Businesses in Illinois at Greater Risk for Failing to Follow Procedures for Collecting and Storing Biometric Information
On January 25, 2019, in a decision with yearlong (and longer) ramifications, the Illinois Supreme Court ruled that the Illinois Biometric Information Privacy Act (BIPA) does not require individuals to show they suffered harm in order to bring suit. BIPA permits private individuals to file a lawsuit for damages stemming from a violation in the handling of biometric information, which includes fingerprints, retina or iris scans, scans of hand geometry, scans of facial geometry, and voiceprints, as prescribed by the Act. In other words, individuals have rights of privacy and control over their biometric data, regardless of whether anyone is directly harmed in the process. As a result, throughout 2019, a number of lawsuits were filed against businesses in Illinois alleging violations of BIPA.
The Act sets a fine of $1,000 per violation, and $5,000 per violation if intentional or reckless. Many businesses use biometrics, often fingerprints, for employees to access time clocks and cash registers. Now think of every swipe throughout the average workday and the financial implications of the lawsuits become apparent.
BIPA requires companies doing business in Illinois to comply with a number of requirements related to the collection and storage of biometric information for business purposes. These requirements include the following:
- Obtain consent from individuals if the company intends to collect biometric information or to disclose personal biometric identifiers. In addition, if the scope of the original purpose is too narrow at the outset for a later use, the business must obtain additional consent prior to undertaking the new use.
- Do not share biometric information with a third party, including vendors and service providers, without the individual’s prior consent, unless disclosure is required by law.
- Destroy biometric identifiers in a timely manner. Businesses may retain information until the earlier of: 1) fulfillment of the purpose; or 2) three years after last contact with the individual.
- Securely store biometric identifiers.