CBA Record July-August 2019

Y O U N G L A W Y E R S J O U R N A L

her data. BIPA is just one example of the multitude of different statutes that place a legal obligation on companies when collecting personal data. The collection of biometric data can create benefits, such as enhancing the customer experience and workplace productivity. Yet employers need to know about their data processes and disclose them to the collected party if they are going to take advantage of these benefits. With the collection of biometric data, employers should ask for permis- sion first, not forgiveness, because BIPA forgiveness comes with a hefty price tag. Neil Johnson practices as an employ- ment and commercial litigator at Golan Christie Taglia. His practice has focused on litigation with an increased emphasis on technology and data privacy.

ing under Article III of the Constitution. Under Article III, a plaintiff must establish injury-in-fact, meaning an injury that is concrete and particularized and that is actual and imminent. The federal district courts have held that even if a plaintiff meets the statutory standing requirement under BIPA, the plaintiff still needs to allege an injury-in-fact as required for Arti- cle III standing. McGinnis v. United States Cold Storage, Inc. , No. 17-C-08054, 2019 WL 95154 (N.D. Ill. Jan. 3, 2019); Aguilar v. Rexnord, No. 17-CV-9019, 2018 WL 3239175, (N.D. Ill. July 3, 2018); Howe v. Speedway, LLC , No. 17-CV-07303, 2018 WL 2445541 (N.D. Ill. May 31, 2018); and McCollough v. Smarte Carte, Inc. , No. 16-C-03777, 2016WL 4077108 (N.D. Ill. Aug. 1, 2016). Regarding other terms, technical viola- tions of BIPA, such as failure to disclose the collection of biometric data, can create an “aggrieved” person but cannot alone constitute injury-in-fact. Yet other federal courts have found that an employee can establish concrete injury under Article III where an employee does not knowingly and voluntarily provide biometric data or where the employer shared the biometric data with a third party. Miller v. South- west Airlines, Co. , No. 18-C-86, 2018 WL4030590 (N.D. Ill. Aug. 23, 2018); Dixon v. Washington and Jane Smith Community-Beverly , No. 17-C-8033, 2018 WL 2445292 (N.D. Ill. May 31, 2018). Even if plaintiff lacks federal standing, the federal courts can simply remand or dismiss without prejudice, allowing a case to be refiled in state court. The employer would then be exposed to the broad liabil- ity created by Rosenbach . BIPA Compliance Tips for Employers To avoid this grim reality, employers should follow these practices and policies: Data Protection Policy. Map out and understand the flow of biometric data from collection to storage, use, and destruc- tion. BIPA requires an employer to store, transmit, and protect this data (1) in a “reasonable standard of care” within the

employer’s industry, and (2) “in a manner that is the same as or more protective than” its “confidential/sensitive informa- tion.” Both of these requirements are quite generic, so an employer should seek the aid of an attorney and an IT professional to determine the effectiveness and compliance of the employer’s security measures. Disclosure Policy. Inform the employee whose biometric data is collected, in writ- ing, of the following: (1) what is being collected; (2) why the data is being col- lected; (3) how the data is being used; and (4) where the data is being stored. In the employment context, the employment handbook or other applicable policies should provide such information. Retention Policy. Create a retention policy outlining when the biometric data is destroyed and specifying when the purpose for the data’s collection has been achieved. If no destruction policy is speci- fied, BIPA requires destruction three years from the employee’s last interaction with the employer. Written Consent. Before the collection or use of the biometric data, the employer must receive written consent for the col- lection, storage, and use of an employee’s biometric data. In the employment con- text, BIPA refers to a release executed by an employee as a condition of employment. Conclusion In the wake of scandals like Cambridge Analytica, legislators are more concerned about an individual’s control over his or

Nielsen Career Consulting

Career Counseling For Attorneys

Strategies and support for your career in or out of the law • 30 Years of Experience • Over 3500 Clients

PRACTICE AREA UPDATES The CBA is pleased to partner with CBA Newsstand by Lexol- ogy, a daily email that provides valuable and free practical know how.Learn more at www.chica- gobar.org/newsstand.

Sheila Nielsen, MSW, JD

The Park Monroe 65 E. Monroe St., Ste. 4301 Chicago, IL 60603 (312) 340-4433 www.nielsencareerconsulting.com

36 July/August 2019

Made with FlippingBook Annual report