Employers who collect fingerprints, face scans, or other biometric information such as retina or iris scans from employees or customers would be well-advised to ask permission and explain their purpose for collecting this data. If they don’t, they could be legally liable.
That follows a relatively broad reading of the Illinois Biometric Information Privacy Act (BIPA), the statute that regulates the handling of biometric data, by the Illinois Supreme Court. The practical result of the ruling is that suits in state court have greater latitude than those filed in federal court, and even a suit dismissed at the federal level can sometimes be refiled in state court. The law remains in flux when it comes to what, exactly, constitutes biometric data. Photographs, for example, are not considered biometric identifiers, but the scan data a software application extracts from a face could be, and even federal courts have allowed relatively broad interpretations on this front, mindful of the galloping pace of technological change.
In Rosenbach v. Six Flags Entertainment Corp. (2019 IL 123186), issued on January 25 of this year and previously detailed on this blog, the Illinois Supreme Court defined an aggrieved person as anyone whose information is collected without their consent or knowledge, even if they suffered no further harm in the process. This means employers are liable for $1,000 in liquidated damages for each negligent violation and $5,000 for each intentional or reckless violation. For example, if an employer fingerprints employees each day as they check in and out of the office, and does not notify employees of the collection and storage of these fingerprints, the business could face $2,000 in damages per employee per day (two scans a day at $1,000 each). Perhaps not surprisingly, at least 90 class-action lawsuits alleging violations of BIPA have been filed in Illinois state courts since January.
Plaintiffs have not fared as well in federal courts, because at least some of those courts have required employees to prove an “injury-in-fact” under Article III of the U.S. Constitution. Others, however, have ruled that a concrete injury is established simply by the employee unknowingly providing biometric data, or by the employer sharing that data with a third party. And a case can be filed again in state court, even when a federal court determines that the plaintiff lacks standing, if the federal court remands the case or dismisses it without prejudice.
With all this in mind, employers would be well advised to have a number of policies and procedures in place to ensure compliance with BIPA:
- Systematically protect employee data, ensuring you know how and when biometric data is collected, stored, used and destroyed. BIPA requires a “reasonable standard of care” and handling “in a manner that is the same as or more protective than” the way the business treats other confidential or sensitive information. To work out what that means in practice, and whether they are currently in compliance, employers will need help from both an attorney and an IT professional.
- Make sure employees understand what biometric data is being collected and why, how it’s being used and where it’s being stored; this should be detailed in your employee handbook or an equivalent document.
- Establish policies on how long you will keep biometric data, when you will destroy it, and when the purpose for collecting it has been satisfied, keeping in mind that BIPA requires the data to be destroyed once that purpose is satisfied or within three years of the employee’s last interaction with the employer, whichever comes first.
- Obtain written consent from your employee for the collection, storage and use of their data. It’s best to do this at the outset, as a condition of employment.
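The consent-before-collection and retention rules above are mechanical enough to enforce in the system that actually holds the templates. The following is an added illustration, not code from the original post or from any vendor: a minimal template store that refuses to enroll a fingerprint or face template unless a written release dated on or before the collection date is on file, computes each record’s destruction deadline as the earlier of the purpose-satisfied date and three years after the last interaction, and purges anything past its deadline. The employee IDs, dates and template bytes are constructed sample data; the class and function names are this example’s own. Encryption of the stored templates, which the “more protective than” standard would also call for, is outside what is shown here.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


def add_years(d: date, years: int) -> date:
    """Add calendar years; a Feb 29 start rolls to Feb 28 in a non-leap target year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass(frozen=True)
class Consent:
    employee_id: str
    signed_on: date          # date the written release was executed
    purpose: str             # stated purpose disclosed to the employee


@dataclass
class BiometricRecord:
    employee_id: str
    template: bytes          # enrolled template (placeholder bytes in the sample below)
    collected_on: date
    last_interaction: date   # most recent contact between employee and employer
    purpose_satisfied_on: Optional[date] = None


class ConsentRequired(Exception):
    """Raised when a template would be stored without a prior written release."""


class BiometricStore:
    def __init__(self) -> None:
        self._consents: Dict[str, Consent] = {}
        self._records: Dict[str, BiometricRecord] = {}

    def record_consent(self, consent: Consent) -> None:
        self._consents[consent.employee_id] = consent

    def enroll(self, record: BiometricRecord) -> None:
        consent = self._consents.get(record.employee_id)
        # A release must exist and must have been signed no later than the collection date.
        if consent is None or consent.signed_on > record.collected_on:
            raise ConsentRequired(
                f"no written release on file for {record.employee_id} before collection"
            )
        self._records[record.employee_id] = record

    def destruction_deadline(self, employee_id: str) -> date:
        """Earlier of: purpose satisfied, or three years after the last interaction."""
        rec = self._records[employee_id]
        deadline = add_years(rec.last_interaction, 3)
        if rec.purpose_satisfied_on is not None and rec.purpose_satisfied_on < deadline:
            deadline = rec.purpose_satisfied_on
        return deadline

    def purge_expired(self, today: date) -> List[str]:
        """Delete every record whose deadline has arrived; return the purged IDs."""
        expired = [eid for eid in self._records if self.destruction_deadline(eid) <= today]
        for eid in expired:
            del self._records[eid]
        return sorted(expired)

    def enrolled(self) -> List[str]:
        return sorted(self._records)


def build_sample_store() -> BiometricStore:
    """Constructed sample data: three employees, all with releases on file."""
    store = BiometricStore()
    store.record_consent(Consent("e100", date(2016, 3, 1), "timekeeping"))
    store.record_consent(Consent("e200", date(2018, 9, 10), "timekeeping"))
    store.record_consent(Consent("e300", date(2019, 1, 7), "timekeeping"))
    # e100 left in mid-2016: three-year clock runs out on 2019-06-30.
    store.enroll(BiometricRecord("e100", b"\x00TEMPLATE-E100", date(2016, 3, 2), date(2016, 6, 30)))
    # e200 still has recent contact, but the collection purpose ended on 2019-03-01.
    store.enroll(BiometricRecord("e200", b"\x00TEMPLATE-E200", date(2018, 9, 10), date(2019, 5, 1),
                                 purpose_satisfied_on=date(2019, 3, 1)))
    # e300 is a current employee; nothing to purge until 2022.
    store.enroll(BiometricRecord("e300", b"\x00TEMPLATE-E300", date(2019, 1, 7), date(2019, 6, 28)))
    return store


if __name__ == "__main__":
    store = build_sample_store()
    for eid in store.enrolled():
        print(eid, "destroy by", store.destruction_deadline(eid))
    print("purged on 2019-07-01:", store.purge_expired(date(2019, 7, 1)))
    try:
        store.enroll(BiometricRecord("e400", b"\x00TEMPLATE-E400", date(2019, 7, 1), date(2019, 7, 1)))
    except ConsentRequired as err:
        print("refused:", err)
```

Run as a script, the sample prints the three deadlines, purges e100 and e200 on 2019-07-01, and refuses to enroll e400 because no release is on file. The purge routine is the kind of scheduled job an auditor can point to when asked how the retention policy in the handbook is actually carried out.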
Business owners should beware of the potential liabilities associated with using biometric data. Taking these precautions should allow your business to gain the security-related and other benefits of biometric data without becoming a defendant in the next class-action lawsuit.