Illinois companies have taken a hit these last couple of weeks over the biometric timekeeping systems they’ve been using with their employees.
We reported last October on the increase of complaints against employers for violating the Illinois Biometric Information Privacy Act. Although the Act was implemented back in 2008, there was an upsurge in class action lawsuits against Illinois employers who use biometric timekeeping within their businesses in 2017.
Under the Act, in order for biometric information (i.e., fingerprints) to be collected, used or stored, a business entity must obtain a written release from the person from which the information is collected. Additionally, the Act requires a business to have a written schedule for retention and disposal of any biometric data collected, used or stored.
Since September 24, 2018, four lawsuits have been filed against Illinois companies involving violations of the Biometric Information Privacy Act. Of these four lawsuits, three of them involve violations, by the employer, of the Act’s disclosure requirements.
These three lawsuits involving Illinois business include: U-Tec Group Inc., Loews Hotel, and Medline Industries. The common theme among the three separate lawsuits is that each company failed to inform their employees of the necessary disclosures in order to make an informed decision regarding the risks of using such biometrics in the workplace. Each complaint includes the claim that the employer must inform employees in writing of how they will collect and store such information, and for how long. And, each complaint also alleges that the companies individually failed to do just that. A specific concern raised in the complaints was that employees are not being told, and not giving consent, on how long this information will be stored for, creating a violation of the employees’ privacy.
The fourth lawsuit in this string of recent cases involves the Illinois-based lighting company Conservation Technology of Illinois, LLC, which does business as Con-Tech Lighting. The company, like the other three, is using fingerprint scans for time-tracking purposes. However, this complaint raises a different issue: the company failed to implement the proper policies regarding the collection and sharing of biometric information. The Act requires businesses to establish policies regarding the extent that they intend to store, share and get rid of any collected biometric information. Considering such information acts as a unique identifier associated with each employee, this issue raises serious and irreversible privacy risks if improperly shared.
It is worth noting that none of the plaintiffs in these recent cases are alleging inappropriate disclosure of biometric information; they only allege procedural violations. The Act allows for damages of $5,000 for each willful or reckless violation, as well as $1,000 for each negligent violation. With such significant penalties at risk, employers are wise to pay special attention to their processes when implementing biometric based programs in their workplaces.