How Businesses Must Manage Biometric Data
BIPA mandates that companies cannot collect biometric information from their employees without giving notice, obtaining consent, and making certain disclosures. The company must articulate to its employees why they seek to collect their biometric data and what they hope to accomplish with it. The involved employees must also provide written consent to allow the collection, storage, and usage of their data.
Companies hoping to use employee biometric data must also create a policy document that outlines retention schedules and means of eventually destroying the data. Under no circumstances can a business sell employee biometric data without their express authorization, and companies are expected to institute security measures that reasonably protect the personal information in a manner that is at-minimum consistent with how they protect their intellectual property and trade secrets.
How To Stay Compliant With BIPA Requirements
The best you can do is ensure that you meet the requirements under the Illinois Biometric Information Privacy Act before a lawsuit begins. Reach out to Chicago BIPA attorneys backed by years of experience or follow the tips below.
Tips on meeting BIPA requirements:
- Limit what data is collected
- In writing, inform employees that biometric data will be collected and/or stored
- In writing, inform employees how long the biometric data will be stored and what it will be used for
- Do not profit from the data
- Have a plan for handling potential data breaches
A Recent Illinois Supreme Court Decision
Previously, BIPA was interpreted to give employees the right to pursue legal action against their employer if the company’s mishandling of biometric data or failure to follow BIPA’s requirements led to some measurable injury. Companies could be liable to pay damages for those injuries in addition to attorney fees and any injunctive relief ordered by the court. The Act allows for up to $1,000 in relief for negligent infractions and up to $5,000 for each reckless or deliberate infraction.
In 2019, Illinois Supreme Court case, Rosenbach v. Six Flags Entertainment Corp., dramatically changed the playing field and opened companies up to new risks. The case decided that potential plaintiffs, including an employee or group of employees could pursue legal action against a company in any situation where they violate any term of BIPA – even if the violation resulted in no material harm or injury.
In other words, any technical violation of BIPA’s rules – inadvertent or otherwise – could result in an employee or group of employees pursuing legal action against your company. This decision predictably opened a floodgate of class action lawsuits. Some BIPA litigation has posited that every single usage of a biometric datapoint constitutes a negligent infraction, meaning that a group of employees doing something as innocuous as scanning their fingerprints could lead to millions in potential damages.
If your business has ever gathered, used, or stored employee biometric data, there is a possibility you could at some point face legal action stemming from alleged BIPA violations. Our Chicago BIPA attorney at the Kenny Law Firm can provide the aggressive defense you need to overcome these litigious obstacles. Our firm understands how BIPA litigation continues to evolve and can leverage our hands-on knowledge to deliver the results your company needs.