A recent surge of class action lawsuits is challenging employers' use of fingerprint timekeeping systems. In the past two months, at least 32 class action lawsuits have been filed in Illinois alleging noncompliance with the Illinois Biometric Information Privacy Act (BIPA). The suits target many industries, including restaurants, hospitality, logistics and building management companies.

The use of biometric data and related information has become increasingly prevalent among employers trying to solidify pay practices and maximize inventory control or facility security. BIPA regulates biometric information and creates a private right of action for violations. BIPA defines a "biometric identifier" as "a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry." BIPA excludes writing samples, written signatures, photographs, demographic data and physical descriptions. 740 ILCS 14/10. Biometric information includes "any information, regardless of how it is captured, converted, stored, or shared, based on an individual's biometric identifier used to identify an individual." Id. BIPA also sets forth requirements for gathering, storing and destroying biometric information. Resale or retransmission to third parties without individual consent or compelled legal process is prohibited.

Most important, BIPA places specific requirements on employers, many of whom are just learning that BIPA may apply to their timekeeping practices. In practical terms, what does this mean? Illinois private employers may not collect, capture, purchase or obtain biometric data without first providing notice and obtaining an individualized, written release. Employers must disclose the specific purpose and length of time for which the biometric information or identifier is being collected, stored and used.

The surge in BIPA litigation likely results from employers' increased use of fingerprint scan technology, and the fact that BIPA is the only existing biometric privacy statute that creates a private right of action against employers for damages and attorneys' fees. Under BIPA, any person "aggrieved" by a violation may seek liquidated damages of $1,000 or actual damages for each negligent violation; liquidated damages of $5,000 or actual damages for each intentional or reckless violation; reasonable attorneys' fees and costs; and injunctive relief. 740 ILCS 14/20. BIPA claims can be brought in state court or as supplemental claims in federal court. However, the law is untested and in flux, and whether "liquidated damages" are available for alleged procedural violations of BIPA remains a hotly contested issue.

Illinois is not the only state to regulate biometric information in the consumer or employment context. Texas and Washington have also enacted consumer-facing legislation concerning biometric identifiers, but these statutes do not create a private right of action. The Texas statute does reference collection of biometrics "for security purposes" by an employer.[1] Other states currently have biometric-related legislation pending, with Alaska, Idaho and New Hampshire proposing private rights of action similar to Illinois law.[2] Moreover, state laws can be nuanced; New York's Labor Code (Sec. 201-a) prohibits companies from requiring employees to be fingerprinted as a condition of securing or continuing employment.

Employers should also consider potential accommodation requirements. The Equal Employment Opportunity Commission recently prevailed in litigation against an employer that implemented a biometric hand-scanner system to better monitor the attendance and work hours of its employees. In EEOC v. Consol. Energy, Inc., 860 F.3d 131 (4th Cir. 2017), an employee raised religious objections to the use of the hand-scanner, and the employer denied an alternative keypad procedure. The court upheld a damages award and injunction against the employer for failing to accommodate the worker's religious beliefs. Likewise, reasonable accommodation requests may surface due to alleged injuries or disabilities.

The Bottom Line

  • Identify any collection, use, retention, disclosure and destruction of biometric identifiers or information in your business. If biometric compliance obligations are not currently implicated, consider the pros and cons of such obligations on the front end before utilizing biometric identifiers.
  • As applicable, develop and implement policies and procedures on how to handle the collection, use, retention, disclosure and destruction of biometric data that comply with all laws. Review vendor and third-party agreements as well. Policies and procedures should address the following:
    • Notice and consent to collect, retain and use biometric information.
    • How such biometric data will be returned and/or destroyed.
    • The administrative, physical and technical safeguards protecting the biometric information from unauthorized use or dissemination.
    • What privacy concerns are impacted and what obligations are triggered by a data breach involving such information.
  • Stay up to date on developments in the field so you can be confident in your compliance under the current state of the law.

Footnotes

[1] Tex. Bus. & Com. Code Ann. §503.001; Washington House Bill 1493.

[2] See, e.g., Alaska, H.B. 72, 30th Leg., Reg. Sess. (Alaska 2017); Idaho, H.B. 511, 62nd Leg., 2nd Reg. Sess. (Idaho 2014); New Hampshire, H.B. 523, 2017 N.H. H.R., Reg. Session (N.H. 2017).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.