Companies are increasingly turning to now-affordable biometric devices such as time clocks or access panels that read fingerprints, take retina scans, or use facial recognition software to identify employees. There are great benefits to this technology, for example increased corporate security or decreased opportunity for abuse such as timecard fraud. However, increasing regulation and the prospect of litigation make this a risky area for employers that do not properly protect employee rights.

Background

Illinois has what many consider the most stringent law on the use of biometrics in the United States, the Biometric Information Privacy Act ("BIPA"). Illinois is currently the only state with a private right of action for violation of a biometric privacy act. The statute of limitations is ten years, and significant damages are available to a prevailing party. 

The BIPA was enacted in 2008 and sets forth a comprehensive list of rules and notice requirements for companies that collect biometric data of Illinois employees. Although the law has been on the books for nearly a decade, the use of biometric data in employment is only now becoming commonplace. Many companies using biometric data are unaware of the BIPA's requirements and should immediately determine if action is necessary to come into compliance. 

What is a "Biometric Identifier" in Illinois?

The law defines "biometric identifier" as a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Biometric identifiers do not include writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, physical descriptions such as height, weight, hair color, or eye color, or certain other items. The law defines "biometric information" as any information, regardless of how it is captured, converted, stored, or shared, that is based on an individual's biometric identifier and used to identify that individual. It does not include information derived from items or procedures excluded under the definition of biometric identifiers.

What is an Employer Required to Do?

Any private entity that possesses biometric identifiers or information is required to develop a written policy, made publicly available, detailing a retention schedule and guidelines for permanently destroying biometric information when the initial purpose for collecting the information has been satisfied or within three years of the individual's last interaction with the private entity, whichever occurs first.

Prior to collecting, capturing, or obtaining an individual's biometric identifier or information, the private entity must first inform the individual in writing that such information is being collected or stored and of the specific purpose and length of time for which the information is being collected, stored, and used, and must obtain a written release executed by the individual.

There are also Disclosure and Storage Requirements

Private entities are prohibited from selling, leasing, trading, or otherwise profiting from an individual's biometric identifier or information and from disclosing such information unless the individual consents to the disclosure; the disclosure completes a financial transaction requested or authorized by the individual; the disclosure is required by state, federal, or local law; or the disclosure is required pursuant to a valid warrant or subpoena.

Private entities that possess an individual's biometric identifier or information must use the reasonable standard of care in the industry to store, transmit, and protect the information from disclosure, and must store, transmit, and protect such information in a manner that is the same as or more protective than the manner used to store, transmit, and protect other confidential and sensitive information.

Increasing Class Litigation and Substantial Potential Damages

Since September 2017, over 30 class actions asserting BIPA violations for the collection, use, or storage of biometric data have been filed in Illinois. A prevailing plaintiff may recover, for each violation:

  • liquidated damages of $1,000 or actual damages, whichever is greater, for negligent violations of the law;
  • liquidated damages of $5,000 or actual damages, whichever is greater, for intentional or reckless violation of the law;
  • reasonable attorneys' fees and costs, including expert witness fees and other litigation expenses; and
  • other relief, including an injunction, as the state or federal court deems appropriate.

Case law interpreting the BIPA remains sparse. Due to the dearth of case law, the plaintiffs' bar has advocated that "each violation" could be interpreted liberally, for example as each individual punch of a time clock using a fingerprint. Especially in the context of a class action, damages could multiply rapidly.

Recommended Next Steps

Companies using the biometric data of employees should take the following action if they have not already done so:

  1. Create and distribute a compliant policy notifying employees that their biometric identifiers and information are being collected and stored, detailing the purposes and length of time the information will be kept, and obtaining their written release;
  2. Review storage, transmission, and access practices for employees' biometric data and ensure reasonable care is being taken to protect it; and
  3. Develop a written policy to establish a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such has been satisfied or within three years of an employee's last interaction with the company, whichever occurs first.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.