advertisement

Biometrics now a high-risk proposition in Illinois

Imagine running an online business that allows customers to try on eyeglasses virtually, and then getting hit with a class-action lawsuit alleging your company unlawfully used customers' facial data during the virtual try-on process.

This recently happened to a California company, and it didn't matter that the customers themselves initiated the try-on process.

While this lawsuit was dismissed, many similar lawsuits are making their way through Illinois' courts right now under the Biometric Information Privacy Act (BIPA), which regulates the collection and storage of biometric data in Illinois.

Under the law, "biometric" data includes fingerprints, voiceprints, retinal scans, or scans of facial geometry (often referred to as "facial recognition" software), such as that used by the eyeglass company.

Last year, the Illinois Supreme Court enhanced the protections afforded to employees and customers in Illinois who provide biometric information, whether or not the company accessing the data is based in Illinois or elsewhere. The court eliminated the need to demonstrate that employees or customers were harmed by the use of their biometric information, such as through identity theft, in order to bring a claim under BIPA. They merely must show that their biometric information was scanned or collected without written permission.

The penalties for violations are stiff, which is why BIPA cases are growing in frequency. Today, businesses can be fined up to $5,000 per violation. For a company that uses fingerprint technology to have employees clock in and out, plaintiffs argue that each finger print scan is considered a violation.

Because damages increase over time and with the number of affected employees, and because the Illinois courts have not yet determined the applicable statute of limitations for BIPA claims, it is not uncommon for plaintiffs' attorneys to demand millions of dollars in a single lawsuit.

The impact of this risk on businesses cannot be overstated. Biometrics now are a key method for tracking the whereabouts of employees, from time clocks that rely on fingerprint scans, to secure entrances that open only through retinal imaging. Thousands of websites also use facial recognition software to depict consumers wearing or using products from hats and jewelry to prescription eyewear. Most of these cases are settled because defending BIPA litigation is so expensive.

Thankfully, the remedy is simple. Prior to collecting or capturing any biometric information from any individual, a private entity must take the following steps:

1. Inform the subject in writing that biometric information is being collected or stored;

2. Inform the subject in writing of the purpose and length of time for which biometric information will be retained; and

3. Obtain a written release from the subject authorizing the collection. Companies must also identify any third parties to whom biometric information will be disseminated or disclosed.

Although the BIPA statute was initially applauded as the first attempt by any state to prohibit the unlawful acquisition and retention of biometric information, the past decade saw relatively little enforcement of the penalties available under BIPA. Debates raged over the degree of injury that was necessary for an individual to be considered aggrieved, and thus entitled to recovery under the statute. These requirements went away with the recent Illinois Supreme Court ruling that provides enhanced protections to employees and customers in Illinois who provide biometric information.

Today, companies that require fingerprints for clocking in and out of work are a target. They are considered low hanging fruit by plaintiffs' attorneys. Any Illinois businesses that collect biometrics in any form should assess their compliance with this little-known statute before they too become a target.

Brian Weinthal is a partner at Burke, Warren, MacKay & Serritella Contact him at BWeinthal@BurkeLaw.com

Article Comments
Guidelines: Keep it civil and on topic; no profanity, vulgarity, slurs or personal attacks. People who harass others or joke about tragedies will be blocked. If a comment violates these standards or our terms of service, click the "flag" link in the lower-right corner of the comment box. To find our more, read our FAQ.