Over a decade ago in 2008, after a unanimous vote, Illinois enacted the Biometric Information Privacy Act (“BIPA”) to regulate “the collection, use, safeguarding, handling, storage, retention, and destruction” of individuals’ biometric identifiers and information. 740 ILCS 14/5(g). Individuals, including employees, who have been required to scan their finger, hand, face, eyes, or record their voices for authentication purposes may have a cause of action under BIPA. This may include scanning a fingerprint in a timeclock or using a headset that collects voice data for identification purposes. Companies that utilize such “biometric” technology in Illinois must comply with simple informed consent requirements, but many do not. When companies collect the sensitive identifying information, such as fingerprints, they must also follow a publicly available policy for retention and deletion of the personal data. Companies must take careful steps—that they tell their employees about—to protect the data from being compromised.
Private entities must comply with BIPA before collecting biometric data. Under BIPA, private entities are prohibited from capturing, possessing, purchasing, or disseminating an individual’s “biometric identifiers” (which includes handprints) and “biometric information” (information based on a biometric identifier that is used to identify an individual) without first complying with easy-to-follow requirements. See 740 ILCS 14/15. These basis protections are designed so that the privacy rights of Illinoisans are properly honored.
Protections include:
- A private entity must first inform the individual that they intend to collect the data, as well as the purpose(s) and length of time the data will be stored and then secure a written release to do so.
- The private entity must receive a written release executedby the subject of the biometric data, and in the employment context, it must be a condition of employment.
- A private entity that possesses biometric data must establish, and follow, a publicly-available retention policy and destruction plan.
- A private entity may not disclose biometric data to third parties without consent or profit from the biometric information.
The Illinois legislature provided a private right of action to enforce BIPA rights, as well as a statutory remedy, without proof of any actual damages. This remedy is designed to promote enforcement of the law’s requirements through a private right of action. Damages range at either $1,000 or $5,000 per violation, depending upon willfulness.
In recent years, many more companies have moved toward compliance with BIPA’s requirements. But as different technologies are used to streamline production and identification, newly developed biometric equipment and products have entered the Illinois market and employment facilities without coordinated efforts to comply with BIPA. Both companies operating in Illinois and individuals working in Illinois must be careful before installing or using any technology that scans a person’s physical features or voice. The consent and retention requirements enacted by the Illinois legislature through BIPA must be followed before the equipment is used. If not, the company could be liable for substantial damages, even if the equipment was first introduced by a third-party vendor.