July 11, 2020

Volume X, Number 193

July 10, 2020

Subscribe to Latest Legal News and Analysis

July 09, 2020

Subscribe to Latest Legal News and Analysis

July 08, 2020

Subscribe to Latest Legal News and Analysis

Biometric Information Litigation Update

Despite repeated warnings, companies continue to be hammered with class action lawsuits for violation of the Illinois Biometric Information Privacy Act (BIPA) [view related posts].

BIPA requires that any company that is collecting, using and disclosing biometric information (such as facial recognition, iris scans, fingerprints, DNA testing, to name a few) must basically obtain consent before collecting the information; tell the individual why they are collecting it and what they are doing with it; protect the information while it is in the company’s possession; and destroy it when it no longer has a business purpose to keep it. That is the crib version of the statute.

Companies continue to collect fingerprints of employees for time accounting (instead of the old method of punching in and out), but if they don’t get consent, tell the employees why they are collecting the prints, what they are doing with them, and whether they will or will not destroy them, they often find themselves being sued.

The companies that have recently been hit with class action suits for violation of BIPA include: Caterpillar, Keurig, Pepsi, WeWork and Juul. Of course, Facebook and Shutterfly were the early victims. (We used to write about each such lawsuit, but now they are popping up so frequently that we are aggregating them in one post.)

A particularly interesting recent case is one against Octapharma Plasma, Inc. (OPI). In the Complaint, the plaintiff alleges that OPI “operates a chain of blood plasma donation centers throughout the State of Illinois…” and that “when consumers donate plasma…they are required to scan their fingerprints and enroll in Octapharma’s customer membership database.”

The case points out that when people come in to donate plasma, they must scan their fingerprints; more conventional methods are to use a registration card for identification. Registration cards can be replaced if they are lost or stolen, but fingerprints cannot be replaced, and if the database were to be compromised, this loss would cause risk to those whose fingerprints are contained in the database.

The suit states that OPI is in violation of BIPA because it failed “to adequately inform its customers of the complete purposes for which it collects their sensitive biometric data or to whom the data is disclosed, if at all…” and “failed to provide customers with a written, publicly available policy identifying the retention schedule, and guidelines for permanently destroying their fingerprints.”

This and other cases illustrate how easy it is to get caught in the web of BIPA-related class action litigation. If you are collecting biometric information, be aware of BIPA (and other state laws) that require transparency and consent, and address these requirements in your compliance program.

Copyright © 2020 Robinson & Cole LLP. All rights reserved.National Law Review, Volume IX, Number 339


About this Author

Linn F. Freedman, Robinson Cole Law Firm, Cybersecurity and Litigation Law Attorney, Providence

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She provides guidance on data privacy and cybersecurity compliance to a full range of public and private clients across all industries, such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine, and charitable organizations. Linn is a member of the firm's Business Litigation Group and chairs its Data Privacy + Cybersecurity Team. She is also a member of the Financial Services Cyber-Compliance Team (CyFi ...