Use of Biometric Information as a business tool: employers beware.

Generic placeholder image
Jeff Hirsch

Head of Claims

The Illinois Biometric Information Privacy Act (BIPA) was enacted in 2008 and regulates how biometric information can be used, what companies that use or collect biometric information must do in order to legally use it, and restrictions on use. BIPA provides remedies to individuals whose biometric information has been misused. And, where there’s a remedy, lawsuits soon follow. 

Dormant for about 6 years, starting in 2015 a series of 5 class-action test cases were filed against businesses alleging wrongful collection and use of biometric data. Facebook was a defendant in 4 of the 5 class action suits. The first wave of lawsuits resulted in 7-figure settlements/verdicts (they involved large companies). But, employers, labor unions and commercial and residential property managers have been the targets of newer lawsuits as well. BIPA applies to employers, and smaller employers are also at greater risk as biometric information is put to wider use as time passes. 

In the employment context (and elsewhere), liability exists when an employer does not provide “informed consent” before it collects BI. The intended use has to satisfy a legitimate business purpose, and the use has to be as narrow as possible and only in furtherance of the legitimate business purpose (such as to track time records, for security ie access to premises, or in connection with other safety purposes). Of course, data collected from biometric information has commercial value, and individuals have the right to control how their data is used. 

The employer cannot “profit” from biometric data (can’t sell the data) – sometimes even when consent is obtained, and the act requires a compliance program. BIPA creates a private right of action with statutory damages of $1,000 per negligent violation; $5,000 for “willful” violations, plus plaintiffs’ attorneys’ fees.

What if your client says “but I’m not a large employer and I’m not in Illinois – do I need to be concerned?” Well, yes. 

(1) other states have passed similar laws (including Texas and Washington); 

(2) there’s proposed legislation in Arizona, Florida and Massachusetts; and 

(3) BIPA itself applies even if you’re not in Illinois if you collect BI from anyone who resides there. 

So, if a California company interviews people from Illinois for CA jobs, and part of the hiring process includes checking Facebook pages, it’s possible that you’re crossing the BIPA lines.  And, if your employer-sponsored health insurance includes collection of BI, a potential BIPA claim may be lurking…

California’s recent Consumer Privacy Act (CCPA) does not specifically apply to employers (it’s a consumer protection law) and the private right of action available to consumers under the CCPA does not (yet) extend to use of biometric information, but some form of biometric privacy law is expected.  The New York Biometric Privacy Act (which mirrors BIPA) has been introduced by its legislative sponsors three times, but has not been acted upon (yet).

What are “Best Practices” regarding biometric information for employers? Review contracts with service providers and, where any of them may be collecting BI of your employees, make sure your contract includes “indemnity and hold-harmless” provisions in your favor; only use biometric information for a legitimate purpose; store any BI you collect locally; set up an incident response in connection with employment and privacy counsel; review your employee handbook regarding use of confidential information.  

We can provide other resources for best practices (and this post should not be considered to be legal advice). We are looking out for similar laws in other states. But, just because you are not in Illinois does not mean that you are necessarily immune from claims involving mis-use of biometric information.

Additional reading …

More US States Propose Biometric Legislation 

The Coming Storm of Biometric Privacy Laws: What to Expect 

Illinois Biometric Information Privacy Act

Related Articles

August 2 • Insurance Pro TipsMedia Liability

Why Personal Insurance Isn’t Enough for Content Creators

Content creators often team with brands for powerful influencer marketing strategies — but who protects the creators? We have the answers you need.

October 26 • Directors & OfficersInsurance Pro Tips

What’s the Role of a Commercial Insurance Broker?

A commercial insurance broker plays a vital role in finding the best coverage for your company—but what exactly is that role? Let’s discuss.

July 21 • Insurance Pro Tips

How to Build a Team Made for Rapid Growth

Late-stage companies must build a team for rapid growth — but how? Let’s review some of the benefits and requirements to rally a team.

insurance broker RFP
June 22 • Insurance Pro Tips

Insurance Broker RFP Guide: Questions To Ask & Mistakes to Avoid

Is it time for a new broker? How does an insurance broker RFP work? What are the pitfalls? Here are the answers late-stage companies need to make this work.

accomplished unicorns success tips
May 4 • Insurance Pro Tips

7 Success Tips From Accomplished Unicorns

Accomplished unicorns have secrets of success, but they’re likely not what you think. Consider these tips from high-growth companies.

leave your peo
April 27 • Employee Health & BenefitsInsurance Pro Tips

Time to Leave Your PEO? How to Transition Smoothly

Mid-market and late-stage companies often outgrow their PEOs. If you’ve thought about saying goodbye to yours, here are a few factors to consider first.