Ever since the enactment of the Illinois Biometric Information Privacy Act (BIPA), we have been watching the development of laws around the collection, use, disclosure and retention of biometric information. In general, BIPA and the biometric information privacy laws enacted since BIPA require any company that collects biometric information, such as fingerprints, voice recognition, retinal scans or facial scans, to notify the individuals from whom it is collected that the biometric information is being collected, the purpose for which it is being collected and used, to whom it is being disclosed, and how long it is being retained. The laws usually require companies to put appropriate security measures in place to protect the biometric information.

Litigation is rampant with BIPA and other biometric information privacy laws. For instance, recently, a fast food chain was sued for using voice recognition technology in its drive-through facilities without providing notice to consumers and obtaining consent.

The reason for these laws is pretty clear: this information is highly sensitive and unique to each person, and if it is compromised, the consequences could be significant or even catastrophic for the people whose information is compromised. As I say, we have only one face, one set of fingerprints, a unique voice, and two irises. If a bad actor were to get ahold of this unique information, they could use it for nefarious purposes, including to steal our identity in very significant ways.

These laws, similar to the California Consumer Privacy Act (CCPA), include a private right of action if the company fails to comply with the provisions of the law. This means that if a company does not provide notice of the collection, use, disclosure and retention of the information, or if there is a compromise of the information, individual consumers can sue the company directly for failing to comply with the law, without showing actual harm, damages or consequences. This can lead to costly litigation.

It is hard (but necessary) for a full-time privacy professional like me to keep up with these laws, let alone businesses that are not focused on this area of law. Biometric laws are popping up like drone laws used to pop up back in the day on the state, county, city and municipal level. For instance, the City of New York has enacted a biometric law that becomes effective next month. It applies to a “commercial establishment” in New York City, which means “a place of entertainment, a retail store, or a food and drink establishment,” and requires the business to place a “clear and conspicuous sign near all of the commercial establishment’s customer entrances notifying customers in plain, simple language…that customers’ biometric identifier information is being collected, retained, converted, stored or shared, as applicable.” The law further prohibits the sale of biometric information.

The New York City ordinance differs from BIPA and other state laws in that it (1) does not apply to employees of companies; (2) does not apply to financial institutions; and (3) does not apply to governmental entities. The similarity of the statutes, however, is that they both contain a private right of action for consumers. The New York City law states that an aggrieved person can sue the company for a violation of the law after first giving the company thirty days’ notice to cure the violation. This is similar to the private right of action in the CCPA (an individual may seek damages of $500 for each violation, up to $5,000 for each intentional or reckless violation, and receive reasonable attorneys’ fees and costs, expert witness fees, litigation expenses and injunctive relief).

New York City establishments—take note. Other establishments—understand that this is a rapidly developing area of privacy law that is difficult to monitor and may be tricky to comply with on a national, state, and municipal level. If you are collecting any biometric data from employees or consumers, you may wish to consider implementing a biometric information compliance program.

Lifespace Communities Inc. (Lifespace), a retirement community chain with more than 15 communities in eight states, recently settled a class action for $987,850 for its alleged violation of the Illinois Biometric Information Privacy Act (BIPA).

The class action was filed in June 2020 in the U.S. District Court for the Northern District of Illinois by Sabrina Bedford, a former nursing assistant at one of Lifespace’s Illinois communities. Bedford alleged that Lifespace violated BIPA requirements by unlawfully requiring employees to scan their fingerprints to track their work hours without obtaining prior informed consent from employees, disclosing its data-collection practices or its retention policy, or informing employees that Lifespace shares their information with third parties.

In the final approval order, Judge Manish Shah approved the proposed settlement amount, which includes a $10,000 incentive award to Bedford and $330,000 in attorneys’ fees. Additionally, settlement class members are expected to receive approximately $1,150 each.

This is yet another example of consumers pushing for transparency and privacy of their personal information. If biometric data collection is necessary for your operations and your company is collecting biometric data (even outside of Illinois and the reach of BIPA), be aware of the risks associated with this type of data collection and seek guidance on appropriate privacy and security measures and safeguards.