Biometrics have become part of our everyday lives, and the collection of biometric data is on the rise. Biometric data refers to unique, measurable human biological or behavioral characteristics that can be used for identification. Biometric identifiers include fingerprints, voiceprints, retina or iris scans, and scans of hand or face geometry.
Companies are gradually incorporating biometric identifiers into their everyday practices with their employees and consumer transactions. This has the potential to make authentication dramatically faster, easier and more secure than traditional passwords, but companies need to be careful about the biometric data they collect.
In many states, biometric data is considered protected information, just like your name or social security number. Biometric data, like a retinal scan or a fingerprint, is also considered protected information under certain data protection statutes.
In 2008, Illinois became the first state to regulate the collection of biometric data by passing the Biometric Information Privacy Act, or BIPA. The Illinois Legislature implemented this act to protect individual privacy after public concerns about heightened risks of identity theft became associated with biometric information. BIPA stands as the strongest biometric privacy law in the U.S.
BIPA imposes several requirements on companies in Illinois when it comes to biometrics. Employers must obtain written consent from individuals if they intend to collect or disclose any employee’s personal biometric identifiers, they must destroy biometric identifiers in a timely manner, and they must securely store biometric identifiers. Additionally, employers may not disclose biometric information except in limited circumstances. Employers may not sell, lease, trade or otherwise profit from any individual’s biometric information.
This statute flew under the radar until recently, when Facebook agreed to a $550 million settlement of a class-action lawsuit. Facebook was accused of violating the rights of millions of Illinois users by accumulating their biometric data without permission. Many more class-action lawsuits have surfaced, taking aim at smaller employers in Illinois. That is understandable when the penalties associated with BIPA range from $1,000 to $5,000 per violation. It should be noted that BIPA is also the only law that allows private individuals to file a lawsuit stemming from a biometric violation.
As biometric technology advances, so do the lawsuits. According to the Cook County Record, the parent companies of Mariano’s supermarkets and the Intercontinental Hotel Group have both been hit with class-action lawsuits in Illinois regarding employees’ biometric data. They’re not alone, though. Several lawsuits have surfaced in state court involving NorthShore University Health System and L.A. Tan Enterprises, Inc. Additionally, federal courts have seen similar lawsuits against Facebook, Shutterfly, Google, and Six Flags.
Biometric privacy issues are likely to continue growing as more and more companies begin to implement biometric technology.
As this is a newer law, firms that can claim real experience with these cases are few and far between. We know which lawyers have had success with these cases. If you would like a recommendation or just have questions, please call us at 312-346-5320.