Cybersecurity and Privacy Law Trending Now: Businesses with Illinois Employees and/or Customers Face Wave of Class Action Lawsuits Resulting from Collection of Biometric Information

09.14.21

Using employee and/or customer biometric information can have severe consequences if not done correctly. If your business is collecting or using employee or customer fingerprints, iris scans, voiceprints, facial recognition markers (e.g., hand or face geometry) or other biometric information, there are strict legal requirements that must be followed. Recently, businesses with Illinois employees and/or customers have encountered a tsunami of class action lawsuits based on this collection of biometric data, which is a trend not likely to slow down in the near future.

Common Uses of Biometrics
Biometric information has found its way into a number of different uses for business, such as payroll timekeeping, company provided electronics (i.e., cell phones and computers), and as a method of providing physical access (e.g., fingerprint-controlled locks or facial recognition software). While we are seeing this arise often in the employment context, this is not only an issue for employers. Any non-governmental entity collecting or using biometric information in Illinois must comply with the Illinois Biometric Information Privacy Act, 740 ILCS 14/1, et. seq. (“BIPA”).

What the Act Requires
BIPA sets forth the specific requirements for collecting and storing biometric information. Before collecting this information, businesses are required to develop a plan for the storage of biometric information that includes provisions governing the duration of storage and deletion policies. Businesses are also required to provide a copy of the policy and obtain written consent prior to obtaining biometric information. BIPA provides further requirements regarding the collection, storage and use of biometric information.

Why It Matters
Failure to comply with BIPA carries substantial liability beginning at $1,000 per violation ($5,000 for intentional or reckless violations), plus injunctive relief. The liability accrues each time an individual uses the biometric interface (e.g., the fingerprint timeclock). This has resulted in employee class action lawsuits seeking hundreds of thousands (or even millions) of dollars against even small employers.

What Businesses Need to Do

• Develop a plan and written policy for the collection, use and disposal of biometric information.

• Obtain informed written consent from each person whose biometric information is collected.

• Review any agreements you have with suppliers of any devices, or vendors, using biometric data.

• Contact the company’s insurance broker to determine if there is coverage for these types of claims, which are often excluded from standard policies.

• If your business is subject to BIPA and is unable to comply with the act’s requirements, the company must stop collecting and using protected biometric information immediately.

If you would like assistance in understanding the requirements for using biometric information in your business, the privacy/cybersecurity training programs available to you or assistance in providing training to your business and/or workforce on privacy/cybersecurity, please contact the authors listed below or the Aronberg Goldgehn attorney with whom you work.

The above material is intended for general information and promotional purposes, and should not be relied on or construed as professional advice. Under the Illinois Rules of Professional Conduct, the above information may be considered advertising material. The transmission of this information is not intended to create, and receipt of it does not create, a lawyer-client relationship.