Opening a door by using a retinal scan or clocking into work using a fingerprint scan was once the stuff of science fiction. Yet today, biometric technology is a part of everyday life, from enabling us to open our cell phones, to scanning a fingerprint on a biometric timeclock, to using a retina scan to gain access to a baseball stadium. Biometric technology is poised to increase dramatically in the near future.

What is biometric data?

Generally, it is a measure of the unique biological or behavioral characteristics of an individual, such as a fingerprint, voiceprint, hand or retina scan. More and more, biometric data is used for identification and/or authentication, as it can be more secure than a password. For example, banks are using biometric data for ATM access and employers are using fingerprint scans for timeclocks and access to secure areas.

There is currently no federal law that regulates biometric information privacy. However, as is often the case when there is an absence of federal law, state law may fill the gap. State lawmakers in Illinois, Texas and Washington, concerned about the increased use of biometric information, enacted biometric information privacy laws to protect consumers and employees.¹ However, because the Illinois Biometric Information Privacy Act (BIPA or the Act) is the only biometric privacy law as of May 2020 that contains a private right of action, almost all of the litigation regarding biometric privacy has been under BIPA. And, although the law took effect in 2008, the past few years has seen an explosion of class action lawsuits alleging violations of BIPA.

How does BIPA affect companies?

BIPA regulates the collection, storage, use and destruction of biometric Identifiers and biometric information. The law defines biometric identifiers as a retina or iris scan, fingerprint, voiceprint, or scan of the hand or face geometry.² BIPA also protects biometric information, which is defined as any information, regardless of how it is captured, converted, or stored based upon an individual’s biometric identifier and used to identify an individual.³ Prior to collecting biometric identifiers or information, a company must implement a publicly available policy which includes a retention schedule and destruction procedures. Most importantly, prior to collecting biometric identifiers and/or information, a company must first provide written notice providing the reason for the collection of the data and the length of time it will be used or retained, and must obtain written consent.⁴

BIPA requires a company to protect biometric identifiers and information using the reasonable standard of care prevalent in its industry, but in a manner that is no less protective than the ways in which that same company protects its other confidential and sensitive information.⁵ BIPA prohibits a company from disclosing or re-disclosing biometric data unless one of the following occurs:

• The individual grants consent
• Disclosure completes a transaction authorized by the individual
• Disclosure is required by federal, state or local law
• Disclosure is required by a warrant or subpoena⁶

Selling, leasing or otherwise profiting from biometric data is also prohibited.⁷ Lastly, employers must destroy biometric data once the initial purpose for collecting the biometric data has ended or three years after the employee’s last interaction with the employer, whichever comes first.⁸

What kind of exposure do companies face under BIPA?
 

If a consumer or employee sues under BIPA and prevails, he/she may recover actual damages or $1,000 per negligent violation or $5,000 per intentional violation in liquidated damages, plus attorneys’ fees.⁹ Although these numbers may appear relatively small, damages under the Act can be significant because alleged violations of biometric privacy rights typically involve numerous consumers or employees. In a recent case, with a class of at approximately 300 employees who had used biometric time clocks over a two and a half year period, the court acknowledged that the potential damages could exceed $5 million.¹⁰

BIPA does not expressly define what constitutes a “negligent violation,” an “intentional violation,” or even a “violation.” For example, in the context of a biometric time clock, it may be debatable whether the violations are counted based on each affected employee or based on each fingerprint scan. Although BIPA took effect in 2008, it wasn’t until 2017 that a significant amount of litigation arose under the Act. This trend was accelerated in early 2019 when, in Rosenbach v. Six Flags Entm't Corp.,¹¹ the Illinois Supreme Court held that an “actual injury” or adverse effect was not required under BIPA. Rather, the Court held that a technical violation alone was sufficient to allow a plaintiff to recover damages under the Act. By making it easier to file a lawsuit under BIPA, the Rosenbach decision opened the floodgates for a significant increase in BIPA filings. In the ten years before Rosenbach, there were 173 BIPA cases, while in the eleven months afterward, approximately 260 BIPA cases were filed (approximately an 18x greater filing rate).¹²
 

How should companies respond?

It is important for all companies to take the following steps regarding biometric data:

• Determine what, if any, biometric information the company collects.
• Review with their legal counsel applicable biometric information privacy laws.
• Create appropriate policies and procedures, including biometric data protection protocols.
• Advise consumers (or employees) what information is being collected, how it will be collected, maintained, shared and destroyed, and obtain written consent when required.
• Determine if vendors collect biometric data and, if so, discuss compliance. Consider including compliance requirements in vendor contracts.

For companies that collect biometric data from Illinois residents, it is imperative that they review the requirements of BIPA and ensure compliance with its written notice and consent, data protection, disclosure and other requirements. Although a company may incur some expense to comply with BIPA’s requirements, as noted in the Rosenbach case, that expense will pale in significance compared with the potential liability for failing to comply.

_{¹Other states are considering, or have enacted, similar laws.}

_{²It does not include items such as writing samples, written signatures, photographs, demographic data, and physical descriptions. 740 ILCS 14/10}

_{³It does not include biological materials regulated under the Illinois Genetic Information Nondiscrimination Act of 2008 (GINA) or Information collected in a health care setting or collected or used for health care treatment. 740 ILCS 14/10.}

_{⁴740 ILCS 14/15(a), (b)}

_{⁵740 ILCS 14/15(e)}

_{⁶740 ILCS 14/15(d)}

_{⁷740 ILCS 14/15(c)}

_{⁸740 ILCS 14/15(a)}

_{⁹740 ILCS 14/20}

_{¹⁰Peatry v. Bimbo Bakeries, 393 F. Supp 3d 766 (2019)}

_{¹¹2017 IL App (2d) 170317, appeal allowed, 98 N.E.3d 36 (Ill. 2018), and rev'd, 2019 IL 123186 (Jan. 25, 2019)}

_{¹²The New Class Action Frontier Under Illinois Privacy Law, Law360, January 16, 2020. https://www.law360.com/articles/1234424}

_{The information, examples and suggestions presented in this material have been developed from sources believed to be reliable. However, this is not legal advice, and CNA cannot accept responsibility for its applicability to your specific circumstances:  no one should act on the basis of this article without first seeking appropriate professional advice, including advice of legal counsel, based on a thorough examination of their individual situation, relevant facts, laws, and regulations.  This material is for illustrative purposes and is not intended to constitute a contract. Please remember that only the relevant insurance policy can provide the actual terms, coverages, amounts, conditions and exclusions for an insured. All products and services may not be available in all states and may be subject to change without notice. “CNA" is a registered trademark of CNA Financial Corporation. Certain CNA Financial Corporation subsidiaries use the "CNA" trademark in connection with insurance underwriting and claims activities. Copyright © 2020 CNA. All rights reserved.}