My youngest developed an affinity for action movies, especially those involving spies and other secret agents. This is fine with me as it gives me adequate coverage to rewatch the 007 and Mission: Impossible movies. Watching them again recently and in relatively short succession, I realized that there was a tendency for some time to remove the eyeballs to pass a certain level of security that required retinal scans. Fingerprints were also often required, and Ryan or Bond or Hunt or one of those guys seems to have luckily figured out that you don’t have to cut off someone’s finger to get them.
Outside of Hollywood, employers have been using biometrics to limit access to sensitive information and secure areas for several years. As the costs of implementing the technology fell and the technology became more accessible, businesses began to use biometrics for everyday purposes such as point-of-sale credit card verification and timekeeping. It’s easy to see the appeal: a consumer who chose to link their credit card to a fingerprint could rest assured that someone else couldn’t use their card if it was lost or stolen. An employer could prevent time theft due to co-workers clocking in for friends who are late for work. Devices equipped with facial recognition technology could be rendered inoperable by someone who did not look like the owner. The uniqueness of a fingerprint, retinal scan, or voiceprint made them nearly impossible to attack as a security measure (unless, of course, you had Q or Benji Dunn on your team).
Which was exactly the concern of the Illinois Legislature when it enacted the Illinois Biometric Information Privacy Act (aka BIPA). Shortly before the introduction of the bill that would become BIPA, the entity that owned and administered the state’s largest fingerprint-reading system began bankruptcy proceedings; and BIPA was a reaction to the prospect of the company (or similar entities) selling its databases containing fingerprint scans and other biometric information. Indeed, the legislative conclusions included in the text of the BIPA note that “[b]iometric. . . are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at increased risk of identity theft.
Illinois lawmakers weren’t kidding, and to ensure that entities that collect citizens’ biometrics put enough emphasis on protecting biometrics, BIPA:
- Mandates that any private entity that collects or possesses biometric data (including, for example, fingerprint scans or digital codes created from the scans) develop and maintain a publicly available policy that addresses the retention and destruction of data;
- imposes limits on the transmission, disclosure and dissemination of biometric data by entities;
- Requires these entities to obtain informed consent, in writing, from any person whose biometric data they collect or possess; and
- Imposes liquidated damages in the amount of $1,000 for each negligent breach and $5,000 for each reckless or willful breach.
If you’ve been lying in your off-grid hideout for the past few years, you may not be aware of the action and twists of BIPA’s story; but between mid-2017 and the end of 2021, nearly 1,000 lawsuits were filed in Illinois for BIPA violations. Parties to many of these lawsuits are currently awaiting cliffhanger-style rulings from the Illinois Supreme Court regarding the scope of BIPA’s claims. And while Illinois’ BIPA currently reigns as the strongest biometric protection law in the United States, to date ten other states have laws in place that provide some or all of the same data protections. personal information, including biometric data, that BIPA. In addition to current laws, twenty-four states and the federal government are considering legislation that provides some level of personal data protection. While some of the pending bills appear to be at a standstill, it appears that before long, escaping coverage under laws protecting biometric data collected by an employer may become mission impossible. He’s a nail biter, of course, that has many employers on the edge of their seats.
If your organization collects biometric data from your staff for timekeeping or other purposes and you have employees in Illinois, you are likely well aware of BIPA requirements and the dangers associated with not -compliance. Even those whose operations do not currently touch Illinois should monitor the status of any pending legislation in states where they collect biometric data from employees, independent contractors or others. And as the law continues to evolve, all employers should consider talking to a lawyer about updating policies and procedures relating to the collection, processing and retention of biometric data, and ensure that employees are aware of these policies.
Good luck. This message will self-destruct in 5 . . . 4. . . 3 . . . 2 . . .