Friday, October 20, 2017

Illinois Biometric Information Privacy Act: A New Problem for Illinois Employers

The Illinois Biometric Information Privacy Act (“BIPA”), 740 ILCS 14, was enacted in 2008. The law requires that any business that collects biometric data must give written notice to those from whom it collects such data regarding the purpose of the data collection, its use and how long it will be stored. Biometric information may not be collected, used or stored unless the business entity collecting the information obtains a written release from the person from whom the information is collected. The business must also have a written schedule for retention and disposal of the biometric data.

Most laws such as this do not give a private right of action to individuals. They are typically enforced by state attorneys general as consumer protection actions. Not surprisingly, Illinois gives individuals a private right of action. The law specifies penalties in the amount of $1000 or actual damages for negligent acts and $5000 or actual damages for reckless or intentional acts. The law also provides for attorney’s fees and costs. The attorney’s fee provisions of this act are the type of bait that attracts attorneys.

In recent months there has been an upsurge in the number of class action lawsuits against Illinois employers who use biometric time clocks to track employee time through fingerprint scans. Fingerprint scans are covered by BIPA. It is unlikely that many employees have suffered “actual” damages resulting from the disclosure of their fingerprints, but in class action lawsuits paying $1000 or $5000 per plaintiff, this litigation could be very costly to businesses. Truth be told, the real reason for the upsurge in these class action lawsuits under BIPA is likely that attorneys have now recognized this law as a business opportunity. In most class action lawsuits, it is only the attorneys who truly benefit, and, not coincidentally, most class action lawsuits involve attorney’s fee provisions. So although these cases really aren’t so much about protecting the privacy of Illinois employees as they are about enriching attorneys, they are still a problem for Illinois businesses.

Businesses that use the increasingly popular biometric timekeeping devices should take steps immediately to protect themselves from this type of litigation. Employers should have a written policy describing how they collect, use, store and dispose of biometric data such as fingerprint scans from biometric time clocks. Employers must also have a written release from their employees who use biometric timekeeping devices. Taking these steps will likely alleviate the possibility of expensive future litigation.

While laws such as this are problematic for Illinois employers, steps can be taken to avoid liability.  An annual audit of employment practices helps to identify new or emerging concerns such as the one discussed in this article.  Employers simply never know when attorneys will discover a new avenue of attack, so vigilance in reviewing and updating employment policies is critical.