Biometric Information Privacy Act Update

In an attempt to increase productivity and efficiency, businesses are increasingly using biometric data to identify employees, customers and other individuals. One common example is employers using biometric data to identify their employees and track work hours for purposes of compensation. Biometric information includes fingerprints, retina scans, facial scans, hand scans, or other identifiers that are biologically unique to a particular person. While convenient, and seemingly more secure, such biometric identification methods raise serious privacy concerns. The Illinois Biometric Information Privacy Act, 740 ILCS 14, et seq. (“BIPA”), imposes many requirements concerning the collection, use, storage and destruction of biometric information. Businesses, including employers, must comply with these requirements or risk potential liability.

Under BIPA, before an Illinois business collects, stores, or uses biometric identifiers, it must develop a written policy and make the policy available to the public. The policy must include a retention schedule describing how long such data will be stored, and provide guidelines for destruction of the same when the reason for the original collection of such data no longer exists, such as when an employee leaves or terminates employment. Additionally, businesses must describe and adhere to a destruction schedule for biometric information that they are no longer using. If no schedule is provided, then BIPA requires that a business destroy such information within three years of the individual’s last interaction with the business.

In addition to the required written policy, Illinois businesses must obtain consent and a written release from an individual prior to collecting biometric information. Illinois law is currently the strictest of any state regarding the collection, retention, storage, and use of biometric information. Before biometric information from an individual may be collected, all Illinois private entities and larger entities that do business in Illinois must (1) inform the individual in writing that a biometric identifier is being collected or stored, (2) inform the individual in writing of the specific purpose and length of time for which the biometric identifier is being collected, stored, and used, and (3) receive a written release executed by the individual assenting to the collection, storage, and use of a biometric identifier. Absent a court order or law enforcement directive, such businesses may not share biometric information without express consent from the individual.

Illinois businesses that utilize biometric identifiers but do not comply with BIPA may face harsh penalties and civil litigation. BIPA provides that individuals may bring an action against a business that negligently or intentionally violates a provision of BIPA.  If the claim is negligence, the business may be liable for damages up to $1,000 per violation and if the claim is an intentional violation of BIPA, the business may be liable for damages up to $5,000 per violation.  Damages in either category may be higher if actual damages exceed these amounts.  An aggrieved party may also receive attorneys’ fees and costs, an injunction, and other relief.

Privacy-related claims have recently been on the rise as a result of BIPA. Since mid-2017, over 100 cases have been filed in Illinois alleging violations of BIPA. Typically, such cases are class action lawsuits by employees claiming violations of BIPA as it relates to employee time clock technology that uses an employee’s fingerprint as a means of identification. Such cases often allege that the employer did not abide by the notice and consent requirements.

However, the Northern District of Illinois recently dismissed a case against Google because, while the notice and consent parameters of BIPA technically were not followed, Plaintiffs were not able to establish any concrete evidence of harm, other than feeling that their privacy rights were violated. Rivera, et al. v. Google, Inc., No. 16-02714 (N.D. Ill. Dec. 29, 2018). In the Google case, Plaintiffs alleged that Google unlawfully collected, stored and exploited their face-geometry scans via Google Photos, its cloud-based service that utilizes such technology to group photos together and provide the user a means of storing photos by person. The Court dismissed the case on summary judgment, stating that there was no evidence of harm because there was no evidence that Google provided the photos or face-geometry scans to anyone besides the Google Photos user. The Court discussed whether Plaintiffs suffered an identifiable injury because Google created their face templates without their knowledge or permission. Users did not know that Google would scan the faces of those persons in photos they uploaded to Google Photos. As such, Plaintiffs argued that their privacy rights were violated by being deprived of the choice to not have the photos scanned, categorized and automatically uploaded to Google Photos.

After distinguishing many of the prior cases involving biometric data as different because the data was then commercially exploited, the Court dismissed the case for lack of standing, stating that it was insufficient that the record only demonstrated future, potential use of Google’s facial recognition technology. Absent any evidence that Google currently employs such practices, or would do so in the future, and taking into account that the user elected to use the Google Photos app knowing that his photos would be uploaded, the Court determined that the evidence of harm was too tenuous to allow Plaintiffs’ claims to move forward.

While the recent Google decision highlights the potential for a successful defense in privacy and cybersecurity cases, businesses must continue to mitigate the risks of using biometric data collected from fingerprints, retinal scans and facial recognition.

If you have any questions regarding employment issues, please contact any of our lawyers in our employment law practice at Levin Ginsburg at 312-368-0100.