Last year, we warned our readers that the Illinois Biometric Privacy Information Act (BIPA) could be a source of major liability for companies, and Facebook recently learned this the hard way. In late January, the company paid $550 million to settle a class action lawsuit alleging that it violated BIPA.
BIPA(740 ILCS 14/1), enacted in 2008, requires employers to take the following measures when collecting employee biometric data:
- Receive the employee’s written consent prior to collecting biometric data;
- Inform employees that their biometric data is being collected;
- Include the purpose of the collection of the biometric data (like for use to keep track of coming in and out of work);
- Disclose the length of time the employee’s biometric data will be retained;
- Not profit from biometric data-biometric data cannot be sold, trades, leased, or used for profit in any manner;
- Not release biometric data to a third party without the employee’s consent or a subpoena, warrant, or some other legal reason;
- Keep biometric data secure. Employers can be sued if biometric data is stolen and they have not taken proper measures to prevent this theft.
Biometric data is the measurement and statistical analysis of an individual’s physical and behavioral characteristics. Fingerprint scanners, facial recognition software, iris recognition scanners, and other devices that use a person’s physical characteristics are examples of devices that use biometric data.
The lawsuit against Facebook alleged that it collected facial recognition data on images of users in Illinois without those users’ consent. Facebook attempted to argue that its facial recognition software was not biometric data and that BIPA did not apply to it, to no avail.
Illinois employers need to keep BIPA in mind when installing things like security systems or employee time tracking. You may not even be aware of the fact that, for example, your security cameras contain facial recognition software. Using such systems to monitor your workplace could inadvertently violate BIPA. The same is true for time tracking software that uses an employee’s fingerprints.