Biometrics are physical or behavioral human characteristics that can be used to digitally identify a person to grant access to systems, devices, or data. Biometric information can come in an array of technologies including facial or fingerprint recognition, voice scans, and more. Employers have used fingerprint technology recognition for employee shift check-in/out, access to facility spaces, and for other means to protect employer assets. At the onset of COVID-19, this same technology was introduced to a new use where facial recognition was implemented to track employee temperature checks – and the list of useful applications goes on.
When there are so many positive byproducts from the use of biometric technology, why would employers ever have reason to be concerned?
The Illinois Biometric Privacy Information Act (BIPA) passed in 2008 requires a corporation that obtains a person’s biometric information to: 1) obtain a “written release” from them prior to collection, 2) to provide them notice that their information is being collected and stored, and 3) to state the duration the information will be collected, stored, and used as well as its specific purpose. The law gives a private right of action to anyone “aggrieved” under the statute.
While this policy has been in place for quite some time, with the expanded biometric uses, it has left businesses more susceptible to litigation. For example, in January 2019, the Illinois Supreme Court ruled that Six Flags Great America in Gurnee, IL was liable for damages after parents sued the theme park after it collected a child’s fingerprints, charging a violation of the Illinois biometric privacy law. The fingerprint scan was part of a nationwide policy that Six Flags rolled out in 2014 as a security process for pass holders to enter and exit amusement parks. To get into the amusement park, pass holders had to present their physical pass in addition to scanning their fingerprint. A mother of a fourteen-year-old boy sued Six Flags Entertainment Corporation under the Illinois Biometric Privacy Act (BIPA). The plaintiff alleged that the theme park scanned her son’s fingerprint without obtaining written consent and without properly disclosing the company’s business practices relating to the collection, use, and retention of the fingerprint data. The theme park claimed that their biometric procedure did not show harm (“aggrieved”) but the Illinois Court held that plaintiffs need not show harm beyond a violation of the law.
Likewise, a former director of security and public safety at a hospital in the suburban Chicago area filed a class action suit against Illinois’ Northshore University Health System, claiming that it violated the state’s Biometric Information Privacy Act (BIPA) by requiring certain workers to have their retina or handprint scanned to access restricted areas. This employee was required to use biometrics to authorize access to the hospital’s nuclear medications and radio areas and alleged that the employee was never properly informed in writing of the purpose of the biometric data collection, or of details about the data’s use.
Again, in July 2020, Saint Anthony Hospital in Chicago was sued in a class action lawsuit alleging that it improperly collected, stored, and disclosed biometric data from employees’ time-tracking fingerprint scans. Former employees brought the suit, claiming that since 2006, the hospital required employees to scan their fingerprints at the beginning and end of each shift into two different time-tracking and payroll systems, but never obtained their informed consent.
Facebook is facing the $650 million class action lawsuit under Illinois’ BIPA because of a feature that utilizes facial recognition technology to suggest other users to tag in photos. It started with three different Illinois residents that filed suit against Facebook in 2015, and now includes nearly 1.6 million Illinois Facebook users that believe Facebook violated their rights under BIPA.
More rulings in favor of the plaintiff are resulting in more litigations and since the biometric technology uses are ever-expanding, it has become an urgent matter to revisit the 2006 BIPA policy to ensure that our businesses are being adequately protected. There are several BIPA reform bills filed in this session in Springfield. Two bills that seem to look promising are HB 559, 560. For the first time, a BIPA reform bill (HB 559) passed out of the House Judiciary Committee just last week. HB 559 contains several changes to the original bill language, including allowing companies to receive “consent” for biometric data use instead of the “written release” required in the original bill, and it allows for the consent to be given through “electronic means.”
It would also change the penalty structure for damages. For negligence violations, it would remove the $1,000 liquidated damages penalty, limiting claimants in that category to reimbursement of “actual damages,” which are quantifiable repercussions of the violation of the law.
These BIPA reform bills are on our radar and the NACC Business Works Committee is discussing how the NACC can support these and other bills to best protect our businesses against financially devasting law suits as they navigate the uses of ever-advancing biometric technologies.
Please reach out if you have questions or would like more information on this or other policies impacting your business or organization. I can be reached at (630) 544-3387 or email@example.com.