The Illinois Biometric Information Privacy Act (BIPA)
What Workers Must Be Told and Do Before Their Fingerprints or Faces Are Used
The Illinois Biometric Information Privacy Act (BIPA) protects workers who are required to use devices such as biometric time clocks to punch-in / punch-out and record their time worked. While the law does not prohibit employers in Illinois from using such devices, it does require them to follow certain rules and procedures aimed at protecting employees’ sensitive information – including providing information to workers and obtaining a written release from them, before their fingerprints or other biometric data are used.
A number of employers that require employees to scan their fingerprints into biometric time clocks have already been sued for violations of this new Illinois privacy law. As the massive data breaches at Equifax, Capital One, Marriott and Yahoo, to name a few, have shown, bad guys are out to get your most sensitive and important information, so every time it is collected, recorded and/or transferred, there is an increased risk. Increasingly aware of this risk, concerned employees are asking, “Can my employer use fingerprint, eye or face scanner time clocks?”
KEY POINTS THAT WORKERS NEED TO KNOW ABOUT THE ILLINOIS BIOMETRIC INFORMATION PRIVACY LAW:
- Almost all employees of private companies are protected.
- Private employers in Illinois must comply with BIPA.
- Governmental employers are not covered by BIPA. Contractors, subcontractors or agents are also not covered while doing work on behalf of state or local governmental units.
- All types of scans or data captures are covered by the law, including, but not limited to:
  - Fingerprint scanners
  - Hand or face scanners
  - Eye (retina / iris) scanners
- Before obtaining or transferring biometric identifiers or biometric information on employees, employers must inform workers in writing:
  - That their information is being collected and stored
  - How long and for what purpose their information is being collected, stored and used
- Employers must get a written release and consent from each employee before obtaining or transferring biometric information
- Employees can recover damages of $1,000 – $5,000 (or actual damages if more) per violation, plus attorneys’ fees and costs to bring a claim.
By enacting the Biometric Information Privacy Act, the Illinois legislature recognized that biologically unique identifiers, like fingerprints, can never be changed when they are stolen and end up in the hands of bad actors, subjecting a victim of identity theft to an even greater risk. As a result, Illinois restricted private employers from collecting, storing, using, or transferring a person’s biometric identifiers and information without adhering to strict informed-consent procedures established by the Biometric Information Privacy Act.
WHAT ARE THE REQUIREMENTS OF THE BIOMETRIC INFORMATION PRIVACY ACT?
Lawmakers in Illinois recognized that the ramifications of biometric technology are not yet fully known and passed the Biometric Information Privacy Act in order to place “regulations on the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.”
The BIPA prohibits a private employer from capturing or collecting biometric identifiers or information from an individual unless it first obtains the individual’s written consent or employment-related release authorizing the capture or collection of an individual’s biometric identifiers and/or biometric information.
The Privacy Act also prohibits capturing or collecting biometric identifiers or information from an individual unless they have first been informed, in writing, of the following:
1) That the private entity is collecting or storing biometric identifiers or information,
2) The purpose of such collection, and
3) The length of time the private entity will retain the biometric identifiers or information.
In addition, the Biometric Information Privacy Act prohibits a private entity from possessing biometric identifiers or information unless it first creates a written policy, made available to the public, establishing a retention schedule and destruction guidelines for its possession of biometric identifiers and information.
Finally, the Illinois Biometric Privacy Act prohibits a private entity from disclosing or otherwise disseminating biometric identifiers or information without first obtaining an individual’s consent for that disclosure or dissemination, unless the disclosure or dissemination was (a) in furtherance of an authorized financial transaction, (b) authorized by law, or (c) pursuant to a valid warrant or subpoena.
WHAT CAN EMPLOYEES DO IF THEIR PRIVACY RIGHTS ARE VIOLATED?
If an employer in Illinois fails to comply with BIPA, employees (individually or as a class action) have the right to hire a lawyer to sue to enforce their privacy rights. Lawyers who handle Illinois privacy act claims commonly do so on a contingent fee basis because the act provides for the recovery of attorneys’ fees. If the employer negligently violated BIPA, the employee can recover liquidated damages of $1,000 for each violation or actual damages, whichever is greater. If the violation is reckless or intentional, an employee can obtain liquidated damages of $5,000 for each violation or actual damages, whichever is greater. In addition, the employer can be required to pay the attorneys’ fees, costs, and other litigation expenses incurred by the workers.
It is important to note that the Illinois Supreme Court unanimously ruled that employees are not required to prove actual harm or injury in order to pursue a claim under BIPA – if they can show that their privacy rights were violated, they can collect the statutory penalties provided by the law.
BIOMETRIC PRIVACY RIGHTS ARE NOT LIMITED TO EMPLOYEES
The privacy protections provided under Illinois law extend to individuals and their interactions with private companies that collect and store customers’ biometric data. Consumers whose rights are violated can recover $1,000 – $5,000 for each violation or actual damages, whichever is greater, plus attorney’s fees and costs.
The largest such case to date was filed as a class action against Facebook by users who alleged the company violated the BIPA when it collected and stored their biometric data, without prior notice or consent, as part of the “Tag Suggestions” function, which identifies users through scanning uploaded photographs. The class action case was recently settled for $550 million; however, it is still subject to approval by the federal court judge overseeing the case.
Update on the Facebook biometric data lawsuit settlement. The judge overseeing the case refused to approve the settlement as originally presented. As of August 2020, the parties submitted an enhanced settlement that is $100 million more than Facebook had offered previously and did receive preliminary approval for the now $650 million proposed settlement.
THE REASONS BEHIND THE ILLINOIS BIOMETRIC INFORMATION PRIVACY ACT
The following are the findings of the General Assembly and its intent in passing this law:
(a) The use of biometrics is growing in the business and security screening sectors and appears to promise streamlined financial transactions and security screenings.
(b) Major national corporations have selected the City of Chicago and other locations in this State as pilot testing sites for new applications of biometric-facilitated financial transactions, including finger-scan technologies at grocery stores, gas stations, and school cafeterias.
(c) Biometrics are unlike other unique identifiers that are used to access finances or other sensitive information. For example, social security numbers, when compromised, can be changed. Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.
(d) An overwhelming majority of members of the public are weary of the use of biometrics when such information is tied to finances and other personal information.
(e) Despite limited State law regulating the collection, use, safeguarding, and storage of biometrics, many members of the public are deterred from partaking in biometric identifier-facilitated transactions.
(f) The full ramifications of biometric technology are not fully known.
(g) The public welfare, security, and safety will be served by regulating the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.
What Do I Do If My Privacy Rights under Illinois BIPA Have Been Violated?
If you have been required to use a finger-scan or other similar biometric scanner in the state of Illinois without first being informed and giving your written consent, contact us for more information about your rights and a free and confidential review of your specific situation by lawyers who handle privacy act violations under Illinois law.