In the good old days, biometric security was the stuff of movie fantasy. Sean Connery used a fake fingerprint to foil a scanner in Diamonds Are Forever. Tom Cruise got an eye transplant and gruesomely carried his old eyeballs in a plastic bag to trick a retinal scanner in Minority Report. Ewan McGregor is a clone who uses facial recognition to pass for the person he doubles in The Island.
But today, biometric security is not so fantastic. In fact, it has made its way into the workplace in fairly ordinary applications. More employers are using biometric technology to clock workers in and out and improve payroll accuracy, or restrict access to sensitive work spaces. Biometrics aren’t just for Hollywood any more.
The Illinois Biometric Information Privacy Act
With the increased use of biometric security comes increased privacy concerns, and increased state regulation. Many states have adopted laws requiring notification when personal identifying information, defined to include biometric data, is disclosed to third parties. Illinois has gone a step further with the Biometric Information Privacy Act (“BIPA”).
Passed in 2008, BIPA has been described as the most stringent regulation of the collection, use and storage of biometric identifiers and information. Prompted by the increased use of biometrics in financial and retail transactions, the Illinois legislature expressed concern regarding the potential permanence of harm when biometric data is breached. “Social security numbers, when compromised, can be changed. Biometrics, however, are... unique to the individual; therefore once compromised, the individual has no recourse, is at increased risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.” 740 ILCS 14/5(c). Although prompted by concerns over market transactions using this data, BIPA’s reach has extended into the labor market as more employers use this technology in their daily business.
The Act governs the “collection, use, safeguarding, handling, storage, retention and destruction of biometric identifiers and information.” 740 ILCS 14/5(g). “Biometric identifiers” are defined to include “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry” but exclude “writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions.” 740 ILCS 14/10. “Biometric information” includes “any information, regardless of how it is captured, converted, stored, or shared, based on an individual's biometric identifier used to identify an individual.” Id.
BIPA requires any private party that collects or obtains biometric identifiers or information to:
- inform the subject in writing that the identifier or information is being collected or stored,
- inform the subject in writing specifically why and for how long it is being collected, stored or used, and
- obtain the subject’s written consent.
740 ILCS 14/15(b).
The Act also prohibits any private entity from:
(1) selling, leasing, trading “or otherwise profit[ing] from a person’s or a customer’s biometric identifiers or information,”[1] or
(2) disclosing or disseminating biometrics without the subject’s consent, unless required by law or pursuant to a valid warrant or subpoena.
740 ILCS 14/15(c)-(d).
BIPA sets a standard for the handling of biometric identifiers or information. It requires any private entity in possession of biometric identifiers or information to use reasonable care to “store, transmit and protect [them] from disclosure.” The standard for safeguarding this data is that used “within the private entity’s industry” and the security methods must be “the same or more protective than the manner in which the private entity stores, transmits and protects other confidential and sensitive information.”[2] 740 ILCS 14/15(e). Private entities that possess biometric identifiers or information must adopt a written policy that creates a retention schedule and guidelines for permanently destroying the data once the original purpose for collecting them has been satisfied or within three years of the subject’s last interaction with the entity, whichever comes first. 740 ILCS 14/15(a). The entity must comply with this retention schedule unless a valid subpoena or warrant requires the data’s preservation. Id.
BIPA’s Private Action
Of particular significance to financial institutions, retail merchants, employers and others who use biometric information, BIPA provides for a private right of action that allows “any person aggrieved by a violation of this Act” to recover $1,000 for each negligent violation and $5,000 for each reckless violation, or their actual damages, whichever is greater. 740 ILCS 14/20. The Act also allows the prevailing party to recover attorney’s fees and costs, including expert fees and other litigation expenses. Id.
This provision has accounted for a recent uptick in litigation as plaintiffs’ counsel have filed class actions against various tech companies and employers. Recent defendants have included Google, L.A. Tan, Shutterfly, Facebook and others. In the third quarter of 2017 alone, employers Speedway LLC, Superior Air-Ground Ambulance Service, ABRA Auto Body & Glass and over twenty others were sued in class actions filed in Illinois state courts for BIPA violations.
While these class actions are a relatively new phenomenon and it is difficult to predict how the law will develop, BIPA’s liquidated damages provisions apply per violation, and therefore can quickly aggregate into significant liabilities when multiplied across an employer’s workforce or a company’s customer base. As a result, both employers and market participants who employ this technology in their businesses have every incentive to ensure compliance with BIPA’s directives. That compliance should start with adoption of an adequate, written data retention policy. Employers should develop human resources forms and procedures that ensure they are providing the required written notifications before or at the time the biometric information is collected or used. They also must take steps to ensure that they are, at a minimum, using the technology and procedures others in their market employ to protect the confidentiality of this data. Indeed, employers would be well served by attempting to be a market leader in this area. If the technology is worth using in your business, it is worth the extra time to ensure it is being employed safely and in compliance with the law. With a bit of planning, companies using biometric technology in Illinois can look to the silver screen for their suspense and intrigue, and not the court system.
[1] The author is unsure how a customer with biometric identifiers or information would be anything other than a person, so perhaps this qualifier was unnecessary.
[2] “‘Confidential and sensitive information’ means personal information that can be used to uniquely identify an individual or an individual’s account or property. Examples of confidential and sensitive information include, but are not limited to, a genetic marker, genetic testing information, a unique identifier number to locate an account or property, an account number, a PIN number, a pass code, a driver’s license number or a social security number.” 740 ILCS 14/10.