If you are an employer that uses biometric data, including eye scans, fingerprints, voiceprints, or scans of hand or face geometry, you may need to update your policies and procedures to comply with the Biometric Information Privacy Act, 740 ILCS 14/1, et seq. (“BIPA”). While other states like Washington and Texas have followed, Illinois was the first state, passing BIPA in 2008. Illinois is still the only state that allows a private cause of action for violation of BIPA, which is why there has been a multitude of new class action BIPA cases filed in Illinois by rather voracious plaintiffs’ firms. While the original intent of BIPA was to address entities that did security screening and financial transactions, it has since expanded to other areas such as social media use (both Google and Facebook have been sued in Illinois for their face recognition or ‘tagging’ technology) and a more recent target: employers that have biometric data of their employees.
If you are an employer in Illinois and do not have policies and procedures in effect that comply with BIPA, as set forth below, the penalties for violating BIPA can be significant. The penalty is $1,000 or actual damages (whichever is more) per violation (i.e. per fingerprint), or $5,000 or actual damages (again, whichever is more) per violation if the violation is intentional or reckless conduct, plus attorneys’ costs and fees, which is why the plaintiffs’ bar is eager to file these class actions.
Illinois employers that collect biometric data must do the following:
- Create a written policy. The policy needs to establish a retention schedule and guidelines for permanently destroying the biometric data. The data should be destroyed when the initial purpose for collecting the data has been satisfied or within 3 years of the individual’s last interaction with the private entity, whichever occurs first. As a best practice for employers, you should include this policy in your Employee Handbook.
- Get an Acknowledgment and Release. BIPA requires the entity collecting the data to inform the person in writing that their biometric identifier or biometric information is being collected or stored, and to advise them of the specific purpose and length of term for which the data is being collected, stored, and used. This should also contain an acknowledgment to release this information to the private entity. As a best practice, have the employee sign off on a separate acknowledgment and release at the time the data is collected and keep a copy in the employee file. Make sure there is a procedure in place to destroy the information as stated in the policy.
- Refrain from selling, leasing, trading, or otherwise profiting from the data. Once you have the data, you cannot sell, lease, trade, or otherwise profit from a person’s biometric information. You also cannot disclose, redisclose, or otherwise disseminate the information unless the employee consents to the disclosure, a financial transaction is requested or authorized by the person (for those involved in financial institutions), or it is required by state, federal or municipal law.
- Store the data like you would other confidential information. Finally, the information must be stored using the reasonable standard of care within the industry, and it must be stored and transmitted the same way as other confidential and sensitive information. As a best practice, employers should store the data as they would confidential information such as employee social security numbers.
With the plaintiffs’ bar showing increased interest in BIPA class actions, including an apparent uptick this summer, Illinois employers who use employee biometric information, or who are considering implementing procedures that require collecting and using biometric information, should review their policies and practices and ensure that they have an appropriate written policy in place.
Contact an O’Hagan Meyer attorney if you have any questions about these policies and procedures or would like help drafting these policies.
By Jamie Filipovic