A wave of class action lawsuits has been filed alleging violations of the Illinois Biometric Information Privacy Act (BIPA), a statute aimed at regulating how companies use information based on “biometric identifiers” such as fingerprints and retina scans. Violating BIPA can be costly, so employers operating within Illinois should review their business practices to determine whether they are using “biometric information” and plan accordingly.
Although many of the early lawsuits filed under BIPA targeted technology companies for their use of facial recognition software, recent litigation has focused on employers that use fingerprint-scanning technology to allow employees to clock in and clock out. BIPA regulates a private entity’s ability to collect, store and disclose biometric information. The statute defines biometric information as that based on individual identifiers such as fingerprints, retina scans or voiceprints. As the statute explains, these cannot be changed, unlike other unique identifiers such as Social Security numbers.
Citing the public’s concern with the use of biometrics for business transactions and the “heightened risk of identity theft” biometric information entails, the Illinois legislature sought to protect individual privacy and encourage private entities to bolster information security by passing BIPA in 2008. The statute flew under the radar until the first surge of class action lawsuits in 2015. These private actions picked up steam in the latter half of 2017, with dozens of new class action suits filed since July. And it’s easy to see why the plaintiffs’ bar has taken notice: The penalties associated with BIPA range from $1,000 to $5,000 per violation and include attorneys’ fees.
Fortunately for employers, compliance with BIPA is fairly straightforward. At minimum, entities that use biometric information must:
- Adopt a written policy with a retention schedule and guidelines for permanently destroying the information, and make this policy available to the public.
- Obtain informed, written consent from any employee whose biometric information is obtained.
- Make reasonable efforts to store, transmit and protect from disclosure all biometric information, including taking steps comparable to those taken for other confidential and sensitive information.
Additionally, employers are prohibited from disclosing biometric information unless an employee consents to the disclosure or the disclosure is required by law or by a valid subpoena or warrant. Employers are absolutely prohibited from selling, leasing, trading or profiting from any employee’s biometric information.
Other states have followed Illinois’ lead on biometric information privacy laws: Texas and Washington have laws on the books, and legislation is pending in several states.