Is Your Business BIPA Compliant?
In order to increase productivity and efficiency, businesses are increasingly using biometric data to identify employees, customers and other individuals. For example, some employers use biometric data to identify their employees and track work hours for purposes of compensation. Biometric information includes fingerprints, retina scans, facial scans, hand scans, or other identifiers that are biologically unique to a particular person. While convenient, and seemingly secure, such biometric identification methods raise serious privacy concerns. The Illinois Biometric Information Privacy Act, 740 ILCS 14, et seq. (“BIPA”), imposes many requirements concerning the collection, use, storage, and destruction of biometric information with which businesses, including employers, must comply, or risk liability.
Under BIPA, before an Illinois business collects, stores, or uses biometric identifiers, it must develop a written policy and make the policy available to the public. The policy must include a retention schedule describing how long such data will be stored, and provide guidelines for its destruction when the reason for the original collection of the data no longer exists, such as when an employee resigns. Additionally, Illinois businesses must describe and adhere to a destruction schedule for biometric information that they are no longer using. If no schedule is provided, then BIPA requires that a business destroy such information within three years of the individual’s last interaction with the business.
In addition to the required written policy, Illinois businesses must obtain consent and a written release from an individual prior to collecting biometric information. BIPA is currently one of the strictest state statutes regarding the collection, retention, storage and use of biometric information. Before biometric information may be collected, all Illinois private entities must (1) inform the individual in writing that a biometric identifier is being collected or stored, (2) inform the individual in writing of the specific purpose and length of time for which the biometric identifier is being collected, stored and used, and (3) receive a written release executed by the individual assenting to the collection, storage and use of a biometric identifier. Absent a court order or law enforcement directive, businesses may not share biometric information without express consent from the individual.
Illinois businesses that utilize biometric identifiers but do not comply with BIPA may face severe consequences. BIPA provides that individuals may bring an action against a business that negligently or intentionally violates a provision of BIPA. If the claim is for negligence, the business may be liable for damages up to $1,000 per violation, and if the claim is for an intentional violation of BIPA, the business may be liable for damages up to $5,000 per violation. Damages in either category may be higher if actual damages exceed these numbers. An aggrieved party may also receive attorneys’ fees and costs, an injunction, and other relief.
Privacy-related claims have recently been on the rise as a result of BIPA. Since mid-2017, over 25 lawsuits have been filed in Illinois alleging violations of BIPA. The majority of the cases are class action lawsuits by employees claiming violations of BIPA relating to employee time clock technology that uses an employee’s fingerprint as a means of identification. Only time will tell whether employers will spend the additional resources necessary to comply with BIPA, or choose to avoid the use of biometric identifiers and information altogether.
For more information regarding BIPA compliance and other privacy issues, please contact Levin Ginsburg at (312) 368-0100.