- Illinois employer avoids biometric data fine. The Illinois Supreme Court ruled in favor of an employer that had illegally collected biometric data, because the workers' claim didn't fall under the court's purview. However, the case highlights the potential for employers to suffer economic consequences if they run afoul of the state's Biometric Information Privacy Act.
- Biometric law requirements. Illinois’ BIPA law requires companies to obtain permission before collecting fingerprints, retinal scans and other biometric data from workers and consumers. If they fail to do so, they could face penalties of up to $5,000 per violation, a potentially expensive proposition. Other states assess fines as well under their laws, but to a lesser degree.
- Employer steps for compliance. Obtaining consent to collect biometric data is not a single step: it requires a review of the company's publicly available written policies, retention schedules, third-party contracts and security protocols, and the explicit consent itself must be documented in some form.
- Onus on employers to protect privacy. It is incumbent upon organizations to ensure they are storing biometric data in a responsible manner to respect employee privacy, which starts with good IT practices.
With Illinois' top court recently deciding that U.S. labor law bars unionized workers from suing their employers for violations of the state's biometric privacy law, the case brought to the forefront the need for employers to properly manage employees' biometric data.
According to a Reuters report, in a unanimous decision the Illinois Supreme Court found that Roosevelt University campus security workers took their case to the wrong forum; to file claims that they did not consent to the school using their fingerprints for timekeeping they should have sought relief in union arbitration, not with the court.
Even though the employer prevailed for now, the case highlights the potential for employers to suffer serious economic damage if they run afoul of the state’s law, called the Biometric Information Privacy Act (BIPA).
Legally Collecting Biometric Data
Jason Stiehl, a partner in law firm Crowell & Moring’s Chicago office, said Illinois’ BIPA law requires companies to obtain permission before collecting fingerprints, retinal scans and other biometric data from workers and consumers. If they fail to do so, they could face penalties of up to $5,000 per violation, a potentially expensive proposition.
Stiehl explained that such penalties currently vary from state to state but range from $1,000 (under Illinois BIPA) to $25,000 (Texas Capture or Use of Biometric Information Act) per violation, or in the case of Washington, a maximum monetary fine of $500,000, as well as actual damages.
“Notably, there are at least 10 states that have similar legislature pending, most of which allow for a private right of action,” he said, and the list includes Arizona ($1,000), Hawaii ($1,000), Maryland ($10,000), Minnesota ($1,000), New York ($1,000), Tennessee ($1,000), and Vermont ($1,000).
“Most of these statutes mirror the Illinois BIPA regarding what is considered biometric information and the measures necessary to comply with the statutory mechanism,” he said.
Stiehl cited voice recognition as a specific biometric area within these statutes that has drawn recent attention and a rise in litigation. That litigation is most frequently brought against employers using voice recognition software, either in call centers or in ordering systems. Finally, Stiehl noted that some existing state laws, like the California Invasion of Privacy Act, have likewise been used to bring litigation in this area.
Employer Steps to Ensure Compliance
As for the steps employers need to take to ensure they are compliant with consent requirements, Stiehl said it's important to first recognize that getting consent isn't a single step; it likely calls for a more thorough review of a company's entire interaction with individuals.
That includes a review of its publicly available written policies, retention schedules, third-party contracts and security protocols. Even the consent step itself, he notes, is not a simple flip of a switch.
“A company needs to identify its first point of contact with an individual who may have biometric information captured and then ensure that it is providing notice both that information is being collected and the purpose and length of term the information is being collected, stored and used,” Stiehl said.
Next, he adds, employers must customize the consent “written release” mechanism, depending on the medium of interaction. In some instances, this may require an explicit notice and confirmation (if online or through apps), or it may require a voice walk-through if occurring through oral communication.
“Finally, given the variety of statutes, it is important to understand where a company may be interacting with individuals and where data may be captured,” he said. “In short, there is no one-size-fits-all solution, and it is strongly recommended that a company meet with a trusted advisor to create a compliant program.”
Ensuring Privacy and Protection
Employers collect biometric data because it grants access only to authorized users, is difficult to steal and spoof, and does not allow scalable attacks, which reduces the risk of hacks and breaches through stolen credentials, according to Michel Roig, president, head of payment access at Swedish biometrics firm Fingerprint Cards.
Organizations also utilize it to prevent “time theft” from hourly employees, as it eliminates the possibility for employees to clock in for one another.
However, it is incumbent upon organizations to ensure they are storing biometric data in a responsible manner to respect employee privacy.
“It begins with good IT practices,” Stiehl said. “That is, understanding what interfaces exist through which biometric data may be gathered, received, stored or transmitted.”
Stiehl's firm has found that these paths can run through many different channels: human resources, sales or marketing, by way of example. Compliance also often requires an audit of existing data; in many circumstances, organizations in states where biometric laws don't currently exist may be storing data considered biometric under statutes that, if enacted, would create retroactive liability.
Stiehl said he expects that the continued collection of data that may fall within the biometric definition will only expand over the next few years, and companies often will receive such information without appreciating the sensitive nature of the data.
“Thus, ensuring the best practices are in place, coupled with the right technical tools and ongoing diligence,” he said, “is truly the only way to ensure a company is complying with storing biometric data.”