Class Action Privacy Litigation
Nearly 30 class action lawsuits based on the Illinois Biometric Information Privacy Act (BIPA) have been filed by employees against employers in Illinois state courts during 2017. Many employers use high-tech biometric equipment like fingerprint authentication for employee time keeping. Use of that equipment subjects an employer to compliance with BIPA, even if the employer is unaware that BIPA exists. Similarly, many employees that provide their biometric data to their employer may not realize that safeguards such as BIPA are place to protect their data.
While we hope that you find the information contained in this article informative, the below merely contains information about a relatively unknown privacy statute and should not be construed as legal advice. If you are an employee concerned about the use of your biometric data, or an employer seeking to comply with BIPA, please contact us.
What is Biometric Data?
Biometric data generally refers to an individual’s measurable biological and physical characteristics. Biometric data in the employee-employer context often relates to fingerprint authentication, such as when employers require employees to use a fingerprint operated time clock for time keeping purposes. However, there are several types of biometric identification schemes you should be aware of:
- Face: Analysis of facial characteristics.
- Hand Geometry: Analysis of an individual’s hand shape and finger length.
- Eyes: Analysis of an individual’s retina and/or iris.
- Signature: Analysis of how an individual signs their name.
- Vein: Analysis of the pattern of veins in the back of the hand and the wrist.
- Voice: Analysis of tone, pitch, cadence, and frequency of a person’s voice.
- Fingerprint: The analysis of an individual’s unique fingerprints.
How do businesses use Biometric Data?
Businesses of all sizes and kinds are adopting the use of biometric data in a variety of different contexts:
- Time Keeping: Businesses are increasingly requiring employees to sign in and out of work using their fingerprints, as opposed to identification cards or pin codes that can become lost or stolen.
- Safety and Health Plans: Biometric data permits businesses to create and maintain profiles for each employee to track training, certifications, risk profiles, and use of company information.
- Security Access: Many individuals use their fingerprint to open their car door or sign onto their smart phone. Businesses are also adopting this technology for secure areas, as fingerprint authentication can prevent someone without security clearance from accessing an unauthorized area.
How does BIPA regulate Biometric Data?
BIPA regulates the collection, use, safeguarding, handling, storage, retention, and destruction of biometric data. The entire statute is important, though there are five key features to remain aware of:
- Written Consent Required: Businesses may not collect, capture, purchase, receive through trade, or otherwise obtain biometric data without first (1) informing the person in writing that their biometric data is being collected, stored, and used; (2) informing the person in writing of the specific purpose and length of term for which their biometric data is being collected, stored, and used; and (3) obtaining a written release from the individual whose biometric data is being collected, stored, and used.
- Limited Right to Dissemination: Businesses are prohibited from selling, leasing, trading, or otherwise profiting from an individual’s biometric data, and may not disseminate or disclose biometric data unless at least one of four very narrow and rigid exceptions apply.
- Safe Keeping Guidelines: Businesses in possession of biometric data must store, transmit, and protect all biometric data using, at a bare minimum, the same protective features that businesses use for storing, transmitting, and protecting other confidential and sensitive information. This essentially requires that biometric data be considered analogous to an individual’s social security number for safe keeping purposes.
- Retention and Destruction Guidelines: Businesses must develop and uniformly adhere to a written policy, made available to the public, that establishes a retention schedule and guidelines for destroying biometric data when the initial purpose for collecting or obtaining the biometric data has been satisfied or within three years of the individual’s last interaction with the business, whichever was first.
- Private Right of Action for Harmed Individuals: An individual may bring their own claim against a business that violates the Illinois Biometric Privacy Act, though the largest harm to businesses can come when many individual claims are consolidated into a class action lawsuit.
Navigating the Illinois Biometric Privacy Act
Biometric data and compliance with the Illinois Biometric Privacy Act will be a hot topic for many businesses in the coming months. Much of the litigation brought under this statute is still in its infancy, meaning the Courts have not established bright-line rules for compliance. Absent those strict rules that we all yearn for, we hope you found this information informative.
If you are an individual that believes your biometric data is being misused or your employer is collecting your biometric data without your written consent, our class action lawyers are here to help. Likewise, we are able to help local businesses navigate this confusing and ever evolving area of the law. Please contact us to schedule a free consultation.