The Illinois Biometric Information Privacy Act (BIPA) was enacted in 2008 and regulates how biometric information can be used, what companies that use or collect biometric information must do in order to legally use it, and restrictions on use. BIPA provides remedies to individuals whose biometric information has been misused. And, where there’s a remedy, lawsuits soon follow.
Dormant for about 6 years, starting in 2015 a series of 5 class-action test cases were filed against businesses alleging wrongful collection and use of biometric data. Facebook was a defendant in 4 of the 5 class action suits. The first wave of lawsuits resulted in 7-figure settlements/verdicts (they involved large companies). But, employers, labor unions and commercial and residential property managers have been the targets of newer lawsuits as well. BIPA applies to employers, and smaller employers are also at greater risk as biometric information is put to wider use as time passes.
In the employment context (and elsewhere), liability exists when an employer does not provide “informed consent” before it collects BI. The intended use has to satisfy a legitimate business purpose, and the use has to be as narrow as possible and only in furtherance of the legitimate business purpose (such as to track time records, for security ie access to premises, or in connection with other safety purposes). Of course, data collected from biometric information has commercial value, and individuals have the right to control how their data is used.
The employer cannot “profit” from biometric data (can’t sell the data) – sometimes even when consent is obtained, and the act requires a compliance program. BIPA creates a private right of action with statutory damages of $1,000 per negligent violation; $5,000 for “willful” violations, plus plaintiffs’ attorneys’ fees.
What if your client says “but I’m not a large employer and I’m not in Illinois – do I need to be concerned?” Well, yes.
(1) other states have passed similar laws (including Texas and Washington);
(2) there’s proposed legislation in Arizona, Florida and Massachusetts; and
(3) BIPA itself applies even if you’re not in Illinois if you collect BI from anyone who resides there.
So, if a California company interviews people from Illinois for CA jobs, and part of the hiring process includes checking Facebook pages, it’s possible that you’re crossing the BIPA lines. And, if your employer-sponsored health insurance includes collection of BI, a potential BIPA claim may be lurking…
California’s recent Consumer Privacy Act (CCPA) does not specifically apply to employers (it’s a consumer protection law) and the private right of action available to consumers under the CCPA does not (yet) extend to use of biometric information, but some form of biometric privacy law is expected. The New York Biometric Privacy Act (which mirrors BIPA) has been introduced by its legislative sponsors three times, but has not been acted upon (yet).
What are “Best Practices” regarding biometric information for employers? Review contracts with service providers and, where any of them may be collecting BI of your employees, make sure your contract includes “indemnity and hold-harmless” provisions in your favor; only use biometric information for a legitimate purpose; store any BI you collect locally; set up an incident response in connection with employment and privacy counsel; review your employee handbook regarding use of confidential information.
We can provide other resources for best practices (and this post should not be considered to be legal advice). We are looking out for similar laws in other states. But, just because you are not in Illinois does not mean that you are necessarily immune from claims involving mis-use of biometric information.
Additional reading …