Just released: How to raise venture capital in 2023


Use of Biometric Information as a business tool: employers beware.


Key Takeaways

Jeff Hirsch
Jeff Hirsch

Head of Claims

The Illinois Biometric Information Privacy Act (BIPA) was enacted in 2008 and regulates how biometric information can be used, what companies that use or collect biometric information must do in order to legally use it, and restrictions on use. BIPA provides remedies to individuals whose biometric information has been misused. And, where there’s a remedy, lawsuits soon follow. 

Dormant for about 6 years, starting in 2015 a series of 5 class-action test cases were filed against businesses alleging wrongful collection and use of biometric data. Facebook was a defendant in 4 of the 5 class action suits. The first wave of lawsuits resulted in 7-figure settlements/verdicts (they involved large companies). But, employers, labor unions and commercial and residential property managers have been the targets of newer lawsuits as well. BIPA applies to employers, and smaller employers are also at greater risk as biometric information is put to wider use as time passes. 

In the employment context (and elsewhere), liability exists when an employer does not provide “informed consent” before it collects BI. The intended use has to satisfy a legitimate business purpose, and the use has to be as narrow as possible and only in furtherance of the legitimate business purpose (such as to track time records, for security ie access to premises, or in connection with other safety purposes). Of course, data collected from biometric information has commercial value, and individuals have the right to control how their data is used. 

The employer cannot “profit” from biometric data (can’t sell the data) – sometimes even when consent is obtained, and the act requires a compliance program. BIPA creates a private right of action with statutory damages of $1,000 per negligent violation; $5,000 for “willful” violations, plus plaintiffs’ attorneys’ fees.

What if your client says “but I’m not a large employer and I’m not in Illinois – do I need to be concerned?” Well, yes. 

(1) other states have passed similar laws (including Texas and Washington); 

(2) there’s proposed legislation in Arizona, Florida and Massachusetts; and 

(3) BIPA itself applies even if you’re not in Illinois if you collect BI from anyone who resides there. 

So, if a California company interviews people from Illinois for CA jobs, and part of the hiring process includes checking Facebook pages, it’s possible that you’re crossing the BIPA lines.  And, if your employer-sponsored health insurance includes collection of BI, a potential BIPA claim may be lurking…

California’s recent Consumer Privacy Act (CCPA) does not specifically apply to employers (it’s a consumer protection law) and the private right of action available to consumers under the CCPA does not (yet) extend to use of biometric information, but some form of biometric privacy law is expected.  The New York Biometric Privacy Act (which mirrors BIPA) has been introduced by its legislative sponsors three times, but has not been acted upon (yet).

What are “Best Practices” regarding biometric information for employers? Review contracts with service providers and, where any of them may be collecting BI of your employees, make sure your contract includes “indemnity and hold-harmless” provisions in your favor; only use biometric information for a legitimate purpose; store any BI you collect locally; set up an incident response in connection with employment and privacy counsel; review your employee handbook regarding use of confidential information.  

We can provide other resources for best practices (and this post should not be considered to be legal advice). We are looking out for similar laws in other states. But, just because you are not in Illinois does not mean that you are necessarily immune from claims involving mis-use of biometric information.

Additional reading …

More US States Propose Biometric Legislation 

The Coming Storm of Biometric Privacy Laws: What to Expect 

Illinois Biometric Information Privacy Act

Related Articles

fintech rules and regulations
April 11 • Risk Management

Fintech Rules: Regulations Finance Leaders Need to Know

Master the fintech rulebook! This post breaks down essential regulations finance leaders must understand to ensure their business operates compliantly in the ever-evolving fintech landscape.

fintech legal risks
February 29 • Risk Management

7 Legal Issues Every Fintech Should Avoid (and How to Diffuse Them!)

With the emergence of new and disruptive technologies, it’s no surprise that fintech legal risks abound for this innovative industry. Let’s break down these threats and provide solutions that will keep pace with the market.

leverage business insurance
February 27 • Risk Management

How to Leverage Your Business Insurance — 5 Tips

When was the last time you considered how to leverage your business insurance? It’s more than a safety net. In fact, this approach can give you a unique edge. Here’s how.

saas cyberattacks
December 11 • Risk Management

How SaaS Companies Can Avoid New Cyberattacks in 2024

Avoiding SaaS cyberattacks means teaming innovative technologies (like AI) with traditional risk management (like education) to stay ahead of the curve. We can show you how.

Legal Risks for SaaS Companies
December 5 • Risk Management

Top 5 Legal Risks for SaaS Companies in 2024

SaaS companies are on the forefront of innovation but face legal risks that leaders must understand. Here are SaaS risks to watch in 2024.

What Is a BOR Letter
July 27 • Risk Management

What Is a BOR Letter or Broker of Record Letter?

What is a BOR letter? Can it help you manage your specialized insurance solutions? We have the answers — and they may surprise you!