COVID-19 and the Illinois Biometric Information Privacy Act

May 13, 2020

The COVID-19 pandemic has forced much of the American workforce online, where employers are making use of a variety of platforms to facilitate remote work. Some of these platforms involve video recording or access by fingerprint, face scan, or retina or iris scan, which may result in the capture and storage of sensitive biometric information. As workplaces reopen, there may well likely be an uptick in the collection of biometric data as employers turn symptom screening technologies that collect biometric data, such as contactless thermometers that identify particular employees through facial recognition technology and look to facial recognition and retina or iris scanning technologies to facilitate contactless security access.

If you work in Illinois, your employer must comply with the Illinois Biometric Information Privacy Act (BIPA) when collecting and storing sensitive biometric information. Should your employer fail to do so, you may have a legal claim for invasion of privacy.

What Is A Biometric Identifier and What Is Biometric Information?

Under BIPA, a “biometric identifier” includes “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” The law defines “biometric information” as “any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual.”

Does BIPA Apply to COVID-19 Screening?

BIPA specifically excludes several categories of information from the definition of “biometric identifier,” including “biological samples used for valid scientific testing or screening.”

Generally, BIPA does not govern COVID-19 testing or temperature screening that may be administered by an employer. The act does apply, however, if an employer uses screening technology that captures a “retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry,” such as a contactless thermometer that uses face scan technology to identify employees before taking their temperatures.

BIPA’s History

BIPA was passed in 2008 to protect the public from the unique and largely unknown risks associated with the collection and storage of biometric identifiers and biometric information. The statute imposes several requirements on private entities that possess or collect biometric data, requiring them to:

  • Develop and publish a written policy for the retention and destruction of biometric identifiers and information;
  • Provide written notification informing individuals that their information will be stored and collected, the purpose of storage and collection, and the length of time information will be stored. BIPA requires entities to obtain prior written release from individuals before collecting and storing their biometric identifiers; and
  • Store biometric identifiers and information using a reasonable standard of care, consistent with the standard used in the entity’s industry, and which is as protective if not more protective than methods the entity uses to protect other sensitive and confidential data.

In addition, BIPA prohibits entities from selling or profiting from the use of biometric data and prohibits the disclosure of this information without written consent, subject to certain exceptions.

Enforcing Your Rights and Recovering Damages for BIPA Violations

If your employer collects your biometric information without providing notice and obtaining a written release, or before publishing a written policy, you may be able to enforce your rights and the rights of your coworkers through a class action lawsuit. Similarly, if you believe your employer or a third-party vendor is not safely storing your biometric data, has disclosed your biometric information, or has sold your biometric data, you could also file an individual or class action suit.

An employee bringing a successful BIPA claim can recover actual damages (the economic harm they incurred for the violation) or $1,000 in liquidated damages per violation, whichever is greater, plus attorneys’ fees and costs. If an employee can prove the violation was intentional or reckless, they may recover $5,000 in liquidated damages per violation. Also, a court may order the employer or vendor that violated BIPA to comply with the law and make necessary changes to workplace practices, policies, and procedures.

Proof of actual harm isn’t necessary. Employees may recover liquidated damages under BIPA even if the only harm suffered was the violation of their rights. Additionally, employees working in Illinois and having biometric information collected in Illinois may be protected by BIPA even if their employers are based in a different state.

COVID and BIPA in the Courtroom

Since the beginning of the COVID-19 crisis, there has been at least one class action lawsuit claiming BIPA violations. In H.K. v. Google LLC, a federal case in California, a father suing on behalf of his two students has alleged that Google violated BIPA and the federal Children’s Online Privacy Protection Act, by “collecting, storing, and using the personally identifying biometric data of millions of school children throughout the country (including thousands in Illinois)… without seeking, much less obtaining the requisite informed written consent from any of their parents or other legal guardians.” As employers turn to tools and services similar to the G-Suite for Education platform at issue in H.K. v. Google, employees and others concerned about their personal privacy are likely to enforce their rights through litigation.

If you work in Illinois are concerned an employer or third-party vendor violated your BIPA rights, please contact us today.

(*Prior results do not guarantee a similar outcome.)