Attention employers using biometric identification technology, such as retina scans, fingerprint identification and facial recognition technology:
A number of corporations in Illinois, including internet and video game companies, food product manufacturers, gas stations, and restaurant chains, have been sued in the past few months for alleged BIPA violations.
Here’s what you need to know
The Illinois Biometric Information Privacy Act
- Regulates the collection and storage of biometric identifiers and information
- Defines “biometric identifiers,” as a retina/iris scan, fingerprints, voiceprints, and the scan of hand or face geometry
- Requires notice and consent before collection or use of biometric data
Substantial Cost of Non-Compliance
- BIPA creates a private right of action for collecting and using biometric data without notice and consent
- For negligent violations, private entities are liable for at least $1,000 per violation in liquidated damages
- For intentional or reckless violations, the minimal liquidated damages are increased to $5,000 per violation or actual damages
- Violators also liable for reasonable attorneys’ fees, costs, experts’ fee, and injunctive relief in addition to liquidated damages
Many employers use timekeeping systems that use biometric identifiers, especially fingerprints, in lieu of timecards or ID badges. Corporations in the service industry are also increasingly using customer’s biometric identifiers, such as face scans, to conduct transactions.
How to Be Compliant
Before collecting, storing, or using biometric identifiers and information
1. Prepare a written policy that is made available to employees or the public. The policy must include a retention guideline and guidelines for permanently destroying unneeded BIPA protected data.
2. Provide written notice to all affected individuals that biometric identifiers or information is being collected and stored as well as the specific purpose and time period during which the identifiers or information will be collected, stored and used.
3. Obtain written consent or a release, including a signature from all employees or customers whose biometric identifiers or information will be collected, stored, and used.
After collecting, storing, or using biometric identifiers and information
1. Adopt procedural safeguards to prevent the disclosure, sale, lease, trade of or profit from biometric identifiers and information
2. Use the industry’s reasonable standard of care when storing or transmitting this information
3. Protect the biometric identifier or information in at least the same manner as other confidential and sensitive information, including driver’s license numbers or social security numbers
4. Ensure biometric identifiers and information are indeed destroyed per the written policy
For more, read our Alert HERE. If you have any questions, please contact your Baker McKenzie attorney.