Just released: How to raise venture capital in 2023


Use of Biometric Information as a business tool: employers beware.

Jeff Hirsch
Jeff Hirsch

Head of Claims

The Illinois Biometric Information Privacy Act (BIPA) was enacted in 2008 and regulates how biometric information can be used, what companies that use or collect biometric information must do in order to legally use it, and restrictions on use. BIPA provides remedies to individuals whose biometric information has been misused. And, where there’s a remedy, lawsuits soon follow. 

Dormant for about 6 years, starting in 2015 a series of 5 class-action test cases were filed against businesses alleging wrongful collection and use of biometric data. Facebook was a defendant in 4 of the 5 class action suits. The first wave of lawsuits resulted in 7-figure settlements/verdicts (they involved large companies). But, employers, labor unions and commercial and residential property managers have been the targets of newer lawsuits as well. BIPA applies to employers, and smaller employers are also at greater risk as biometric information is put to wider use as time passes. 

In the employment context (and elsewhere), liability exists when an employer does not provide “informed consent” before it collects BI. The intended use has to satisfy a legitimate business purpose, and the use has to be as narrow as possible and only in furtherance of the legitimate business purpose (such as to track time records, for security ie access to premises, or in connection with other safety purposes). Of course, data collected from biometric information has commercial value, and individuals have the right to control how their data is used. 

The employer cannot “profit” from biometric data (can’t sell the data) – sometimes even when consent is obtained, and the act requires a compliance program. BIPA creates a private right of action with statutory damages of $1,000 per negligent violation; $5,000 for “willful” violations, plus plaintiffs’ attorneys’ fees.

What if your client says “but I’m not a large employer and I’m not in Illinois – do I need to be concerned?” Well, yes. 

(1) other states have passed similar laws (including Texas and Washington); 

(2) there’s proposed legislation in Arizona, Florida and Massachusetts; and 

(3) BIPA itself applies even if you’re not in Illinois if you collect BI from anyone who resides there. 

So, if a California company interviews people from Illinois for CA jobs, and part of the hiring process includes checking Facebook pages, it’s possible that you’re crossing the BIPA lines.  And, if your employer-sponsored health insurance includes collection of BI, a potential BIPA claim may be lurking…

California’s recent Consumer Privacy Act (CCPA) does not specifically apply to employers (it’s a consumer protection law) and the private right of action available to consumers under the CCPA does not (yet) extend to use of biometric information, but some form of biometric privacy law is expected.  The New York Biometric Privacy Act (which mirrors BIPA) has been introduced by its legislative sponsors three times, but has not been acted upon (yet).

What are “Best Practices” regarding biometric information for employers? Review contracts with service providers and, where any of them may be collecting BI of your employees, make sure your contract includes “indemnity and hold-harmless” provisions in your favor; only use biometric information for a legitimate purpose; store any BI you collect locally; set up an incident response in connection with employment and privacy counsel; review your employee handbook regarding use of confidential information.  

We can provide other resources for best practices (and this post should not be considered to be legal advice). We are looking out for similar laws in other states. But, just because you are not in Illinois does not mean that you are necessarily immune from claims involving mis-use of biometric information.

Additional reading …

More US States Propose Biometric Legislation 

The Coming Storm of Biometric Privacy Laws: What to Expect 

Illinois Biometric Information Privacy Act

Related Articles

What Is a BOR Letter
July 27 • Risk Management

What Is a BOR Letter or Broker of Record Letter?

What is a BOR letter? Can it help you manage your specialized insurance solutions? We have the answers — and they may surprise you!

Risk Management for Regulation Technology
July 20 • Risk Management

RegTech Insurance: Risk Management for Regulation Technology

Regtech insurance is specifically designed for regulation technology companies — but what risks do regtech companies face? Let’s discuss some prominent challenges and solutions for this sector.

How Uplisting Stocks Works
June 13 • Risk Management

How Uplisting Stocks Works: From OTC to Nasdaq or NYSE

Uplisting from OTC to Nasdaq or NYSE is a significant step for late-stage companies – but how does it all unfold? Let’s discuss uplisting in detail.

debt financing for startups
May 16 • Risk Management

Accessing Capital: Debt Financing for Startups

Debt financing for startups is often misunderstood, yet it can fund major milestones, like hiring sprees, equipment purchases, or facility upgrades. Let’s clear the air once and for all.

Manufacturing insurance
April 11 • Risk Management

Insurance Guide for Manufacturers

Manufacturing companies are vital to the global ecosystem, and yet they face unique risks. Here’s how to protect your business and stay in the supply chain long term.

Commercial Insurance Claims Trends
March 28 • Risk Management

Commercial Insurance Claims Trends

Commercial insurance claims trends frequently make news headlines. Many times, these breaking stories provide a sneak peek into the insurance industry and insight into your own risks.