The burgeoning science of biometrics both excites and unnerves people. It is the subject of both a razzle-dazzle upgrade in the new iPhone X and a growing body of privacy-related litigation in Illinois stemming from the 2008 passage of the Biometric Information Privacy Act.
That law requires companies using biometric data—which includes facial scans, fingerprints, iris scans and any other identification data except for a person’s name and demographics—to obtain a consumer’s consent to use the data, explain how it will be used, and tell them how long it will be retained. The consumer must sign a written release acknowledging this.
Companies and other organizations that violate the terms of that release can be and have been sued under the law, which is designed to protect individuals against the risk of identity theft in financial transactions and security screenings. Biometrics are considered a better security risk than even a Social Security number, since a Social Security number can be changed; but they’re also a greater risk for individuals, since they’re biologically unique and, once compromised, leave a person permanently vulnerable.
Businesses that use biometric data include theme park entertainers like Six Flags and tech companies like Facebook, Google, Snapchat and Apple, which previously had used a simple thumbprint as a password security feature. While Apple has a strong privacy record, the iPhone’s many apps also will use Face ID, and Apple is said to be still working on methods to protect consumers’ personal data within those.
Small and medium-sized businesses use biometric data for purposes like timekeeping—to prevent “buddy punching,” in which one employee clocks in and out for a friend who has decided to play hooky from work that day—and they are under the same obligations as other companies that use this data for whatever purpose. Employees must sign off on the use of the data and be told how it will be used and how long it will be retained.
A growing class of employers has been subject to class actions that allege violations of the Illinois statute. In fact, five such lawsuits were filed against Illinois employers in August alone, in industries like healthcare, senior living, commercial banking, meat processing and security. Others have been filed in the past against day care operators, tanning salons, video game makers and hotel companies. The Biometric Information Privacy Act entitles plaintiffs to $1,000 for each negligent violation of privacy and $5,000 for each intentional or reckless violation, as well as injunctive relief and recovery of attorneys’ fees and costs.
Although the Illinois General Assembly passed the privacy act to reassure the public when it comes to financial transactions and other personal information, lawsuits are targeting other types of entities such as social media and photo sharing sites. Also worth noting is that when plaintiffs simply allege a technical violation of the statute but cannot show any actual harm done, some courts have dismissed their claims but others have not.
Other unresolved issues related to the Biometric Information Privacy Act include the precise scope of what does and does not qualify as biometric information, what sort of connection might be required between such information and other personal identification, whether businesses can be held liable for the collection of such information by a third-party contractor on their behalf, what relief is available if no injury can be shown, and how, precisely, businesses must disclose such information and obtain consent.
Bottom line: Given that the damages from class-action lawsuits could be crippling to a small business, small businesses should ask counsel to thoroughly evaluate their compliance and potential exposure, and take appropriate steps to protect themselves from potential liability issues.