My youngest has developed an affinity for action movies, particularly those that involve spies and other secret operatives. That’s fine with me because it’s given me adequate cover to rewatch the 007 and Mission: Impossible movies.
Viewing them again recently and in relatively short succession, I realized there was a trend of removing eyeballs to get past some level of security that required retinal scans. Fingerprints were often needed, as well, and Ryan or Bond or Hunt or one of those guys seems to have thankfully figured out that you don’t need to actually cut off someone’s finger to get those.
Outside of Hollywood, employers have used biometrics to limit access to sensitive information and secure areas for a number of years. As costs of implementing the technology decreased and the technology became more accessible, companies began using biometrics for day-to-day purposes such as point-of-sale credit card verification and timekeeping.
It’s easy to understand the attraction: A consumer who chose to connect his or her credit card to a thumbprint could feel assured that someone else couldn’t use the card if it were lost or stolen. An employer could prevent time theft due to coworkers’ clocking in for friends running late for work. Devices outfitted with facial recognition technology could be rendered unusable by someone who doesn’t look like the owner. The uniqueness of a fingerprint, a retinal scan, or a voice print made it almost impossible to assail as a security measure (unless, of course, you had Q or Benji Dunn on your team).
This was exactly the concern of the Illinois Legislature when it enacted the Illinois Biometric Information Privacy Act (BIPA). Shortly before the bill that would become the BIPA was introduced, the entity that owned and administered the state’s largest fingerprint scan system commenced bankruptcy proceedings, and the BIPA was a reaction to the prospect of the company’s (or similar entities’) selling its databases containing fingerprint scans and other biometric information. Indeed, the legislative findings included in the BIPA’s text note that “[b]iometrics … are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft.”
Illinois lawmakers weren’t messing around, and to make certain that entities collecting citizens’ biometric data place adequate emphasis on protecting biometrics, the BIPA:
- Mandates that any private entity that collects or possesses biometric data (including, for example, fingerprint scans or numeric codes created based on the scans) develop and maintain a publicly available policy that addresses retention and destruction of the data;
- Places limitations on entities’ transmission, disclosure, and dissemination of biometrics;
- Requires such entities to obtain informed consent, in writing, from any individual whose biometrics they collect or possess; and
- Imposes liquidated damages in the amount of $1000 for each negligent violation, and $5000 for each reckless or intentional violation.
If you have been lying low in your off-grid hideout for the past few years, you may not be aware of the action and plot twists in the BIPA tale, but between mid-2017 and the end of 2021, close to 1,000 lawsuits were filed in Illinois claiming violations of the BIPA. Parties to many of those lawsuits are currently awaiting cliffhanger-like decisions from the Illinois Supreme Court regarding the scope of BIPA claims. And while Illinois’s BIPA currently reigns as the most stringent biometric protection law in the United States, as of this writing, 10 other states have laws in place that provide some or all of the same protections for personal data, including biometric data, as the BIPA.
In addition to current laws, 24 states and the federal government are considering legislation that provides some level of protection for personal data. While some of the pending bills seem to have stalled, it appears that before long, evading coverage under laws protecting biometric data collected by an employer may become an impossible mission. It’s a nail-biter, to be sure, that has many employers on the edge of their seats.
If your organization collects biometric data from your workforce for timekeeping or other purposes and you have employees in Illinois, you’re likely well aware of the BIPA’s requirements and the perils associated with noncompliance. Even those whose operations do not currently touch Illinois should monitor the status of any pending legislation in states where they collect biometric data from employees, independent contractors, or others.
And as the law continues to develop, all employers should consider talking with counsel about updating policies and procedures to address the collection, handling, and retention of biometric data and ensure employees are aware of those policies.
Good luck. This message will self-destruct in 5 … 4 … 3 … 2 …
Becky L. Kalas is a Partner at FordHarrison.