In a prior blog post, we advised employers about a once little-known Illinois law, the Biometric Information Privacy Act (BIPA). The BIPA imposes numerous restrictions on how private entities collect, retain, disclose, and destroy biometric identifiers such as fingerprints, voiceprints, retina or iris scans, and scans of hand or face geometry. Businesses most often collect this information from employees, but advances in technology have caused a recent increase in the collection of consumers’ biometric information.
Following years of litigation, on January 25, 2019, the Illinois Supreme Court ruled in Rosenbach v. Six Flags Entertainment Corporation that an individual can bring a lawsuit for a violation of the BIPA without showing that actual harm resulted from the violation. In other words, a business may be held liable for violating the BIPA simply for collecting biometric information if it does not strictly follow the BIPA guidelines, regardless of whether a person was actually damaged.
As a result of this ruling, expect a dramatic increase in the number of lawsuits under the BIPA. In fact, less than a week after the Supreme Court’s decision in Rosenbach, class action lawsuits alleging violations of the BIPA were filed on behalf of current and former employees of Little Caesars Pizza, ABT Electronics, Choice Hotels and Warehouse Services Inc. It is now more important than ever to proactively limit your liability when collecting biometric information. To avoid liability for collecting biometric information, you must either (1) not collect such information or (2) develop a publicly available written policy in compliance with the BIPA.
Under the BIPA, your policy must establish:
- A retention schedule for storing biometric information; and
- Guidelines for permanently destroying biometric information when the initial purpose for collecting it has been satisfied, or within 3 years of the individual’s last interaction with the company.
You must also:
- Inform the individual in writing that the information is being collected, the purpose for collection, and the length of storage;
- Obtain a written release from the individual for the collection and storage of the information;
- Store and transmit all biometric information with the same or better security than used for confidential company information; and
- Not disclose, sell, lease, trade, or otherwise profit from biometric information unless the individual consents or disclosure is required by law.