The growing ubiquity of technology has not only led to important efficiencies in law enforcement but is now also an integral part of business security systems. These security systems rely, in part, on biometric technology to authenticate authorized users, or employees, before granting them access to company facilities, computer networks and protected business information. If you have ever found yourself asking Apple’s Siri for driving directions, using your fingerprint to unlock your smart phone, or adding a Snapchat filter to a photo, then you have interfaced with biometric technology. Biometric technology captures, records, and stores the private physiological information of its users, such as finger and voice prints, and facial patterns.
The increased use of biometric data in the workplace has not only raised significant privacy concerns for employers, but has also sparked a flurry of class action litigation across Illinois.
The Illinois Biometric Information Privacy Act.
In 2008, the Illinois General Assembly passed the Biometric Information Privacy Act (“BIPA”). The statute is codified at 740 ILCS 14/1, and a copy can be found here.
BIPA prohibits private entities from collecting and storing “biometric identifiers” without prior notification and written consent. BIPA defines “biometric identifiers” as a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. The Act’s provisions apply to any biometric information regardless of how it is captured, converted, stored or shared.
Within the employment context, preconditions to an employer’s collection of biometric information include: (1) making the employer’s biometric data retention policy publicly available; (2) notifying job applicants, employees and independent contractors, in writing, as to what biometric information will be collected, how the information will be stored and for how long, how the employer intends to use the biometric information, and how the information will be destroyed; (3) refraining from selling biometric information to third parties; and (4) handling the collected biometric information with reasonable care.
BIPA provides independent contractors, job applicants and employees with a private cause of action against any employer that violates its provisions. The Act provides for penalty of $1,000 or actual cost (whichever is greater) per “negligent” violation of the Act, and the greater of $5000 or actual damages for “intentional” or “reckless” misuse of biometric data. In addition, a prevailing plaintiff is entitled to reasonable attorney’s fees and costs.
Illinois is one of the few states in the country to enact legislation specifically targeting biometric information and this legislation has proved to be a hurdle to the operations of business juggernauts such as Facebook, Inc., Hyatt Corporation and Bob Evans. Facebook’s lawsuit involves the company’s use of facial recognition technology to analyze photos uploaded by users and measure facial patterns represented in the photos. The application uses this analysis to recognize unique facial biometric identifiers in newly uploaded pictures to recommend photo tags. In seeking statutory damages, the plaintiffs in this lawsuit claim that Facebook violated BIPA by analyzing, collecting and storing facial pattern information without first obtaining the plaintiffs’ written consent.
Hyatt Corporation’s and Bob Evan’s class action lawsuits involve the collection and storage of employee fingerprint data. The class of plaintiffs in each of these lawsuits claim that the companies failed to obtain written consent prior to collecting fingerprint data and failed to disclose how such information would be stored, used and destroyed.
These cases demonstrate the caution employers must use in collecting and using biometric data in the workplace.
Tips for Employers.
Recent BIPA litigation has focused primarily on companies’ failure to: (1) obtain the consent from employees and/or users prior to collecting biometric information, (2) provide a written policy or disclosure detailing how collected biometric data will be stored and used, and (3) identify the biometric data disposal process to be used at the conclusion of the employer-employee or technology user relationship. Accordingly, below are three key precautions employers should take to prevent potential litigation:
- Ensure compliance with the BIPA by reviewing and updating all employer policies, notifications and disclosures regarding the collection, use, storage and disposal of the biometric information of job applicants, independent contractors and employees.
- Obtain a signed release from all job applicants, independent contractors and employees, prior to hiring them, notifying them of the employer’s collection, storage, use and disposal of biometric identifiers, the reason for such use, and the duration of use.
- Ensure independent contractors, such as security firms and staffing agencies, comply with BIPA regulations in their collection, access, storage and disposal of biometric information on behalf of the employer. Obtain written assurances from these contractors acknowledging that they will employ the minimum required safeguards to collect, access, retain and dispose of biometric information and that they maintain an effective and up-to-date response plan for potential data breaches.
- Establish a company-wide plan for collecting, accessing and storing biometric information.
- Establish limits on who can access biometric information and maintain an up-to-date data breach contingency plan.
- Retain biometric information only so long as needed.
Laura Platt is a member of the Daley Mohan Groble Labor and Employment Practice Group. Daley Mohan Groble helps businesses navigate the increasingly complex workplace regulations that impact employer/employee relationships. DMG is proud to represent clients in defense of employment related claims under employment legislation such as Title VII, ADA, ADEA, FMLA, FLSA and FRSA, the defense of Whistleblower claims, employment and executive compensation agreements, and internal investigations into workplace harassment, discrimination, and retaliation.
©2017 Daley Mohan Groble, P.C. This Update is provided for informational purposes only. It is not intended as legal advice nor does it create an attorney/client relationship between Daley Mohan Groble and any readers or recipients. Readers should consult counsel of their own choosing to discuss how these matters relate to their individual circumstances.