In 2008, Illinois enacted the most stringent biometrics privacy law in the nation. The BIPA requires private entities to follow certain consent, notice and disclosure procedures when collecting, storing or using individuals’ biometric data. With biometric technology becoming more commonplace in commerce and the workplace, the plaintiff’s bar has begun exploring the BIPA as a potentially lucrative new litigation mechanism.
Under the BIPA, biometric data includes a retina or iris scan, fingerprint, voiceprint, scan of hand or face, or any information generated from, or based on, these identifiers. Collectors of biometric data must satisfy several preconditions, including the following:
- Informing the subject in writing that the biometric data is being collected or stored
- Informing the subject in writing of the purpose and length of time the data is being collected for
- Obtaining a written release signed by the subject of the data being collected
- Developing a publicly available written policy regarding how long the data will be kept and how and when it will be permanently destroyed
Additionally, the BIPA requires private entities to follow specific requirements when storing and destroying biometric data. For example, biometric data must be stored in the same manner that other confidential information is kept, may be disclosed only with the subject’s consent or if otherwise required by law, cannot provide an avenue for profit and can be kept only for three years or until the original collection purpose is satisfied, whichever is shorter.
The damages available under the BIPA make it an attractive litigation platform for both single-plaintiff and class actions. Each negligent violation allows plaintiffs to recover actual damages or $1,000, whichever is greater. Each reckless or intentional violation allows plaintiffs to recover actual damages or $5,000, whichever is greater. Prevailing plaintiffs also are entitled to reasonable attorney's fees, costs and other relief, including an injunction.
The BIPA’s stringent requirements and generous damages provisions recently landed several employers in Illinois state and federal courts. In particular, a regional supermarket chain has been accused of violating a class of employees’ rights under the BIPA by collecting employee fingerprints for timekeeping purposes without first obtaining their written consent and explaining how their data would be stored and when it would be destroyed. Similar class action lawsuits recently were filed on behalf of employees against a major gas and convenience store chain and a luxury downtown hotel, as well as their timekeeping provider and data center operator, respectively.
Illinois consumers have also launched class actions against major tech companies, retailers, daycare centers and other businesses related to their facial or fingerprint identification software. While some of these suits were dismissed on the pleadings, others are ongoing or have settled for as much as $1.5 million.
The Evolving Biometrics Landscape
Judicial interpretations of the BIPA during these lawsuits will restrain or embolden further BIPA litigation in Illinois as the scope of the statute continues to be disputed (please see Court Gives Broad Reading to Illinois Biometric Privacy Act). Regardless, the growth of biometric technologies in the workplace is inevitable. Biometric timekeeping devices, for example, are readily available, relatively inexpensive and keep more accurate, easily stored records. The BIPA, and associated litigation, are likely to correspondingly evolve. Additionally, several states including Alaska, Connecticut, Montana, New Hampshire, Texas and Washington either have or are considering laws similar to Illinois’ BIPA.
Implications and Recommendations for Employers
Given the evolving and fragmented legal landscape, some employers have opted to absorb the cost of technology that allows biometrics to be used for timekeeping and security purposes without storing the data. However, so long as employers keep abreast of developments in state and local biometric privacy laws before implementing collection practices, increased technology and litigation costs can be avoided.
Before collecting, receiving or storing biometric data in Illinois, employers should:
- Inform employees in writing of the following:
- that their biometric data is being collected or stored
- the purpose of collecting their biometric data
- the length of time their biometric data will be collected, stored and used for
- Obtain written releases from employees whose biometric data is being collected
- Make publicly available a written policy regarding how employees’ biometric data will be permanently destroyed and whether it will be destroyed within the shorter of three years or when the original collection purpose is satisfied.
Once employers collect biometric data they must also:
- Store, transmit and protect the data from dissemination in the same manner that other confidential and sensitive information is kept and with reasonable care
- Disclose or disseminate the data only if the employee consents to the disclosure, the employee requests the disclosure in order to complete a financial transaction, or if the disclosure is otherwise required by law
- Not sell, lease, trade or otherwise profit from the data
- Keep the data for the shorter of three years or until the original collection purpose is satisfied, as outlined in their publicly available retention and destruction policy
Employers should also adhere to general data collection principles. Limit what data is collected and the length of time it is collected for. Establish policies with safeguards for the handling, dissemination and accessibility of biometrics, both internally and with any external vendors. And, craft a plan for handling potential biometric data breaches.
The Above information is from the following page https://www.jdsupra.com/legalnews/developments-with-the-biometric-30827/
The software owned and or supported by Prime Time has the ability to Delete biometric templates from the software and the time clock itself from the software. If you have questions or need assistance with this please let our staff know and we will be happy to help.
Biometric Hand reader
People's hands and fingers are unique -- but not as unique as other traits, like fingerprints or irises. That's why businesses and schools, rather than high-security facilities, typically use hand and finger geometry readers to authenticate users, not to identify them. Disney theme parks, for example, use finger geometry readers to grant ticket holders admittance to different parts of the park. Some businesses use hand geometry readers in place of timecards.
Systems that measure hand and finger geometry use a digital camera and light To use one, you simply place your hand on a flat surface, aligning your fingers against several pegs to ensure an accurate reading. Then, a camera takes one or more pictures of your hand and the shadow it casts. It uses this information to determine the length, width, thickness and curvature of your hand or fingers. It translates that information into a numerical template.
Biometric Finger Scanner
A fingerprint scanner system has two basic jobs -- it needs to get an image of your finger, and it needs to determine whether the pattern of ridges and valleys in this image matches the pattern of ridges and valleys in pre-scanned images.
Only specific characteristics, which are unique to every fingerprint, are filtered and saved as an encrypted biometric key or mathematical representation. No image of a fingerprint is ever saved, only a series of numbers (a binary code), which is used for verification. The algorithm cannot be reconverted to an image, so no one can duplicate your fingerprints.