Avoiding a Biometric Information Privacy Act Class Action

The Illinois Biometric Information Privacy Act (BIPA) was enacted in 2008 and more than a decade later remains a leading statute for biometric litigation. The BIPA regulates the collection, capture, safeguarding, handling, storage, retention, and destruction of “biometric identifiers,” such as fingerprints, voiceprints, retina and/or iris scans, and scans of hand or face geometry. The BIPA is generally considered the most stringent of all state laws of its type.

The purpose of the BIPA is to give individuals control over a business’s use of their biometric information by requiring notice and prior consent. The BIPA imposes five distinct obligations on employers or any private business that engages in any of the regulated activities:

(1) Informed consent prior to collection: a company may not “collect, capture, purchase, receive through trade, or otherwise obtain” biometric data from an individual unless it first informs the individual that the data is being collected or stored and the purpose of such activities and obtains a “written release” for such collection or storage.

(2) Restricted disclosure: a company that possesses biometric data may not “disclose, redisclose, or otherwise disseminate” it without consent or unless such disclosure is required by law, to complete a financial transaction, or pursuant to a valid warrant or subpoena.

(3) Retention and destruction policy: a company that possesses biometric data must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric data.

(4) Security requirements: a company that possesses biometric data must use the reasonable standard of care applicable to that company’s industry and in a manner at least as protective the company stores its own confidential and private information.

(5) Profiting prohibited (even with consent): a company that possesses biometric data may not under any circumstances sell, lease, trade or otherwise profit from biometric data.

The BIPA is by no means toothless. It carries a private right of action for harmed individuals and includes statutory damages of $1,000 per negligent violation and $5,000 per intentional violation or actual damages, whichever is greater. Additionally, successful plaintiffs may receive an award of attorney’s fees and costs and injunctive relief.

Despite being enacted in 2008, the first class action alleging a violation of the BIPA was not filed until 2015. That trend has only increased exponentially in subsequent years. Given the significant uptick in the frequency of BIPA class action, employers and companies that collect or store biometric data must be prepared to defend against a high-stakes class action lawsuit, where potential statutory damages can easily climb into the millions or even billions. Fortunately, there are several actions a company can take to mitigate or eliminate exposure and avoid or defeat such lawsuits. The surest way of accomplishing these objectives is for a company to take the time to ensure basic compliance now:

What biometric information are you collecting? The BIPA defines biometric information as information based on “biometric identifiers” used to identify a person. The statute defines biometric identifiers as a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. As technology evolves and new systems are put in place, you must carefully consider what information your company may be collecting in order to determine whether any disclosures are needed.

What disclosures do you currently make? If you have determined that your company does collect biometric information, the BIPA requires that your company provide written notice that explains that biometric information will be collected and the purpose for doing so and the length of time such information with be retained. The collection and storage of employee biometric information has become a hot button issue across the country. Creating a clear company policy concerning the collection, use, retention, and security of biometric information will, if done properly and provided to employees, not only satisfy notice requirements but may also help ease some concern employees may have.

Do you obtain a “written release”? In addition to providing notice, your company must also obtain a “written release” prior to collecting and storing an individual’s biometric information. A written release in this context means informed consent. If your company collects employee biometric information, it should obtain express written authorization from employees to collect and store their biometric information during the onboarding process.

Do you have a written policy for retention and deletion? If you have determined that your company collects or stores biometric data, then it must have a written policy for handling such data. This written policy must include a retention schedule and guidelines for permanently destroying the data at the earlier of when the purpose for the collection or storage no longer exists or three years since the last interaction with the individual.

Are you stay up-to-date on recent developments or interpretations of the law? The BIPA has caused quite a stir within the past few years and has generated much litigation. It will continue to be challenged in and interpreted by courts and those developments can have a serious impact on your company. It is also important to be aware of any regulatory changes so that your business can remain in compliance. This is where retaining the services of a knowledgeable consumer protection and data rights attorney can be invaluable.

Super Lawyers named Chicago consumer rights dispute lawyers Peter Lubin a Super Lawyer and Patrick Austermuehle a Rising Star in the Categories of Class Action, Consumer Rights, and Business Litigation. Lubin Austermuehle’s Chicago consumer protection lawyers near Oak Brook and Naperville have over thirty years of experience litigating consumer rights, auto fraud, complex class action, breach of contract, franchise and dealer termination, copyright, partnership, and shareholder oppression suits, non-compete agreement, trademark and libel suits, and many different types of business and commercial litigation disputes. Our Highland Park and Deerfield area consumer fraud and auto fraud attorneys near Chicago litigate certified pre-owned fraud cases and rebuilt wreck and flood vehicle cases against used car dealers and automobile manufacturers. We also assist Chicago, Evanston and Oak Park area used car consumers who are victims of fraud and consumer fraud. You can contact one of our consumer rights attorneys near Chicago and Oak Brook by calling 630-333-0333. You can also contact us online here.