2017 brought dozens of lawsuits against businesses, most of them filed by employees, around alleged violations of the Illinois Biometric Information Privacy Act (BIPA).
This has caused many employers to ask fundamental questions about whether their employment policies and procedures are enough to keep them compliant with the law.
The purpose of this article is to provide an overview of BIPA and the processes that employers should have in place to stay compliant.
Background Behind Biometric Privacy Laws
Biometrics was first introduced by a company called Pay By Touch, which promised to change the world of payments.
Customers were able to link their credit cards, bank accounts, rewards programs and more to their fingerprint. Instead of swiping a card or paying with cash, they could pay with their fingerprint. Millions of customers signed up.
Unfortunately, the company and one of its founders were entangled in litigation, and the company declared bankruptcy and closed its doors in 2008.
Since that point biometric technology has continued to advance and now includes dozens of ways that technology can identify individuals. It includes identification through fingerprints, voice prints, face scanning, iris scanning and many other individual identifiers.
Biometric technology is often used for timekeeping, security, and convenience.
In addition to expanding the way we see biometric information, Pay By Touch was also the catalyst for the first state law governing how biometric information is collected, stored, and protected.
In 2008, Illinois passed BIPA, but the law has only recently become the subject of dozens of lawsuits. Since that point two other states, Texas and Washington, have passed biometric privacy laws.
Uses of Biometrics in Employment
Employers may use biometric information in a variety of ways.
One of the most common uses of this technology is the biometric time clock. These clocks identify the employee clocking in and out by their fingerprint or other biometric information. This eliminates time theft, a common problem among employers, and is cost effective and accurate.
Employers also use biometrics to secure business assets and areas. Businesses use fingerprints, hand geometry scans and facial recognition software to lock down secure areas, laptops, and storage devices. Retina and iris scanners are more costly and are usually only used for high security clearances.
Employers use biometrics as a means of creating a one-stop shop to track employee trainings, certifications, credentials, and access to company information.
Biometrics is also gaining use in employer health plans and wellness programs. If an enrolled population is biometrically scanned, the data can be aggregated to provide a complete risk profile for each individual. These plans can provide incentives for behavior changes to lower the identified risks.
The SwipeClock biometric time clocks eliminate buddy punching by collecting a hash pattern derived from the employee's fingerprint. Employee fingerprints are not stored in the clock or by the employer; rather, the technology creates a computer hash using the ZKfinger 10 algorithm. The computer hash does not carry or retain enough information to recreate a fingerprint, but it does allow certain points on the finger to be matched against the hash.
Overview of BIPA and Its Applications to Employers
Illinois BIPA does not prohibit the use or collection of biometric data from employees.
BIPA identifies “biometric identifiers and information” as a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.
It does not include things like writing samples, written signatures, photographs, demographic data, physical descriptions, and biomimetic materials such as tissue samples used for medical or scientific purposes.
BIPA requires that employers notify employees about the collection of information and take measures to secure the information.
The law is enforceable through a private right of action. Employees, and other individuals affected, can sue businesses for non-compliance with the law. However, the practical applications of the law will continue to be interpreted as Illinois courts rule on the pending litigation.
Types of biometric data that fall under the Illinois Biometric Information Privacy Act:
- Retina or iris scan
- Hand geometry
- Face recognition
- Voice recognition
- Hand vein recognition
- And more!
Biometric and other personal data that do not fall under the Biometric Information Privacy Act:
- Writing samples
- Written signatures
- Demographic data
- Physical descriptions
- Biometric materials used for medical or scientific purposes
It is possible that BIPA would not cover analysis of biometric information used to identify individuals, as long as the actual biometric information is not stored with the analysis. In the coming months, Illinois courts will establish the legal interpretation of this law as dozens of recent suits make their way through the court system.
Complying with BIPA: Steps Employers Must Take
Employers must ensure that they are following BIPA compliance guidelines. These guidelines require that employers disclose their intent and purposes for collecting employee biometric data and that they get permission from their employees to do so.
BIPA also prohibits employers from selling the data or profiting from it in any manner.
Employee biometric data must be kept confidential and safeguarded, and once the purpose for collecting the data has been fulfilled, it must be destroyed.
BIPA Notification Requirements
BIPA requires that any private entity first notify and obtain consent before collecting any biometric information.
Employers must notify employees that their biometric information is being stored, the purpose for collecting, storing and using the employee's biometric data, and the length of time the data will be retained.
Employers must also obtain written consent from employees for using their biometric data.
- Inform employees that their biometric data is being collected.
- State the purpose of collecting the biometric data (such as for use in time clocks).
- State the length of time the employee's biometric data will be retained.
- Obtain the employee's written consent to collect the biometric data.
Profiting off Biometric Data
Illinois law prohibits any company from profiting from the biometric data it has collected.
This means employers, and other businesses, cannot sell, trade, lease, or profit in any way from biometric information collected.
In addition, employers cannot release employee biometric information unless the employee consents, the release is required by law, the information is requested via a subpoena or warrant, or the release completes a financial transaction authorized by the individual.
- Biometric data cannot be sold, traded, leased, or used for profit in any manner.
- Biometric data cannot be shared without the employee's consent unless:
  - It is required by law
  - A search warrant or subpoena requires the information
Security of Biometric Data
Businesses in Illinois that keep biometric data on file must ensure that the data is secured. BIPA requires that these companies "store, transmit, and protect from disclosure all biometric identifiers and biometric information."
Employers must use the same standard of care available within their industry. They must also use the same or better protections that they use for other confidential and sensitive information.
Retention and Destruction of Biometric Data
Employers must also have a written policy regarding the retention and destruction of biometric data. This policy must be made available to employees.
It must establish a retention schedule for the biometric data. It must ensure secure destruction of biometric data at the termination of the employee's employment or within three years of the employee's last interaction with the company, whichever comes first. It must also explain how the biometric data will be destroyed.
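The retention schedule described above is simple to state but easy to get wrong in practice, because the destruction deadline depends on two dates and on whether the employee has already been terminated. The following Python script is an added example, not code from the original article or from SwipeClock, showing how an employer could compute the destruction deadline for each biometric record under the rule just described (termination date, or three years after the last interaction, whichever comes first) and list the records that are overdue for destruction. The record fields, employee IDs and dates are all constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# BIPA retention limit as described in the article: destroy within three
# years of the employee's last interaction with the company.
RETENTION_YEARS = 3


@dataclass
class BiometricRecord:
    """Constructed record shape for the example (hypothetical fields)."""
    employee_id: str
    last_interaction: date            # last use of the time clock, etc.
    termination_date: Optional[date]  # None while the employee is active
    destroyed_on: Optional[date] = None


def add_years(d: date, years: int) -> date:
    """Add calendar years; Feb 29 rolls back to Feb 28 in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def destruction_deadline(rec: BiometricRecord) -> date:
    """Earlier of: termination (purpose satisfied) or three years after the
    last interaction. An active employee is governed by the three-year limit
    alone, which still matters for long-term leave or dormant accounts."""
    limit = add_years(rec.last_interaction, RETENTION_YEARS)
    if rec.termination_date is not None:
        return min(rec.termination_date, limit)
    return limit


def records_due_for_destruction(records: List[BiometricRecord],
                                today: date) -> List[str]:
    """Employee IDs whose biometric data should already have been destroyed."""
    return [
        r.employee_id
        for r in records
        if r.destroyed_on is None and destruction_deadline(r) <= today
    ]


# Constructed sample data: four employees with different situations.
SAMPLE_RECORDS = [
    # Terminated mid-2017; destruction was due on the termination date.
    BiometricRecord("E-1001", date(2017, 6, 30), date(2017, 6, 30)),
    # Still active, but no clock-in since early 2014: three-year limit passed.
    BiometricRecord("E-1002", date(2014, 1, 15), None),
    # Active, recent interaction: nothing due yet.
    BiometricRecord("E-1003", date(2017, 12, 20), None),
    # Terminated and already destroyed: must not be reported again.
    BiometricRecord("E-1004", date(2016, 3, 1), date(2016, 3, 1),
                    destroyed_on=date(2016, 3, 2)),
]

if __name__ == "__main__":
    as_of = date(2017, 12, 27)
    for rec in SAMPLE_RECORDS:
        print(rec.employee_id, "deadline:", destruction_deadline(rec))
    print("Overdue for destruction:", records_due_for_destruction(SAMPLE_RECORDS, as_of))
```

Running this as of December 27, 2017 reports E-1001 and E-1002 as overdue: the first because the employee was terminated, the second because three years have passed since the last interaction even though the employee is still on the books. A real deployment would run this check on a schedule and feed the result into the destruction process the written policy describes, including copies held in backups and by vendors.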
Illinois employers who use the SwipeClock biometric technology need to inform employees that biometric data is deleted once one of three things occurs.
First, if new print information is recorded, the old information is automatically deleted.
Second, when the employee is terminated, their biometric information is deleted.
Third, biometric information can be deleted by the employer through the TimeWorksPlus Biometric Management Page.
Consequences of Non-Compliance with BIPA
BIPA allows for a private right of action. This means that employees can seek statutory damages through the courts via class action lawsuits.
Although BIPA was largely ignored for years, in 2017 that ceased to be the case. BIPA covers all biometric data collection by private companies, not just employers. As a result, over 30 lawsuits were filed in Illinois in 2017.
BIPA allows for a penalty of up to $5,000 for each violation. This means that violations of BIPA can become very costly for employers, as employees can sue for multiple violations.
Interpretation of BIPA through the Illinois Courts
Recently, in November 2017, one of the first BIPA cases was closed. Vigil v. Take-Two Interactive Software affirmed several interpretations when it dismissed the suit. First, although the video game failed to provide the proper BIPA notices, that alone was not sufficient to cause "material harm."
Although the notice was not provided, the court maintained that the 15 minutes of scanning the game required was enough to cause any reasonable person to understand that biometric data was being collected.
The court also found that although the video game did not obtain the authorization BIPA requires, the game did notify users that biometric data was being collected, even if it did not do so in BIPA's language.
These rulings indicate that employers who are currently in violation of BIPA should collect records of all notices and authorizations provided and collected by the employer or by any software the employer uses.
These notifications, although not conforming completely with BIPA, may protect an employer who has violated BIPA in court.
Steps to Comply with BIPA
There are several steps that employers should take when using biometric information.
First, identify what biometric information is being collected and stored.
Second, only collect the information you need that is directly related to your business operations. If the purposes for collecting biometric data can be met with less data or with less sensitive biometric data, then only that data should be collected.
Third, retain biometric data only as long as it is needed. Destroy data as soon as the need for it is satisfied. Make sure that all copies of the data are destroyed, including copies in backups, held by vendors, and on devices.
Fourth, ensure that your organization has a plan for keeping biometric data safe. It must be kept at least as secure as, if not more secure than, other confidential information your business stores.
Safeguard policies can include assessing risks around employees, implementing trainings, and limiting who has access to the biometric data.
Technical risk management could include storing individual data on local devices to limit the impact of a mass data loss. It can also include keeping summary information instead of raw data and encrypting the information.
Physical safety includes keeping the systems that store biometric data secure and locked up, and maintaining an inventory of all devices.
Let SwipeClock Help
Businesses often have to comply with multiple conflicting city and state ordinances defining sick leave, family or medical leave and scheduling laws.
Additionally, these businesses also have to comply with federal overtime laws, the Family Medical Leave Act and any other national or local laws that are enacted. SwipeClock provides a comprehensive array of workforce management and time tracking tools that can help businesses more easily stay in compliance with local and national laws.
Records are effortlessly kept for years, and accrual is automatically tracked and reported to employees according to state and city laws.
Additionally, with geo-timekeeping clocks, businesses can effortlessly track time worked in specific cities to ensure compliance.
Written by Annemaria Duran. Last updated on December 27, 2017