A once little-known law, the Illinois Biometric Information Privacy Act (“BIPA”), is now the subject of class actions by employees alleging that employers have misused their biometric information. This client update should help employers avoid unknowing violations of the BIPA and the significant risk of an employee class action lawsuit.
The BIPA sets restrictions on employers’ use of biometric information, such as scans of the iris or retina, fingerprints, handprints, and face or voice recognition. Because this information is sensitive and unique to the employee, the BIPA requires employers to store, transmit, and protect it securely.
The BIPA specifies that any employer in possession of biometric information must develop a written policy made available to the public. Your policy must establish:
- A retention schedule for storing biometric information.
- Guidelines for permanently destroying biometric information when the initial purpose for collecting it has been satisfied, or within 3 years of the employee’s last interaction with the company.
When collecting or otherwise receiving an employee’s biometric information, you must:
- Inform the employee in writing that the information is being collected, the purpose for collection, and the length of storage.
- Obtain a written release from the employee.
- Store and transmit all biometric information with the same or better security than used for confidential company information.
- Not sell, lease, trade, or otherwise profit from biometric information, or disclose it unless the employee consents or disclosure is required by law.
Penalties for violating the BIPA are harsh. If you are found to have negligently violated a provision, employees may recover a minimum of $1,000 for each violation, plus attorneys’ fees. If you are found to have intentionally or recklessly violated a provision, employees may recover a minimum of $5,000 for each violation, plus attorneys’ fees.
Importantly, although this client update focuses specifically on employee biometric information collected by employers, BIPA protections apply to anyone whose biometric information you collect, including your customers.
If you have any questions about whether your biometric information policy complies with the law or you would like a policy and employee release drafted in accordance with the Biometric Information Privacy Act and other applicable laws, please contact Marcus & Boxerman at (312) 216-2720 or firstname.lastname@example.org.