Do Not Use Biometric Data Until the Illinois Legislature Acts

Class action lawsuits involving biometric data are on the rise in Illinois. One example of this is a recent suit against Mariano’s.

In 2008, the Illinois legislature passed the Biometric Information Privacy Act (BIPA) to protect citizens against identity theft. Biometric identifiers may include: retina or eye scans, fingerprints, voiceprints, hand scans, or face geometry. Proof that “no good deed goes unpunished,” Illinois employers are now facing lawsuits for their use of fingerprints when employees clock in and out of work.

Plaintiff Proposed Policy

Many employers use finger-print scans for their timekeeping function and they are encouraged to do so by their payroll company. Plaintiffs argue, however, that Illinois employers who use finger-print technology must comply with BIPA which includes a requirement that employers publish a written policy which describes the purpose for collecting biometric data.

Such a policy must also describe the employer’s schedule for destroying the biometric data. Employers who collect biometric data must also inform their employees that they are collecting biometric data, and obtain a written release from every employee before they collect such data.

Combatting Arguements

Some payroll companies argue that their biometric technology is not governed by BIPA because they do not store employee fingerprints. Instead, they argue that they are scanning fingerprints and then reducing the fingerprints to an encrypted mathematical representation. This argument is untested in the courts. Meanwhile, these same payroll companies disclaim any legal liability arising from their biometric timekeeping devices and will refuse to an indemnify an employer if it is served with a class action lawsuit.

The penalties for every violation of BIPA is a statutory fine of $1,000-$5,000. Although other states have laws protecting biometric data, these states do not empower individuals to bring suit. Rather, that power is reserved for the state’s attorney general. In Illinois, however, individual employees can bring their own suit, they can petition the court for class-action status, and they can recover their attorney’s fees if they win.

Preventing BIPA Lawsuits

There are two ways for employers to prevent these lawsuits. On a micro level, employers should not use fingerprints or biometric data in connection with their time-keeping function. Old-fashioned time clocks are a better solution until the Illinois legislature changes BIPA. On a macro level, employers must continue to be sensitive to how they handle discipline and terminations. Most disgruntled employees do not go to an attorney because their employer uses biometric data. Rather, they consult an attorney because they believe they were treated unfairly.

If you have any questions about the matters addressed in this CCM Alert, please contact the following CCM author or your regular CCM contact.