Biometrics are physical or behavioral human characteristics that can be used to digitally identify a person to grant access to systems, devices, or data. Biometrics can come in an array of technologies including facial and/or fingerprint recognition, voice scans, etc. Also, the onset of COVID-19 introduced new uses including facial recognition to track employee temperature checks, and the list goes on.
The Illinois Biometric Privacy Information Act (BIPA) passed in 2008 requires a corporation that obtains a person’s biometric information to: 1) obtain a “written release” from them prior to collection, 2) provide them notice that their information is being collected and stored, and 3) state the duration the information will be collected, stored, and used as well as its specific purpose. The law gives a private right of action to anyone “aggrieved” under the statute.
In January 2019, the Illinois Supreme Court ruled that Six Flags Great America in Gurnee, Illinois, was liable for damages after parents sued the theme park after it collected a child’s fingerprints, charging a violation of the Illinois biometric privacy law. The fingerprint scan was part of a nationwide policy that Six Flags rolled out in 2014 as a security process for pass holders to enter and exit amusement parks. The theme park claimed that their biometric procedure did not show harm (“aggrieved”), but the Illinois Court ruled that plaintiffs need not show harm beyond a violation of the law.
Likewise, a former employee at a Chicago hospital filed a suit against them claiming this employee was required to use biometrics to authorize access to the hospital’s nuclear medications and radio areas, and alleged that the employee was never properly informed in writing of the purpose of the biometric data collection or of details about the data’s use. Similarly in July 2020, another hospital in Chicago was sued in a class- action lawsuit alleging that it improperly collected, stored, and disclosed biometric data from employees’ time-tracking fingerprint scans claiming that since 2006 the hospital required employees to scan their fingerprints at the beginning and end of each shift into two different time-tracking and payroll systems, but never obtained their informed consent.
Facebook is facing a $650 million class action lawsuit under Illinois’ BIPA because of their facial recognition technology tags in photos. It started with three different Illinois residents that filed suit against Facebook in 2015, and now includes nearly 1.6 million Illinois Facebook users that believe Facebook violated their rights under BIPA.
This exponential growth in litigations under 2006 BIPA in this ever-expanding technology calls for a re-visit to this policy to ensure that our businesses are being adequately protected.
There are several BIPA reform bills filed this session in Springfield. Two bills that seem promising are HB 559 BIPA-PROCEDURE-LIMIT DAMAGES and 560 BIPA-VIOLATION that would be worthy of further read to make sure you are fully informed.
Reach out if you have questions or would like more information on this topic or other policies impacting your business or organization. I can be reached at (630) 544-3387 or email@example.com.