Illinois’ stringent Biometric Information Privacy Act (BIPA) has spawned a slew of recent single-plaintiff and class actions with large potential damages. Increasingly, employers use biometric data for timekeeping, security, safety and benefits purposes. As a result, state and local legislatures nationwide are contemplating following Illinois’ lead and enacting biometric privacy laws of their own.

In 2008, Illinois enacted the most stringent biometrics privacy law in the nation. The BIPA requires private entities to follow certain consent, notice and disclosure procedures when collecting, storing or using individuals’ biometric data. With biometric technology becoming more commonplace in commerce and the workplace, the plaintiff’s bar has begun exploring the BIPA as a potentially lucrative new litigation mechanism.

Under the BIPA, biometric data includes a retina or iris scan, fingerprint, voiceprint, scan of hand or face, or any information generated from, or based on, these identifiers. Collectors of biometric data must satisfy several preconditions, including the following:

  • Informing the subject in writing that the biometric data is being collected or stored
  • Informing the subject in writing of the purpose and length of time the data is being collected for
  • Obtaining a written release signed by the subject of the data being collected
  • Developing a publicly available written policy regarding how long the data will be kept and how and when it will be permanently destroyed

Additionally, the BIPA requires private entities to follow specific requirements when storing and destroying biometric data. For example, biometric data must be stored in the same manner that other confidential information is kept, may be disclosed only with the subject’s consent or if otherwise required by law, cannot be used for profit, and can be kept only for three years or until the original collection purpose is satisfied, whichever is shorter.

The damages available under the BIPA make it an attractive litigation platform for both single-plaintiff and class actions. Each negligent violation allows plaintiffs to recover actual damages or $1,000, whichever is greater. Each reckless or intentional violation allows plaintiffs to recover actual damages or $5,000, whichever is greater. Prevailing plaintiffs also are entitled to reasonable attorney's fees, costs and other relief, including an injunction.

The BIPA’s stringent requirements and generous damages provisions recently landed several employers in Illinois’ state and federal courts. In particular, a regional supermarket chain has been accused of violating a class of employees’ rights under the BIPA by collecting employee fingerprints for timekeeping purposes without first obtaining their written consent and explaining how their data would be stored and when it would be destroyed. Similar class action lawsuits recently were filed on behalf of employees against a major gas and convenience store chain and a luxury downtown hotel, as well as their timekeeping provider and data center operator, respectively.

Illinois consumers have also launched class actions against major tech companies, retailers, daycare centers and other businesses related to their facial or fingerprint identification software. While some of these suits were dismissed on the pleadings, others are ongoing or have settled for as much as $1.5 million.

The Evolving Biometrics Landscape

Judicial interpretations of the BIPA during these lawsuits will restrain or embolden further BIPA litigation in Illinois. Regardless, the growth of biometric technologies in the workplace is inevitable. Biometric timekeeping devices, for example, are readily available, relatively inexpensive and keep more accurate, easily stored records. The BIPA, and associated litigation, are likely to correspondingly evolve. Additionally, several states including Alaska, Connecticut, Montana, New Hampshire, Texas and Washington either have or are considering laws similar to Illinois’ BIPA.

Implications and Recommendations for Employers

Given the evolving and fragmented legal landscape, some employers have opted to absorb the cost of technology that allows biometrics to be used for timekeeping and security purposes without storing the data. However, so long as employers keep abreast of developments in state and local biometric privacy laws before implementing collection practices, increased technology and litigation costs can be avoided.

Before collecting, receiving or storing biometric data in Illinois, employers should:

  • Inform employees in writing of the following:
      1. that their biometric data is being collected or stored
      2. the purpose of collecting their biometric data
      3. the length of time their biometric data will be collected, stored and used for
  • Obtain written releases from employees whose biometric data is being collected
  • Make publicly available a written policy regarding how employees’ biometric data will be permanently destroyed and whether it will be destroyed within the shorter of three years or when the original collection purpose is satisfied

Once employers collect biometric data they must also:

  • Store, transmit and protect the data from dissemination in the same manner that other confidential and sensitive information is kept and with reasonable care
  • Disclose or disseminate the data only if the employee consents to the disclosure, the employee requests the disclosure in order to complete a financial transaction, or if the disclosure is otherwise required by law
  • Not sell, lease, trade or otherwise profit from the data
  • Keep the data for the shorter of three years or until the original collection purpose is satisfied, as outlined in their publicly available retention and destruction policy

Employers should also adhere to general data collection principles. Limit what data is collected and the length of time it is collected for. Establish policies with safeguards for the handling, dissemination and accessibility of biometrics, both internally and with any external vendors. Finally, craft a plan for handling potential biometric data breaches.