Violations of the Illinois Biometric Information Privacy Act (BIPA), results in lawsuits

Chicago IL Jan 12 2018 A wave of class action lawsuits has been filed alleging violations of the Illinois Biometric Information Privacy Act (BIPA), a statute aimed at regulating how companies use information based on “biometric identifiers” such as fingerprints and retina scans. Violating BIPA can be costly, so employers operating within Illinois should review their business practices to determine whether they are using “biometric information” and plan accordingly.

Although many of the early lawsuits filed under BIPA targeted technology companies for their use of facial recognition software, recent litigation has focused on employers that use fingerprint-scanning technology to allow employees to clock in and clock out. BIPA regulates a private entity’s ability to collect, store and disclose biometric information. The statute defines biometric information as that based on individual identifiers such as fingerprints, retina scans or voiceprints. As the statute explains, these cannot be changed, unlike other unique identifiers such as Social Security numbers.

Citing the public’s concern with the use of biometrics for business transactions and the “heightened risk of identity theft” biometric information entails, the Illinois legislature sought to protect individual privacy and encourage private entities to bolster information security by passing BIPA in 2008. The statute flew under the radar until the first surge of class action lawsuits in 2015. These private actions picked up steam in the latter half of 2017, with dozens of new class action suits filed since July. And it’s easy to see why the plaintiffs’ bar has taken notice: The penalties associated with BIPA range from $1,000 to $5,000 per violation and include attorneys’ fees.

Fortunately for employers, compliance with BIPA is fairly straightforward. At minimum, entities that use biometric information must:

Adopt a written policy with a retention schedule and guidelines for permanently destroying the information, and make this policy available to the public.

Obtain informed, written consent from any employee whose biometric information is obtained.

Read More