Illinois’ groundbreaking Biometric Information Privacy Act, called BIPA, just got a lot tougher thanks to the Illinois Supreme Court. While the court’s specific decision involves a teen entering an amusement park, it has widespread implications for every company in the state collecting, storing and using biometric data about employees and contractors.
The 2008 BIPA law governs the collection and use of fingerprints and hand scans, eye or face scans, and voice print data. Any business collecting this data has to inform the individual that they’re collecting it, indicate why it is being collected, how it will be used and stored, whether it will be shared, and when the information will be destroyed. A company also must develop a written, publicly available retention schedule, and obtain written releases from individuals prior to collecting or sharing biometric information.
BIPA allows individuals to file a lawsuit if they’ve been “aggrieved” by a BIPA violation, although the statute is vague on defining what constitutes “aggrieved.” Legislators opted to let courts decide what is meant by the term. Defendants have argued that a plaintiff must suffer an actual loss such as having their information leaked or stolen, and that technical violations of the law don’t entitle somebody to file an action.
This was the issue considered by the state’s high court. Its unanimous decision that even a technical violation of BIPA constitutes harm is rippling through Illinois.
Over the past decade, a growing number of companies have been employing biometric data for everything from controlling access to offices and plants and running police background checks on prospective employees to timekeeping.
While an office or factory worker may know that their handprint is being used so they can get into the building, relatively few businesses have bothered to do more than say “It’s so you can come to work and get paid” when recording the handprint.
Until just recently, this was considered a “technical violation” according to lower court decisions. But since the state Supreme Court ruled that there is no such thing as a technical violation, businesses need to bring their policies in line with the interpretation.
“Technology permits the wholesale collection and storage of an individual’s unique biometric identifiers that cannot be changed if compromised or misused,” the decision reads. A lawsuit is the only enforcement action spelled out in the statute, so, the court says, lawmakers in Springfield intended for suits filed by individuals to have substantial force.
As a result, any business operating in Illinois that collects biometric information from employees or contractors needs to reexamine its practices, especially how such data is collected, used and shared, and bring its policy in line with the law.
As a data security and privacy attorney, it strikes me that at a practical level, complying with BIPA should not be that difficult.
To mitigate the risk of being hit with a BIPA complaint, companies need to ensure they meet its requirements, including those about telling employees what the company is doing, and why. Employees should be required to sign a simple consent form that explains in everyday English how and why the data is being collected, how it will be stored and for how long.
In any future lawsuits involving BIPA, courts are likely to look closely at the idea of informed consent and whether the employer – or any other entity collecting this sort of information – was proactive in complying with the law’s provisions.
A viable defense may be that the proper consent was obtained from somebody before their biometric data was collected. This is especially crucial for employers using biometric information from employees and contractors for timekeeping and payroll purposes.
But a cautionary note: BIPA does not include an express statute of limitations. Even if a company moves quickly now to comply with the law, it may still be liable for its non-compliance in the past.
If you have any questions about BIPA, the recent state Supreme Court ruling, and what your business needs to do to ensure it is complying, feel free to call me.