Employees are suing their employers for using their biometric data (e.g. handprint, fingerprint, voiceprint and/or facial recognition) for common and routine business operations. Meijer employees recently filed a class action against the grocery chain operator. The employees allege: (a) Meijer improperly forced them to scan their fingerprints into a company database in order to track their hours worked, i.e. using fingerprints in place of timecards; (b) Meijer failed to keep their biometric data safe and secure; and (c) Meijer’s storage and use of the data exposed them to serious and irreversible privacy risks. The employees seek damages into the tens of millions of dollars. Meijer is not alone. There are at least 25 similar class action lawsuits pending in Illinois.
Illinois has one of the most stringent statutes regulating the use of biometric data, the Biometric Information Privacy Act (“BIPA”). BIPA’s intended purpose is to protect against identity theft. It places restrictions on the collection, storage and use of biometric information. If successful, plaintiffs can recover liquidated damages of $1,000 per violation or actual damages, whichever is greater, along with attorneys’ fees, expert witness fees and other litigation expenses. The liquidated damages amount increases to $5,000 per violation if the violation is intentional or reckless.
Under BIPA, before a business may “collect, capture, purchase, receive through trade, or otherwise obtain” a person’s biometric data, it must:
- inform the individual or the individual’s legally authorized representative in writing: (a) that a biometric identifier or biometric information is being collected or stored; and (b) of the specific purpose and length of term for which such identifier or information is being collected, stored, and used; and
- receive a written release executed by such individual or representative.
BIPA defines “written release” to mean “informed consent or, in the context of employment, a release executed by an employee as a condition of employment.” The meaning of “condition of employment,” which is not defined in BIPA, is currently being litigated.
BIPA also requires businesses to enact policies and guidelines regarding the receipt, storage and use of biometric data before it is obtained. Businesses must protect and store biometric data to at least the same extent they protect their other confidential and sensitive business information. Businesses must permanently destroy the biometric data when the purpose for collecting or obtaining the data has been satisfied, or within three years of the respective person’s last interaction with the entity collecting it, whichever comes first.
Best practices for a business utilizing biometric data include:
- confirming why and to what extent the business will use biometric data, and then making sure it only collects that data and nothing else;
- establishing and adhering to a comprehensive plan for seeking permission to obtain biometric data, accessing it, storing it and protecting it; and
- creating an action plan in the event biometric data is compromised, stolen or hacked. For example, Illinois law requires notification to the proper authorities in the event of a breach of “personal information,” including biometric data.
Information contained in this news alert is not and should not be construed as legal advice or opinion. The attorneys at Gozdecki, Del Giudice, Americus, Farkas & Brocato LLP are prepared to assist you with any questions you might have regarding BIPA, and to assist you in reviewing and/or modifying your company’s policies affected by BIPA.