Wilson Elser Moskowitz Edelman & Dicker LLP

June 22, 2023 - Recent adverse rulings have demonstrated that no matter how fast companies run, they cannot hide from class actions and potentially astronomical damages awarded under the Illinois Biometric Information Privacy Act (BIPA). Moreover, in a recent spate of coverage decisions, courts have held that companies cannot necessarily count on their insurers to foot the bill for defense or damages in these cases.

Under the circumstances, companies should take heed and ensure they are in compliance with BIPA's consent requirements prior to collecting, processing, storing or sharing the biometric data of individuals. This article, the first part of a three-part series, offers insights and exposition of the state of laws vital to the security of private information under BIPA.

Overview

Enacted in 2008, the Illinois BIPA requires entities that collect or use biometric data to maintain policies and procedures to use this data securely and transparently. BIPA prohibits entities from selling or profiting from individuals' biometric information. The goal of BIPA is to prevent the misuse of biometric identifiers in light of the personal and immutable nature of biometric identifiers as authentication and verification tools compared with other identifiers such as a password.

BIPA applies to all private entities that operate or do business in Illinois, regardless of where they are headquartered or incorporated. A private entity is defined as any person, partnership, corporation, limited liability company, association or other group. State and local governments and their agents and contractors are excluded. It is important to note that Illinois courts must have specific personal jurisdiction over companies that are headquartered and incorporated outside of Illinois in regard to BIPA.

BIPA requires notice to individuals of the nature and purpose of the collection of biometric information, including the:

• Type of biometric data;

• Specific purpose of the collection;

• Time period of collection and storage of the data.

Obligations for covered entities under BIPA include:

• A written retention and destruction policy for biometric information;

• Restrictions on obtaining biometric information;

• A prohibition on profiteering from biometric information;

• Restrictions on sharing biometric information;

• A security program to ensure the safe collection and storage of biometric identifier data.

Biometric identifiers under BIPA include fingerprints, voiceprints, retina scans, hand scans or face geometry. Identifiers do not include biological data collected for health or medical purposes such as those defined under the Illinois Anatomical Gift Act, Genetic Information Privacy Act, or other similar acts that regulate biometric identifiers and data for the privacy of individuals.

Generally, photographs are not considered biometric identifiers. However, in Sosa v. Onfido, Inc., No. 20-CV-4247, 2022 (N.D. Ill. Apr. 25, 2022), the court held that photographs are included as biometric identifiers if the pictures are used, collected or stored for purposes of a facial geometric scan or similar purpose to authenticate an individual's identity.

Negligent violation of BIPA may result in damages equal to the greater of $1,000 per violation or actual damages. Intentional or reckless violation of BIPA may result in damages equal to the greater of $5,000 per violation or actual damages.

Other biometric privacy laws

While the Illinois BIPA is one of the most widely recognized in the United States, with the threat of sizeable statutory damage awards "per violation," other states have enacted laws governing the collection, storage and use of biometric data.

Texas

Similar to Illinois BIPA, the Texas Capture or Use of Biometric Identifier Act (CUBI) defines biometric identifiers as fingerprints, voiceprints, retina or iris scans, and hand or face geometry. CUBI bars capturing biometric identifiers for commercial purposes, unless notice and consent is first given.

However, the Texas CUBI does not specify the method of consent required, unlike the Illinois BIPA. CUBI bars selling or disclosing biometric identifiers, with very limited exceptions, and requires protection and confidentiality of data and deletion within a reasonable time frame (but not later than one year after the purpose of the data expires). CUBI provides for a civil penalty up to $25,000 for "each violation," and is enforceable only by the Texas Attorney General.

California

Another law similar to BIPA is California Labor Code §1051, an obscure provision, which provides in relevant part:

[Any] person or agent or officer thereof, who requires, as a condition precedent to securing or retaining employment, that an employee or applicant for employment be photographed or fingerprinted by any person who desires his or her photograph or fingerprints for the purpose of furnishing the same or information concerning the same or concerning the employee or applicant for employment to any other employer or third person, and these photographs and fingerprints could be used to the detriment of the employee or applicant for employment is guilty of a misdemeanor.

In short, California labor law makes it a misdemeanor for an employer to require an employee to be fingerprinted as a condition of employment if the employer plans to provide the information to a third party and if the information could be used to the employee's detriment.

New York

New York Labor Law prohibits employers from fingerprinting employees as a condition of employment or continued employment unless specifically authorized by another law. N.Y. Labor Law § 201-a. On April 22, 2010, the New York Department of Labor issued an opinion clarifying that it is prohibited under the law to capture a fingerprint, even if it is not stored. Voluntary fingerprinting of employees is not prohibited under this law. However, employees cannot be coerced into volunteering.

Colorado

Colorado requires employers to develop policies to properly secure and dispose of paper and electronic documents containing "personal identifying information," which is defined to include biometric information. Colo. Rev. Stat. Ann. § 6-1-713(1), (2).

North Carolina

North Carolina includes biometric data attached to a person's name as personal information for purposes of its Identity Theft Protection Act. N.C.G.S. 75-61, 65. Entities that have such information must take reasonable measures to protect it against unauthorized access. In addition, North Carolina requires development and implementation of policies relating to the proper disposal of this information.

Florida

Florida bars public schools from collecting, obtaining or retaining any biometric information from students or their immediate family members. Fla. Stat. § 1002.222(1)(a).

The table below cites proposed laws that are similar to BIPA in many respects — including compliance and consent requirements, statutory damages and permitting an individual to bring a private right of action.

