To avoid what is becoming a common lawsuit, businesses need to be aware of the Illinois Biometric Information Privacy Act (BIPA) requirements. Two class action lawsuits were recently filed in Cook County Circuit Court by employees alleging violations of the BIPA by their respective employers. Using biometric data is beneficial for businesses, and specifically for employers, but it is important that these businesses understand what is required of them under the existing law to protect their employees and customers, and to avoid costly litigation.
On July 30, 2018, lead plaintiff, Fallon White, filed a complaint (Case No. 18-CH-09599), against her employer, Hagewisch Development Corp., alleging violations of the BIPA. Specifically, the lawsuit claims that defendants did not inform class members in writing of the purpose and length of time that their fingerprints were collected, stored, disseminated and used, or inform them of a schedule for permanent destruction of the data. The lawsuit further claims that defendants shared the data with third parties, and did not obtain written authorization from employees before collecting the data. On August 6, 2018, a similar lawsuit (Case No. 18-CH-09968) was filed by lead plaintiff, Latham Cacy, against her employer, AGCO Corp. The lawsuit alleged similar violations of the BIPA as were alleged in the Fallon White class action.
REQUIREMENTS OF THE ILLINOIS BIPA
The BIPA requlates the collection, use, safeguarding, handling, storage, retention, and destruction of biometrical identifiers and biometric information (biometric data), such as a retina or iris scan, fingerprint scan, voiceprint or scan of hand or face geometry. The BIPA applies to all entities except state or local government agencies, and courts or clerks of court. Once applicability is established, the BIPA imposes five requirements on private entities.
1) Written Policy
A private entity in possession of biometric data must develop a written policy establishing a retention schedule along with guidelines for permanently destroying that data when the initial purpose of collecting that data has been satisfied, or within three years of the individuals last interaction with the entity. This policy must be available to the public.
2) Informed Consent
A private entity may not obtain a person’s biometric data unless it informs the subject in writing that biometric data is being collected, informs the subject in writing the length of time that biometric data is being collected, stored or used, and receives a written release from the subject.
3) Prohibition on Profit
No private entity in possession of biometric data may sell, lease, trade, or otherwise profit from a person’s biometric data.
4) Prohibition on Disclosuret
No private entity in possession of biometric data may disclose, redisclose, or otherwise disseminate a person’s biometric data unless the subject consents to disclosure, the disclosure completes a financial transaction authorized by the subject, the disclosure is required by law, or the disclosure is required pursuant to a valid warrant or subpoena.
5) Protection of Data
A private entity in possession of biometric data must store, transmit, and protect from disclosure all biometric data using a reasonable standard of care, and in a manner that is the same or more protective than the manner in which the entity stores, transmits, and protects other confidential and sensitive data.
As we have already seen the BIPA provides a private right of action for violations of the statute. An entity found in violation of the statute may be liable for actual damages or liquidated damages of either $1,000 or $5,000, along with attorneys’ fees and costs.
BIPA is Fertile Ground for Litigation
The BIPA is currently a fertile ground for litigation. As the ability to collect and retain biometric data becomes more available, and is more regularly used by businesses to collect and retain biometric data about their customers and employees, it is probable that the amount of litigation in this area will increase. Despite this risk of litigation, businesses should not hesitate to collect and retain biometric data, but should simply work to understand and comply with the requirements of the BIPA.
You may like to read our previous blog on other BIPA related cases and court decisions in Illinois.
If you have questions regarding litigation or compliance under Illinois’ Biometric Information Privacy Act, or questions regarding privacy and data security generally, contact Tim Hayes at McKenna Storer.