By William J. Tarnow and Sonya Rosenberg
Neal, Gerber & Eisenberg, LLP
Citing the fact that “major national corporations have selected the City of Chicago and other locations in the state as pilot testing sites for new applications of biometric-facilitated financial transactions,” in 2008 the Illinois legislature passed the Illinois Biometric Information Privacy Act (BIPA) to implement stringent safeguards. This decision was based on the premise that “an overwhelming majority of members of the public are weary of the use of biometrics” and “the full ramification of biometrics technology are not known.” (740 ILCS 14/5). While barely noticed for years after its passage, BIPA recently has received increased local and national attention.
Locally, multiple class-action lawsuits have been filed alleging violations of BIPA. Recently, one of these lawsuits, Sukura, et al. v. L.A. Tan Enterprises (Circuit Court of Cook County, Case No. 2015-CH-16694) resulted in a $1.5 million settlement, in a case where a class of customers claimed the tanning salon failed to properly obtain their consent or provide statutorily-required information about the use of fingerprint scanning technology to identify the customers. At the national level, Texas and, most recently, Washington have enacted laws to regulate collection, use and retention of biometric information. A number of other states, including Connecticut, New Hampshire, Massachusetts and Alaska, currently have similar legislation in the works.
BIPA, like similar laws and pending legislation in other states, requires that businesses develop statutorily-compliant policies and practices relating to the collection, retention and destruction of protected biometric information, and obtain express consent from their employees and/or customers. Notably, Illinois’ BIPA is the first and most far-reaching statute relating to biometrics. BIPA not only covers biometric “identifiers,” i.e., raw biometric data such as a retina scan or a fingerprint, but also biometric “information,” such as encrypted mathematical representations of the identifiers.
Many employers incorrectly assume they are not subject to BIPA because their technology (for example, a sophisticated biometric time clock that scans the fingerprints of employees clocking in and out of shifts) encrypts and thus protects raw biometric identifiers. That simply is not the case in Illinois. And the penalties can be severe for employers who get it wrong. BIPA provides for a private right of action, and allows for the recovery of liquidated damages or actual damages, as well as attorneys’ fees and costs, for each and every violation. One can easily see how, in a class action context, damages can quickly mount to a bet-the-company scenario.
Fortunately, compliance and best practices with respect to BIPA are relatively easy to implement and to maintain. A proper written policy and acknowledgment of consent may be crafted to fit on a single page, while containing the necessary elements: notice of collection and of its purpose; confirmation of appropriate storage, of limited, permitted use and of a compliant destruction protocol; and the individuals’ express acknowledgment and consent. Employers who collect or use any biometric identifiers or information – and those who do not know if they do – should promptly check with their employment counsel to ensure compliance.
This month’s Legal Update is sponsored by Neal, Gerber & Eisenberg LLP, a Chicago-based law firm providing legal business solutions in connection with domestic and global corporate transactions and litigation.