Does your Company Obtain Fingerprints of Employees or Customers?
In 2008, Illinois passed the Biometric Information Privacy Act, arguably the most stringent law of its type in the United States. The Act governs private entities’ use of “biometric identifiers,” which include a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Although the Act has been in place for several years, it has recently garnered new attention after several class action lawsuits were filed earlier this year alleging violations of the Act.
The Act’s Requirements
Under the Act, it is illegal for a private entity to obtain a person’s biometric information unless the entity: (1) informs the person in writing that such information is being collected or stored; (2) discloses the purpose and length of term for which the information is being collected, used, and stored; and (3) receives a written release from the person to collect, use or store the information.
Once a private entity is in possession of an individual’s biometric information, it must comply with the Act’s requirements regarding the disclosure of such information. First, the entity may not sell or profit from a person’s biometric information. Second, the entity may not disclose an individual’s biometric information unless: (1) the individual consents to the disclosure; (2) the individual has authorized a financial transaction, the completion of which requires the disclosure; or (3) the disclosure is required by law or pursuant to a valid warrant or subpoena.
The Act also requires entities in possession of biometric information to develop a written policy setting forth a retention schedule and guidelines for destroying biometric information, which may be stored for no longer than 3 years. During the retention period, the entity must protect the biometric information in the same manner it would protect other forms of confidential information.
Litigation Related to Biometric Information
The Illinois Act is considered the strongest in the nation because it allows private parties to bring a lawsuit and provides generous damages for any person harmed by a violation of the Act — $1,000 or actual damages for negligent violations and $5,000 or actual damages for intentional or reckless violations. In both cases, individuals may also recover their attorneys’ fees and costs.
In 2017 alone, more than 30 putative class action lawsuits have been filed in Illinois against a wide variety of companies, including airlines, hotels, healthcare companies, and restaurants, alleging violations of the Act. The most common allegation in these lawsuits is that an employer has used its employees’ fingerprints for timekeeping purposes without complying with the Act’s requirements.
Businesses and employers should be cognizant of whether they are using or storing data that would be considered a “biometric identifier” under the Act. If they are, they should closely follow the steps above with respect to obtaining biometric information, disclosing such information, and developing and implementing a written policy related to biometric information. For more information on how to bring your company into compliance with the Biometric Information Privacy Act, please contact Elizabeth Pall at 312/840-7099 or email@example.com or Victoria Collado at 312/840-7048 or firstname.lastname@example.org.