Savvy observers have noticed the dozens of class action lawsuits filed under the Illinois Biometric Information Privacy Act in the past few months. Even though the law has been on the books since 2008, the plaintiffs' bar has recently taken notice that employers adopting new technologies for employee identification and time keeping may unwittingly be in violation of the Act's protection of biometric data, such as fingerprints, face scans, voice scans, and retina scans. With a statutory damage scheme that awards liquidated damages for every individual violation, the consequences for employers in violation of the Act can be crippling.
What is the Illinois Biometric Information Privacy Act?
Passed in 2008 as the first law of its kind in the United States, Illinois’ Biometric Information Privacy Act, or “BIPA,” makes it unlawful for private entities to collect, store, or use biometric information, such as eye scans, face scans, voice scans or fingerprints, without obtaining individual consent and taking specific precautions to protect the information. 740 ILCS 14/. The law is generally applicable and protects consumers the same as it does employees, but has found a recent foothold in the employment context with the advent of new technologies that allow employers to use fingerprints, voice scans, facial recognition and retinal scans for employee identification, access to restricted areas, and time keeping.
What does the law require?
Under BIPA, any employer collecting, storing, or using the biometric information of its employees - no matter how it is collected, stored or used - must:
- Provide each employee with written notice that his/her biometric information will be collected and stored, including an explanation of the purpose for collecting the information as well as the length of time it will be stored and/or used.
- Obtain the subject’s express written authorization to collect and store his/her biometric information.
- Develop and make available to the public a written policy establishing a retention schedule and guidelines for destroying the biometric information, which shall include destruction of the information when the reason for collection has been satisfied or three years after the employer's last interaction with the employee, whichever occurs first.
740 ILCS § 14/15(a) - (b).
Additionally, an employer may not disclose biometric information it has collected to a third party unless (1) the employee or his/her legally authorized representative gives consent; (2) the disclosure completes a financial transaction requested or authorized by the employee or his/her legally authorized representative; (3) the disclosure is required by local, state, or federal law; or (4) the disclosure is required pursuant to a valid warrant or subpoena. 740 ILCS § 14/15(d).
The law also compels an employer to use “the reasonable standard of care” within its industry for storing, transmitting, and protecting biometric information, and to act “in a manner that is the same as or more protective than the manner in which the [employer] stores, transmits and protects other confidential and sensitive information.” 740 ILCS § 14/15(e).
What happens if I fail to comply?
Under the law, plaintiffs may recover statutory damages of $1,000 for each negligent violation and $5,000 per intentional or reckless violation, plus attorneys’ fees and other relief deemed appropriate by the court. Further, if actual damages exceed liquidated damages, then a plaintiff is entitled under the Act to pursue actual damages in lieu of liquidated damages.
Most problematic for employers in violation of the Act is the fact that the $1,000 or $5,000 liquidated damage penalty is awarded on an individual basis. This can lead to a verdict in excess of $500,000 for an employer with as few as 100 employees and $50 million for an employer with 10,000 employees. Add in the ability to recover attorneys' fees and it is easy to see why this new cause of action is so popular with the plaintiffs' bar.
In order to avoid becoming the next target, employers should take the following steps:
- As an initial matter, determine whether your company is collecting, storing or using individual biometric data for any purpose.
- If the answer is yes, make sure your company has issued the required notice and received signed releases/consents from all affected individuals. Also make sure that you have in place a publicly available written policy to cover the collection, storage, use and destruction of the data.
- Ensure any collected data is not being sold or disclosed to third parties, outside of the limited exceptions permitted by the Act.
- Evaluate your data privacy protocols and processes for protecting individual biometric data. If a vendor has access to the individual biometric data, make sure the vendor has sufficient data privacy protocols and processes in place.
- Make sure your data breach policies recognize that individual biometric data is considered personal information under Illinois laws addressing data breach notification requirements.