Many employers concerned about facility security or employees clocking in and out for each other have begun to utilize finger scan technology. Although that may have solved one problem, it may have created a much more serious problem for Illinois employers. Dozens of class actions have recently been filed alleging that employers did not comply with the Illinois Biometric Information Privacy Act (BIPA). That law was enacted in 2008 in response to the concern about the possible release of fingerprint data caused by a bankruptcy court sale of the assets of Pay By Touch, which was Illinois’ largest fingerprint scanning system.
Biometric information “means any information, regardless of how it is captured, converted, stored or shared, based on an individual’s biometric identifier [which includes “retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry”] used to identify an individual.” 740 ILCS 14/10. Employers may only collect biometric information if the following three documentation requirements are met: (1) employees are notified in writing of the “specific purpose and length of term . . . biometric information is being collected, stored and used”; (2) employees consent in writing to the use of the biometric information; and (3) the employer establishes a written policy regarding the retention and guidelines for destruction of biometric information. In addition to actual damages, an employer may be liable for statutory damages in the amount of $1,000 per negligent violation and $5,000 per willful or reckless violation, plus attorneys’ fees and injunctive relief.
The increased use of finger scan technology by employers, BIPA’s attorneys’ fees provision, and a recent $1.5 million settlement by L.A. Tan (in the consumer context) have probably caused the recent proliferation of class action litigation. In addition to the providers of finger scan technology, many employers, especially in the healthcare and hospitality industries, have been sued.
Employers may minimize the risk of being sued if they comply with the three BIPA documentation requirements: (1) notice to employees; (2) employee’s consent; and (3) retention and destruction policy. If an employer is sued, it should notify its insurance carrier immediately and explore all policies for potential coverage. In addition, there are several possible defenses that can be asserted: (a) whether the finger scan is BIPA “biometric information” because it is not a complete scan of all fingerprint features; (b) whether the retained digitized information can be utilized to recreate the employee’s fingerprint and, therefore, whether it constitutes biometric information; (c) whether the plaintiff is an aggrieved person under BIPA; and (d) whether a plaintiff must demonstrate actual harm (not just a technical BIPA violation) as required by the 2016 United States Supreme Court decision in Spokeo, Inc. v. Robins and analogous state case law. These and other possible defenses may be asserted because there are very few court decisions interpreting BIPA. Another issue still unresolved by the courts is what constitutes a willful or reckless violation.
The best advice for employers considering the use of a finger scan system is to: (1) comply with the above three documentation requirements of BIPA (notice; consent; policy); (2) ensure that the agreement with the provider contains a representation of compliance with the law, a retention and destruction policy, and an indemnification provision; (3) determine whether there may be insurance coverage; and (4) consider having employees sign arbitration agreements that contain class action waivers.
Texas and Washington have laws similar to BIPA, but those laws do not include a private cause of action and are only enforceable by the attorney general of the respective state. The potential liability under the Texas statute, however, is significant, with civil penalties up to $25,000 for each violation.