Biometrics lawsuits are heating up, with plaintiffs filing actions against employers who are replacing older time and attendance systems with technology that relies on fingerprints, face scans or other individually unique biometric identification data.
The suits, which join other actions against companies that collect and sell biometric data to third parties, have all been brought under Illinois’ Biometric Information Protection Act (BIPA).
That means that any company with operations in Illinois needs to immediately assess the risks of legal liability, but other states are considering similar statutes and many are on track for legislative action in 2020.
Informed consent
The Illinois law requires anyone who collects biometric information in Illinois or of Illinois residents anywhere else, to inform customers in writing how that information will be used, stored, and destroyed. And the law requires that anyone collecting the data get affirmative assent from individuals involved.
Suits filed to date include one filed against fitness chain operator Capital Fitness and its subsidiary Executive Affiliates. The suit, filed with the Circuit Court of Cook County, alleges that Executive Affiliates collected employees’ fingerprints to track time and attendance, but failed to follow BIPA’s policy disclosure requirements.
In another case, filed in January, employees of the PersonalizationMall.com, an online retailer owned by Bed Bath & Beyond, assert that the company unlawfully collects and stores workers’ biometric information by requiring employees to provide their fingerprints to track hours and breaks on the job.
The workers say they still don’t know whether the PersonalizationMall.com has destroyed or still retains their biometric information or the information it continues to collect.
Settlements rare so far
In one of the few cases brought under BIPA that looks likely to settle soon, an Illinois state court judge said February 24 that she would decide whether to approve a $467,500 biometric privacy settlement. Workers sued in 2017 claiming they were unlawfully required to scan their fingerprints for work.
The lawsuit claims Multimedia Sales implemented finger-scan technology as a condition of employment to combat timekeeping fraud, but never informed Illinois employees how it would use the data nor obtained consent.
The claimants said the marketing company had no policy in place to inform the public or its employees what it does with workers’ information if they’re terminated or what it will do if the information gets stolen.
The suit is one of only a few to approach settlement since Facebook announced in January it would settle (non-employee) biometric privacy claims for $550 million. The Internet behemoth settled after the U.S. Supreme Court declined to consider its appeal.
No way to repair damage
Plaintiffs in these and other cases claim the exposure of biometric information is particularly damaging because it cannot be changed if it is ever exposed in a data breach.
People can open new bank accounts, change passwords, or order a new credit card. But once a face scan or fingerprint is exposed, it is effectively impossible to change them to protect against identity theft and other forms of fraud.
Significant potential liability
While case law around biometrics is still evolving, the U.S. Supreme Court decision not to review Facebook’s biometric privacy class action and the size of the subsequent settlement throws a spotlight on the scale of employers’ potential liability under BIPA.
The law allows plaintiffs to seek up to $1,000 for each negligent violation of the law and $5,000 for each knowing violation.