Privacy has become a hot topic in recent years as technological advances have created new methods for collecting and storing personal information for identification purposes. While fingerprints, face, and voice recognition are convenient biometric methods to increase security, companies must insure that consumer and employee information is kept safe and that their privacy is not violated.
On October 3, 2008 the Illinois General Assembly became the first state to pass The Biometric Information Privacy Act (BIPA) to guard against uninhibited collection and storing of biometric data such as retinal scans, fingerprints, facial imaging, and voice recognition. Biometric data is completely unique to each individual and is often used by employers for security access, safety purposes, health and wellness plans, and for time management in place of traditional time cards or pin codes for their employees. Companies like Facebook, Apple, and PayPal often use fingerprint data for log-in recognition for consumers, as well.
While it may seem like the use of biometric identification is harmless, the actual risk of identity theft and fraud is high. Consider this: If your credit card is stolen, you can get a new credit card number, or if your email is hacked, you can switch your password. With biometrics, you can’t change your fingerprints, retinas, face, or voice, so where would that leave you in the event of a security breach? This is why BIPA is so important.
The Biometric Information Privacy Act (BIPA)
The Illinois Biometric Information Privacy Act was created to protect consumer and employee biometric data. According to BIPA, it is unlawful for a private Illinois business to “collect, capture, purchase, receive through trade, or otherwise obtain a person’s or a customer’s biometric identifiers or biometric information, unless it first:
- Informs the subject in writing that a biometric identifier or biometric information is being collected or stored;
- Informs the subject in writing of the specific purpose and the length of term for which a biometric identifier or biometric information is being collected, stored, and used; and
- Receives a written release executed by the subject of the biometric identifier or biometric information.”
BIPA also establishes standards on how a business may handle the biometric information or biometric identifiers in their possession. For example, a business is prohibited from disclosing biometric information without first obtaining consent for this disclosure.
Private companies and businesses in Illinois are forbidden from selling, leasing, trading, or profiting from a person’s biometric information and are also required to develop and comply with a written policy regarding the retention and destruction of biometric identifiers and biometric information once the initial purpose for collecting such information has been satisfied or within three years of an employee or customer last interacting with this business, whichever comes first. This policy must also be made available to the public.
It is important to note that BIPA applies only to private businesses. Governmental employees, including contractors, subcontractors, or agents of State agencies or local governmental units are excluded from the rules of BIPA while they are performing work on behalf of governmental units.
BIPA Right of Action
Section 740 ILCS 14/20 of BIPA details the right of action that consumers and employees have if their biometric information or biometric markers have been misused in some manner. According to BIPA, the injured party may be entitled to the following:
- $1000 liquidated damages or actual damages, whichever is greater, for each violation against the party who acted negligently by violating a provision of BIPA;
- $5000 liquidated damages or actual damages, whichever is greater, for each violation against the party who intentionally or recklessly violated a provision of BIPA;
- Reasonable lawyers’ fees and costs, including expert witness fees and litigation expenses;
- Other damages, including an injunction, that the courts deem appropriate.
In the workplace, a single violation could include each time an employee is required to use their fingerprint or retinal scan to clock in or out of work, potentially putting employers who use biometric data for security systems and time clocks in violation of the rights of hundreds of employees.
Recent Supreme Court Ruling
In early 2019, the Illinois Supreme Court dismissed a case that set out to challenge and limit part of BIPA. In Rosenbach v. Six Flags Entertainment Corporation et al., parents of a 14-year old boy alleged he was fingerprinted by Six Flags park without parental consent, a violation of BIPA. Six Flags, however, contested the case, claiming that they could not be held liable unless the plaintiff could demonstrate a tangible injury from the unauthorized biometric identifier collection.
The Supreme Court ruled, however, that “a person need not have sustained actual damage beyond violation of his or her rights under the Act”. The ruling also states that, “whatever expenses a business might incur to meet the law’s requirements are likely to be insignificant compared to the substantial and irreversible harm that could result if biometric identifiers and information are not properly safeguarded”.
Rosenbach v. Six Flags Entertainment Corporation et al. is not the only case involving biometric violations. Since January of 2019 there have been numerous lawsuits filed alleging violation of BIPA, and this is likely to continue as private businesses and employers continue to violate the laws protecting biometric information, biometric markers, and personal privacy.
