Biometrics and Privacy Law

Posted by Mark Greisiger

A Q&A with Al Saikali of Shook, Hardy & Bacon, LLP

Up until recently class action suits involving the Biometric Information Privacy Act were rare. In the past two years, however, this Illinois statute has become the focus of a trend, with plaintiffs attorneys zeroing in on companies that employ Illinois residents. I spoke with Al Saikali, chair of the data security and privacy practice at Shook, Hardy & Bacon, LLP, about the law and the current landscape of biometric privacy litigation.

Biometric information includes any information, regardless of how it’s captured, converted, stored or shared, based on an individual’s biometric identifier that’s used to identify an individual…

What is the Biometric Information Privacy Act (BIPA)?
An Illinois statute put into effect in 2008, BIPA imposes obligations on entities that collect or possess biometric information. Several months ago, there was a sudden tidal wave of class action lawsuits against companies like United Airlines, L.A. Tan Enterprises, Facebook, Google, Shutterfly and others.

What is “biometric information”?
Biometric information includes any information, regardless of how it’s captured, converted, stored or shared, based on an individual’s biometric identifier that’s used to identify an individual, such as:

  • retina or iris scan
  • fingerprint
  • voiceprint
  • scan of hand
  • scan of face geometry

Biometric information does not include:

  • writing samples
  • written signatures
  • photographs
  • human biological samples used for valid scientific testing or screening
  • demographic data
  • tattoo descriptions
  • physical descriptions such as height, weight, or hair or eye color

How is it used?
There are a few primary reasons why a company would use biometrics. Ironically, in all cases it’s to improve security, though plaintiffs lawyers will argue that it’s raising privacy risks. One use is time clocks, which have been adopted to eliminate the problem of “buddy punching,” i.e., when an employee punches someone else’s timecard in their absence. They are also used by companies as a means of authentication for log-ins to customer profiles. Another way BI might be used but we haven’t seen yet is if a company lends out iPhones to its employees. When the device is returned to them eventually, that might be considered the company “collecting” the biometric information, although in the case of iPhones, the fingerprint is used as a mathematical representation and it’s then encrypted so no one else can access or reverse engineer that information.

What does BIPA require?
BIPA requires companies that collect BI to:

  • provide notice that the information is being collected or stored and the purpose or length of term for which the BI is being collected, stored and used.
  • receive a written release by the data subject and/or their representative.

BIPA requires companies that possess BI (which would include companies that collect it):

  • develop a retention schedule and guidelines for the permanent destruction of the BI.
  • use a reasonable standard of care when storing, sharing and protecting the BI.

The law also prohibits companies from:

  • selling, leasing, trading or profiting from the BI.
  • disclosing, re-disclosing or disseminating BI without consent.

Can a company be sued for violating BIPA?
Yes. One of the things that distinguishes BIPA from other states’ laws is that it creates a private cause of action for people who are “aggrieved by” a violation of the act. The plaintiff can seek $1,000 per violation in liquidated damages or actual damages, whichever is greater, where the violation was due to negligence. The plaintiff can seek $5,000 per violation where the underlying conduct was intentional or reckless. The prevailing party may be entitled to attorney’s fees. Just last week, in the Rosenbach v. Six Flags case, an Illinois appellate court issued an opinion that the plaintiff has to demonstrate actual harm separate from a technical violation.

If companies are not doing business in Illinois why should they care about BIPA?
Other states, such as Texas and Washington, have similar laws. More states, including Michigan and Connecticut, have legislation pending or are moving toward enacting similar laws. However, even in places where there are no laws, aggressive lawyers may try to bring a case based on theories of negligence without a statutory violation.

Can you tell us more about the litigation landscape in the area of biometric privacy?
As mentioned, there were only a handful of cases around this law up until a recently and since then there have been 50 class action suits—and not just against big companies. The latest wave concerns former employees bringing suit against companies that use finger-scanning time clocks to check employees in and out. The causes of action in these cases have been statutory violations and negligence. The defense so far has pointed out the lack of harm—no unauthorized access was given to the data and no other harm has been shown. My guess is that plaintiff’s attorneys will continue to push the theory that if the company has no policy or consent process in place then that alone entitles them to damages under the statute.

Shook is representing companies in these class actions. What can companies do to minimize risk?
First, determine if you are indeed collecting biometric information from either customers or employees. Understand the technology being used. For instance, many of these timeclocks can be used with the fingerprint function turned off, with a scanner card used in its place. Develop the requisite policy for use, storing, collection and destruction of BI and the proper release forms to solicit from employees or customers. Finally, monitor the laws in different states as this is an evolving area.

In summary…

We want to thank Mr. Saikali for his expertise and legal insight into this emerging cyber risk topic. Many companies deploy biometric security thinking it’s a bulletproof safeguard control to authenticate an online user while not fully thinking through the class-action exposures they might unknowingly create without proper policies/protocols in place (those which Al outlined above). This Illinois BIPA law is especially potent because statutory damages add up when thousands of victims are impacted and can attract the interest of leading plaintiff law firms.  As a final word of caution to risk managers, Al rightfully mentioned that other states already have similar laws and/or are moving towards enacting something similar to BIPA so the issue might only become more crystalized in the coming year.