Ask for Permission, Not Forgiveness: Employment Aspects of Illinois’ Biometric Information Privacy Act By Neil Johnson
F acebook’s mantra, “move fast, break things,” mirrors the current technol- ogy industry’s treatment of personal data: collect first and disclose later (if at all). Specifically, employers collect and use employees’ biometric data, such as fingerprints, to increase the efficiency and cost-effectiveness of activities that include time-entry and physical and digital security measures. But these employers often fail to seek permission before collection or fail to inform the individual about why the data is being collected. Without such permission or disclosure, the collection of biometric data could create significant legal liability for the employer. Illinois’ Biometric Information Privacy Act (BIPA) regulates an employer’s actions toward its employees’ biometric data and the disclosure of such actions to employees.
BIPA Basics BIPA applies to companies that collect and store biometric identifiers and biometric information. Biometric identifiers include retina or iris scans, fingerprints, voice- prints, or scans of hand or face geometry, while biometric information widens the definition to cover any information based on those identifiers. 735 ILCS 14/10. The classification of data as biometric largely depends on the technical collection and use process. For example, the defini- tion of biometric identifiers excludes pho- tographs, but litigation has already arisen over whether a software application at issue collected photographs or facial scans. Rivera v. Google, Inc. , 238 F.Supp.3d 1088 (N.D. Ill. 2017). The federal courts have interpreted biometric information broadly to allow for advances in technology.
This article discusses BIPA in the employ- ment context, but it is important to note that BIPA also affects any business that collects biometric data for purposes of quick identification of repeat customers or accurate monitoring of customer behavior. The Illinois Supreme Court recently clarified liability for BIPA violations, exposing more employers to large judg- ments and payment of attorneys’ fees. Even though the federal courts have taken a more restrictive approach as to who can bring BIPA lawsuits, lawsuits that have been dismissed at the federal level can sometimes be refiled in Illinois state courts. To avoid exposure, every employer collect- ing biometric data should immediately review its internal practices and policies to ensure compliance with BIPA.