There is a growing trend to use biometric data for business purposes. For employers, this often includes using fingerprints or facial recognition software for employees to clock-in and out. Using an employee’s unique biometric data in this way helps reduce common problems, like one employee clocking-in for another. However, it is not a panacea, as many states have begun to place restrictions on the use of biometric information. Illinois is one of those states, and its Supreme Court just issued an opinion that should make all employers sit up and take notice.
The Illinois Biometric Information Privacy Act (“BIPA”), 740 ILCS 14/1 et seq., places restrictions on the collection of “biometric identifiers,” which includes retina or iris scans, fingerprints, voiceprints, scans o hand or face geometry, or biometric information. These restrictions extend to employers, and require specific compliance steps, including:
Notice and Consent. BIPA prohibits any private entity, including employers, from collecting, capturing, purchasing, or otherwise obtaining a person’s biometric identifiers or information without (i) informing the person in writing of the collection or storage (including the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used); and (ii) obtaining a written release from the person to do so. 740 ILCS 14/15(b).
Written Retention & Destruction Policy. A private entity in possession of biometric identifiers or biometric information must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual’s last interaction with the private entity, whichever occurs first. Absent a valid warrant or subpoena issued by a court of competent jurisdiction, a private entity in possession of biometric identifiers or biometric information must comply with its established retention schedule and destruction guidelines. 740 ILCS 14/15(a).
Prohibition on Disclosure or Redisclosure. BIPA prohibits any private entity in possession of biometric identifiers or information from disclosing, redisclosing or otherwise disseminating such information unless (i) the person consents to the disclosure or redisclosure; (ii) the disclosure or redisclosure completes a financial transaction requested or authorized by the person; (iii) the disclosure is required by state or federal law or municipal ordinance; or (iv) the disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction. 740 ILCS 14/15(d).
Safeguarding. BIPA requires any private entity in possession of biometric identifiers or information to “store, transmit, and protect from disclosure all biometric identifiers and biometric information using the reasonable standard of care within the private entity’s industry,” which must be at least “the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.” 740 ILCS 14/15(e).
The failure to comply with BIPA creates a private right of action for the “aggrieved” party that, if successful, can result in monetary damages, attorneys’ fees and costs, and injunctive relief. In evaluating what it meant to be “aggrieved” under BIPA in Rosenbach v. Six Flags Entertainment Corp., the Illinois Appellate Court held that while the “injury or adverse effect need not be pecuniary…it must be more than a technical violation of the Act.” The Illinois Supreme Court disagreed.
In Rosenbach, the plaintiff was required to submit a thumbprint in order to utilize a season pass and alleged that Six Flags collected and used that thumbprint without complying with BIPA’s requirements. While there was no evidence that the plaintiff’s thumbprint had been improperly used or disclosed, the Illinois Supreme Court nevertheless held that the plaintiff qualified as an aggrieved party under the statute because his legal right was “invaded by the act complained of.”
In other words, a technical violation of BIPA entitles to the remedies available under the statute, including the lesser of liquidated or actual damages. BIPA provides for liquidated damages of $1,000 for negligent violations and $5,000 for intentional or reckless damages. Given that violations of BIPA are likely to by systemic, claims under the statute lend themselves to class actions. Consequently, any employer with Illinois employees using biometric data should audit its procedures to ensure BIPA compliance.