Alleging that mandatory daily biometric fingerprint scans violate employees’ privacy rights under the Illinois Biometric Information Privacy Act (BIPA), employees of Paramount of Oak Park Rehabilitation & Nursing Center, LLC, have filed a putative class action against the nursing home.
The BIPA requires companies that collect and use biometric information to obtain a written release prior to collecting such data. Under the BIPA, individuals may sue for violations and, if successful, can recover liquidated damages ranging from $1,000 (or actual damages, whichever is greater) for each negligent violation to $5,000 for each intentional or reckless violation, plus attorneys’ fees and costs. Our FAQs provide basic information on the BIPA and include recommendations and best practices for companies that collect or use biometric information.
Martin Ragsdale, on behalf of the class, claims that Oak Park requires a minimum of two fingerprint scans from employees each day — for clocking in and clocking out. Ragsdale argues that the nursing home’s practice is “invasive” and “exposes the workers to serious and irreversible privacy risks — risks that BIPA was designed to avoid — including the ever-present risk of a data breach.”
Ragsdale, on behalf of the class, requests that the Illinois circuit court:
- Grant an injunction barring Oak Park from further collecting fingerprints,
- Require Oak Park to destroy fingerprints it has collected to date, and
- Award the class an unspecified amount in damages and legal fees.
New Trend of Employee Biometric Class Actions
From July 2017 to October 2017, at least 26 employment class actions based on the BIPA were filed in Illinois state court. Similar to the suit against Oak Park, the class actions allege employer misuse of timekeeping systems that collect fingerprint scans. They claim the employer failed to provide proper notification and obtain written consent or neglected to institute a valid use policy.
Although some consider Illinois the leader in biometric data protection, other states have enacted laws similar to the BIPA, and still others are considering such legislation.
Questions to Consider
Companies that want to implement technology that uses employee or customer biometric information (for timekeeping, physical security, validating transactions, or other purposes) should consider the following:
- Whether the company actually captures biometric information as defined under applicable law;
- Whether the company provides proper notification and obtains written consent/release;
- How long biometric information is retained;
- How biometric information is accessed, stored, and safeguarded; and
- Whether the company has a data breach response plan that covers biometric data.
Many see the use of biometric technologies as a way to help secure other confidential information against data breaches that continue to cripple governments, businesses, and other organizations. Of course, biometric information is itself sensitive, personal information that requires protection, as demonstrated by the growing number of new laws.