This case study examines the implementation and use of Biometric Technology and its impact on the rights of its citizens and their economic environment following a sweeping class-action lawsuit.
Situation
The state of Illinois along with other U.S. federal and state legislatures (New York) introduced legislation such as the Illinois Biometric Privacy Act (“BIPA”) related to the implementation and use of Biometric Technology and its impact on the rights of its citizens and their economic environment. The legislation resulted in various costly controversies and litigation requiring adjudication.
One of the most costly recent rulings involved members of a sweeping class actions lawsuit versus American Data Processing (“ADP”).
The lawsuit accused ADP of specifically violating Illinois’ BIPA by providing equipment and support to employers who required their employees to scan their fingerprints when punching in and out of work shifts. The case arose in Chicago’s Cook County, a notoriously labor-friendly jurisdiction.
Learning Objectives
After participating in this case study, readers will be able to:
- Define Biometric Technology (BT)
- Understand the development, use, and impact of biometric technology (“BT”) on many corporate entities.
- Describe how new Federal and State government and regulatory agencies, will significantly impact enforcement of BT.
- Understand the critical usage and protective requirements embedded in the Act.
- Explain the consequences of improper usage of BT.
Key Terms
Biometric Technology, Illinois Biometric Privacy Act (BIPA), Mediation/Arbitration, Class Action, Settlement
Current State
Competing creatively in the current technology-driven environment is difficult. Individuals, sole proprietors, limited partnerships, and corporations (both public and private) face numerous challenges, including (i) the speed and growth of technology, (ii) the appropriate productive usage of such technology, along with the costs of implementation and maintenance, and (iii) the equally consequential impact of federal, state and regulatory agency Rules and Regulation that inevitably follow on the heels of new development.
Future State
Government regulators frequently take a slow and deliberate approach, allowing individuals and businesses in a newly developing area just enough rope to hang themselves. To be fair, they’ll typically start giving out warnings of a sort and initially begin with relatively minor penalties (as opposed to more onerous ones later on). Uncertainty in the landscape affords regulators the kind of ripe playing field and tremendous leverage they enjoy wielding in the marketplace, to set examples. For those reasons, it is vital to have a compliance program in place from the very start.
People demonstrating and documenting a clear intent to act within the law can expect to be treated much differently than those who rambled forward throwing caution to the wind.
Technology marches forward, providing great opportunities, especially to innovators. They must, however, move forward wisely or risk losing the advantages originally posed by the opportunity.
Background
ADP is a comprehensive global provider of cloud-based human capital management (HCM) solutions that unite HR, payroll, talent, time, tax and benefits administration, and a leader in business outsourcing services, analytics and compliance expertise, in business for over 70 years. ADP employs roughly 58,000 people and generates revenue of almost $15 billion. FORTUNE magazine recognized ADP as one of the “World’s Most Admired Companies” for 14 consecutive years. ADP’s insights and advanced technology notably transformed human resources from a mere back-office administrative function to a strategic business advantage.
The advance of technology propelled them toward providing biometric technology services to customers who desired cutting-edge employee management operations.
Biometric technology is not without its pitfalls. In fact, an Illinois judge recently approved class-action status for a 2017 case initially brought by a single attorney. The key allegations in the suit primarily focused on ADP’s failure to obtain written authorization before those employers required their workers to scan their fingerprints on so-called biometric time clocks (BTCs) using ADP technology. The lawsuits further alleged that ADP failed to provide notices to those employees of ADP customers (the employers) concerning how ADP would store, share and ultimately destroy scanned prints.
The initial case (filed in 2017 and expanded in 2018) underwent considerable litigation as two additional law firms joined the suit, leading to battles as to who would control the litigation, and receive the lion’s share of the fees. The judge resolved the issue by appointing all three firms as co-lead counsel in 2019. Soon after, the class action was moved to “mediation” where the parties agreed to a settlement of $25 million. Attorneys received up to 36% of that amount in fees for their work on the case.
The class member claimants: those employees working for employers in Illinois, using ADP systems from June 2013-November 2020, would receive approximately $250 dollars each, subject to filing a claim as prescribed in the settlement agreement; they might also be eligible for further distributions depending on the number of claimants. The resolution prohibited class members from filing further suits against ADP. They could, however, choose to file additional suits against their employers under the BIPA law for the same alleged violations.
Analysis
New technology frequently creates fear and uncertainty, especially in an area such as BT. State legislative action is understandable under the circumstances, in order to better protect the public. Laws, unfortunately, rarely clarify things as neatly as intended by legislators. There’s also little-to-no case law on the subject. This creates huge gaps of guidance for companies seeking to operate in a developing field.
Considering the circumstances, it would have been prudent for ADP to do more to protect itself through use of internal compliance. Compliance forces companies to exercise mindfulness in their corporate duties and better consider their responsibilities and potential liability with respect to product development, customer impact and most importantly, federal, state and municipal legislation and regulatory requirements. Failure to do so, exposes companies to unnecessary large fines, potential criminal consequences and, as in this case, class action lawsuits. Senior executives, not the least of which were their Chief Compliance Officer (CCO) and legal team, must bear the primary burden of such awareness.
The impact of “personal privacy protections,” has generated a significant amount of controversy and litigation for decades. It should come as no surprise that the expansion of technology deeply impacts concerns regarding privacy rights and their extensions into everyday commerce and social activities. It remains incumbent upon all people and entities that choose to compete in a fast-evolving arena, to employ both human and financial capital to protect themselves and their clients. ADP failures in this case not only impacted the company but also left their targeted employer customers vulnerable. Since both were determined subject to the protection embodied in the BIPA regulations.
Recommendations
All business and commercial activities require intelligent and informed investment, complemented by constant awareness of the environments in which they operate and compete. The economic landscape has been and always will be subject to change and evolution prompted by technology. It requires a dedicated commitment to educate all key members of an organization; not the least of which requires a company-wide commitment to support the compliance team’s efforts.
Business enterprises, moreover, cannot just assume that the efforts of its vendors and external stakeholders will provide protection. Each business utilizing ADP’s technology did so under the assumed umbrella of protection that ADP, as a large and trusted company, has superior knowledge in the area of compliance. The court’s ruling, however, demonstrates that companies cannot farm out that responsibility to others. Each company must think and choose for itself, emphasizing the critical importance of compliance for all companies, and will be held responsible in the absence of doing so.
Sources:
- www.biometriccentral.com/what-is-biometric-technology/
- www.freeprivacypolicy.com/blog/bipa
- http://cookcountyrecord.com/stories/568418623-adp-agrees-to-pay-25m-to-settle-worker-fingerprint-scan-class-actions-lawyers-could-get-36
- https://www.law.com/legaltechnews/2020/06/26/recent-decisions-clarify-scopoe-of-illinois-biometric-privacy-law/?sl return=20210011202855
- www.classaction.com