Biometric Data and Privacy
Most people don’t know, but Illinois was the first state to address a business’s collection of biometric data. The Biometric Information Privacy Act (“BIPA”) was enacted in 2008 and sets forth certain requirements that must be followed in collecting this type of data.
First, what is “biometric data?” Broadly, it is a measurement of a person’s unique physical characteristics, such as fingerprints, palmprints, voiceprints, or facial, retinal or iris geometry. These markers are then used as unique identifiers.
BIPA specifies that “biometrics are unlike other unique identifiers that are used to access finances or other sensitive information. For example, social security numbers, when compromised, can be changed. Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.”
The Act provides: “No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information, unless it first:
(1) informs the subject or the subject's legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored;
(2) informs the subject or the subject's legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and
(3) receives a written release executed by the subject of the biometric identifier or biometric information or the subject's legally authorized representative.”
BIPA provides for liquidated damages of $1,000 or actual damages, whichever is greater, if an entity negligently violates the Act; $5,000 or actual damages, whichever is greater, if an entity intentionally or recklessly violates the Act; attorneys' fees and costs; and other relief deemed appropriate by the court.
The Act didn’t attract much attention until a class action was filed against Facebook under it. Plaintiffs claimed that Facebook violated the Act by using its face-matching software to suggest names to be "tagged" in a picture. Facebook settled the lawsuit for $650 million, and Illinois Facebook users who joined the suit received around $340 each. According to the Chicago Tribune, US District Judge James Donato said: "This is real money that Facebook is paying to compensate them for the tangible privacy harms that they suffered."
Since then, there has been a flood of additional litigation. Of particular significance are two recent Illinois Supreme Court decisions. The first held that BIPA claims are subject to a five-year statute of limitations, so violations dating back as far as five years are fair game for plaintiffs.
The second case held that a separate cause of action accrues each time an entity scans or transmits an individual’s biometric identifier. So, if your employer scans you multiple times a day, the numbers really add up. In that case, White Castle required its employees to scan their fingerprints to access their pay stubs and computers, and a third-party vendor verified each scan to authorize the access. White Castle, however, never obtained the consent BIPA requires from its employees. In this 4-3 decision, the majority noted that damages could exceed $17 billion, which caught the attention of many employers.
The Supreme Court did throw businesses a bone by holding that courts do have discretion in awarding damages and do not automatically have to award the statutory maximum. In fact, the majority opinion stated that while there is "no language in the Act suggesting legislative intent to authorize a damages award that would result in the financial destruction of a business", it is up to the Legislature to "review these policy concerns about potentially excessive damage awards" and "make clear its intent."
Unless and until the legislature takes up the Supreme Court’s invitation, any entity that uses biometric data should adopt some “best practices.” Those practices would include:
1. Reviewing all technology to determine if biometric data is being captured;
2. Reviewing insurance policies to determine if there is coverage for a violation;
3. Updating employee handbooks;
4. Implementing a process for obtaining consent every time biometric data is collected; and
5. Making sure that consent is documented and saved.
Regarding those consents, BIPA requires that they be in writing and that they state "(1) the fact that a biometric identifier or biometric information is being collected or stored, and (2) the specific purpose and length of term for which it is being collected, stored, and used." Retention is permitted only until "the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within three years of the individual's last interaction with the private entity, whichever occurs first." Finally, the written retention schedule and destruction guidelines must be made available to the public.
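To make the consent and retention rules above concrete, here is an added example (not part of the original post, and not anyone's production code) of an audit over a hypothetical consent ledger. It assumes a record layout of our own invention: when the written release was signed, when the stated purpose ended, when the subject last interacted with the entity, and the dates on which the identifier was captured or verified. It flags every capture made before a release existed, since each scan is treated as a separate accrual, and computes the destruction deadline as the earlier of "purpose satisfied" and "three years after the last interaction". The sample records are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class BiometricRecord:
    """One enrolled subject. Field names are assumptions for this example."""
    subject_id: str
    release_signed: Optional[date]     # date the written release was executed; None = never obtained
    purpose_satisfied: Optional[date]  # date the stated purpose ended (e.g. employment ended); None = ongoing
    last_interaction: date             # most recent interaction with the private entity
    scans: list = field(default_factory=list)  # dates the identifier was captured or verified


def add_years(d: date, years: int) -> date:
    """Calendar arithmetic; 29 Feb rolls back to 28 Feb when the target year is not a leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def destruction_deadline(rec: BiometricRecord) -> date:
    """Earlier of: purpose satisfied, or three years after the last interaction."""
    by_interaction = add_years(rec.last_interaction, 3)
    if rec.purpose_satisfied is None:
        return by_interaction
    return min(rec.purpose_satisfied, by_interaction)


def unconsented_scans(rec: BiometricRecord) -> list:
    """Every capture that happened before a written release was on file (each one a separate accrual)."""
    return [s for s in rec.scans if rec.release_signed is None or s < rec.release_signed]


def audit(records, today: date) -> dict:
    """Return subjects whose data is overdue for destruction and per-subject counts of unconsented scans."""
    overdue = sorted(r.subject_id for r in records if destruction_deadline(r) <= today)
    unconsented = {r.subject_id: len(unconsented_scans(r))
                   for r in records if unconsented_scans(r)}
    return {"overdue_destruction": overdue, "unconsented_scan_counts": unconsented}


# Constructed sample ledger (not real people or real events).
SAMPLE_RECORDS = [
    # Release obtained, but one scan was taken the day before it was signed.
    BiometricRecord("alice", date(2021, 1, 5), None, date(2021, 6, 1),
                    [date(2021, 1, 4), date(2021, 2, 1)]),
    # No release ever obtained; purpose ended before the three-year mark.
    BiometricRecord("bob", None, date(2023, 3, 1), date(2023, 3, 1),
                    [date(2022, 1, 1), date(2022, 1, 2), date(2022, 1, 3)]),
    # Fully consented; last interaction on a leap day exercises the date rollover.
    BiometricRecord("carol", date(2022, 1, 1), None, date(2024, 2, 29),
                    [date(2022, 5, 1)]),
]


def run_sample(today: date = date(2024, 7, 1)) -> dict:
    return audit(SAMPLE_RECORDS, today)


if __name__ == "__main__":
    print(run_sample())
```

Run as a script it reports alice and bob as overdue for destruction (alice's three-year window from June 2021 closed in June 2024; bob's purpose ended in March 2023) and counts one unconsented scan for alice and three for bob; carol's deadline lands on 28 February 2027. A real ledger would also record the purpose and term stated in each release, since the written notice must include them.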
Given that recent settlements in a handful of Illinois cases have ranged from $34 million to $100 million, anyone who uses biometric data (or has a third party collect it on their behalf) would be wise to undergo a thorough review of those practices.