
Use of Biometric Information as a business tool: employers beware.


Jeff Hirsch

Head of Claims

The Illinois Biometric Information Privacy Act (BIPA) was enacted in 2008 and regulates how biometric information can be used, what companies that use or collect biometric information must do in order to legally use it, and restrictions on use. BIPA provides remedies to individuals whose biometric information has been misused. And, where there’s a remedy, lawsuits soon follow. 

BIPA lay dormant for about 6 years; then, starting in 2015, a series of 5 class-action test cases were filed against businesses alleging wrongful collection and use of biometric data. Facebook was a defendant in 4 of the 5 class-action suits. The first wave of lawsuits resulted in 7-figure settlements/verdicts (they involved large companies). But employers, labor unions, and commercial and residential property managers have been the targets of newer lawsuits as well. BIPA applies to employers, and smaller employers are also at greater risk as biometric information is put to wider use over time.

In the employment context (and elsewhere), liability exists when an employer does not obtain “informed consent” before it collects biometric information (BI). The intended use has to satisfy a legitimate business purpose, and the use has to be as narrow as possible and only in furtherance of that purpose (such as to track time records, for security, i.e., access to premises, or in connection with other safety purposes). Of course, data collected from biometric information has commercial value, and individuals have the right to control how their data is used.

The employer cannot “profit” from biometric data (can’t sell the data) – sometimes even when consent is obtained, and the act requires a compliance program. BIPA creates a private right of action with statutory damages of $1,000 per negligent violation; $5,000 for “willful” violations, plus plaintiffs’ attorneys’ fees.

What if your client says “but I’m not a large employer and I’m not in Illinois – do I need to be concerned?” Well, yes. 

(1) other states have passed similar laws (including Texas and Washington); 

(2) there’s proposed legislation in Arizona, Florida and Massachusetts; and 

(3) BIPA itself applies even if you’re not in Illinois if you collect BI from anyone who resides there. 

So, if a California company interviews people from Illinois for CA jobs, and part of the hiring process includes checking Facebook pages, it’s possible that you’re crossing the BIPA lines.  And, if your employer-sponsored health insurance includes collection of BI, a potential BIPA claim may be lurking…

California’s recent Consumer Privacy Act (CCPA) does not specifically apply to employers (it’s a consumer protection law) and the private right of action available to consumers under the CCPA does not (yet) extend to use of biometric information, but some form of biometric privacy law is expected.  The New York Biometric Privacy Act (which mirrors BIPA) has been introduced by its legislative sponsors three times, but has not been acted upon (yet).

What are “Best Practices” regarding biometric information for employers? Review contracts with service providers and, where any of them may be collecting BI of your employees, make sure your contract includes “indemnity and hold-harmless” provisions in your favor; only use biometric information for a legitimate purpose; store any BI you collect locally; set up an incident response in connection with employment and privacy counsel; review your employee handbook regarding use of confidential information.  

We can provide other resources for best practices (and this post should not be considered to be legal advice). We are looking out for similar laws in other states. But just because you are not in Illinois does not mean that you are necessarily immune from claims involving misuse of biometric information.

Additional reading …

More US States Propose Biometric Legislation 

The Coming Storm of Biometric Privacy Laws: What to Expect 

Illinois Biometric Information Privacy Act

 
