Rise in Litigation from Corporate Use of Biometric Information
January 8, 2018
Recently, Illinois has seen a rise in class-action lawsuits from customers and employees of companies that use biometric information. In fact, since July of 2017, there have been more than 25 such cases filed in Illinois state and federal courts.
In 2008, Illinois became the first state to enact legislation to address privacy concerns arising from the use of biometric information. The Illinois Biometric Information Privacy Act (BIPA) governs the collection and storage of biometric identification technology, such as retina scans, fingerprint and voiceprint identification, and face and hand recognition. (740 ILCS 14/1).
The recent drastic increase in this type of litigation is due to the diverse use of biometric data. For example, consider a company that has purchased timekeeping systems which use facial recognition or fingerprint identification technology rather than old-fashioned timecards or ID badges. Likewise, companies now give customers access to their accounts and sensitive financial information by utilizing biometric technology for security purposes.
In a case against Shutterfly, Inc., plaintiffs alleged that the company violated BIPA by gathering and storing “face geometry” scans without consent. In another case involving the restaurant chain Bao Wow, plaintiffs alleged that the company failed to notify customers and obtain consent when utilizing facial scans via self-order kiosks. Likewise, in a class action against the well-known gas station Speedway, plaintiffs alleged that the company collected employees’ fingerprints without written consent and subsequently shared the data with a third-party vendor.
While these and similar cases continue to be litigated, Illinois companies should strive to avoid and minimize liability. BIPA outlines the steps which collectors of biometric information should take to protect consumers and employees alike:
- Develop a written policy that is made available to the employees or the public. This policy must include a retention guideline and guidelines for permanently destroying unneeded BIPA protected data. Under BIPA, a private entity must destroy biometric identifiers and information once the purpose for which they were collected has been fulfilled or within 3 years of the individual’s “last interaction” with the employer or entity;
- Provide written notice to all affected individuals that biometric identifiers or information is being collected and stored as well as the specific purpose and time period during which the identifiers or information will be collected, stored and used;
- Obtain written consent or a release, including a signature from all employees or customers whose biometric identifiers or information will be collected, stored, and used.
After collecting this biometric information, collectors must also take the following steps:
- Adopt procedural safeguards to prevent the disclosure, sale, lease, trade of or profit from biometric identifiers and information;
- Use the industry’s reasonable standard of care when storing or transmitting this information;
- Protect the biometric identifier or information in at least the same manner as other confidential and sensitive information, including genetic testing information, driver’s license numbers, or social security numbers; and
- Ensure biometric identifiers and information are indeed destroyed per the written policy.
Damages for BIPA violations may be significant, and can include attorney’s fees, injunctive relief, and liquidated damages, the greater of $1,000 or actual damages for each violation negligently committed, and the greater of $5,000 or actual damages for each violation recklessly or intentionally committed.
To protect itself, every business should develop written policies, notices, consents, releases and internal operating procedures that are described above. Assistance of a law firm is advisable. If you have any questions about biometric data or BIPA compliance, please contact the attorneys in the Employment & Labor Practice Group at Heyl Royster.