the staffing agency to indemnify the employer against all claims, damages, losses and expenses arising from the negligence or other improper actions — such as violations of Illinois' biometric privacy law — of the staffing firm or its temporary workers.
During the contract negotiation process, employers should review all proposed agreements to ensure those contracts fully mitigate the risk of borrowed employee liability relating to the use of biometrics.
Conclusion
As biometric technology continues to advance rapidly in terms of its applicability and sophistication, the use of biometric data by all types of entities will become increasingly more common as organizations look to leverage the benefits of biometrics.
At the same time, this increased use will also raise the likelihood that companies that do not themselves use biometrics — but that enter into relationships with other entities that do — may find themselves the target of a bet-the-company BIPA class action.
As such, companies and their in-house counsel must regularly monitor for developing trends as it relates to the theories of alternative liability that are being pursued by plaintiffs attorneys in BIPA class actions so that these new wrinkles can be effectively addressed and defeated in the event litigation arises.
“Mitigating BIPA Suit Risk Under Alternative Liability Theories,” by David J. Oberly was published in Law360 on February 25, 2021.
[1] Wordlaw v. Enterprise Leasing Co. of Chicago, LLC, 2020 WL 7490414 (N.D. Ill. Dec. 21, 2020).
[2] Forsythe v. Clark USA, Inc., 224 Ill.2d 274, 290 (2007).
[3] Id.
[4] United States v. Bestfoods, 524 U.S. 51, 61 (1998).
[5] Village of Winfield v. Ill. State Labor Relations Bd., 176 Ill.2d 54, 60 (1997) (quoting Orenic v. Ill. State Labor Relations Bd., 127 Ill.2d 453, 474 (1989)).
[6] Haight v. Aldridge Electric Co., 215 Ill.App.3d 353, 365 (1991).
[7] Garrelts v. Symons Corp., 2010 WL 1172525, at *2 (N.D. Ill. Mar. 23, 2010).
[8] Id. (citing Merlo v. Public Serv. of N. Ill., 381 Ill. 300, 45 N.E.2d 665, 676 (1943)).