Employers who collect biometric information such as fingerprints, face scans, or retina or iris scans from employees—or even customers—need to ask permission and explain why the data is being collected, or they could well face legal liability.
The Illinois Biometric Information Privacy Act (BIPA), which regulates how employers must handle biometric data, received a relatively liberal interpretation from the Illinois Supreme Court, which means that state-level lawsuits have wider latitude than federal ones—but even suits dismissed at the federal level can sometimes be refiled in state court. The law remains in flux when it comes to what, exactly, constitutes biometric data. Photographs are not considered biometric identifiers, for example, but a software application that collects facial scans could be—and even federal courts have allowed for relatively broad interpretations on this front, mindful of the galloping pace of technological advances.
In Rosenbach v. Six Flags Entertainment Corp. (2019 IL 123186), issued on January 25 of this year and previously detailed on this blog, the Illinois Supreme Court defined an aggrieved person as anyone whose information is collected without their consent or knowledge, even if they were not harmed in the process. This means employers are liable for $1,000 in damages for each negligent violation and $5,000 for each intentional violation. For example, if an employer fingerprints employees each day as they check in and out of the office, and does not notify employees of the collection and storage of these fingerprints, the business could be fined $2,000 per day per employee. Perhaps not surprisingly, at least 90 class action lawsuits alleging violations of BIPA have been filed since January in Illinois state courts.