The rise of biometric technology in the workplace may leave employees vulnerable to serious misuse or their personal, private biometric data.
The Illinois Biometric Information Privacy Act (BIPA), passed in 2008, allows employees to sue a business or entity that has violated their biometric privacy rights. BIPA allows employees to obtain damages for the unlawful collection, storage, transfer, and retention of their personal biometric information. Biometric information, such as a fingerprint or facial scan, is unique from other types of person information, such as usernames or passwords, in that it is entirely unique to the individual and cannot be changed following a data breach.
The following frequently asked questions (“FAQ’s”) can help employees understand their biometric privacy rights and determine if they have a viable BIPA claim against a business or other entity.
What Qualifies as Biometric Data Under the BIPA?
While almost all employers collect and utilize an employee’s personal data, such as usernames, passwords, or even social security numbers, BIPA protects only personal biometric data. Biometric data is defined under BIPA as “any information . . . based on an individual’s biometric identifier used to identify an individual.” Biometric identifiers are significantly more permanent identifiers than other types of personal information. Under BIPA the following biometric identifiers are protected:
- Facial scans
- Retina or iris scans
- Hand scan
- Identifying information collected from these identifies, i.e., scientific description of fingerprint patterns
However, under BIPA, the following biometric identifiers are not protected, even if an employee’s identity can be derived from them:
- Blood, hair, urine or other biological specimens collected to conduct a drug test
- Handwriting samples
- Physical descriptions of an individual such as height, weight, and eye color
Biometric data typically refers to fingerprint scans, facial I.D., or voiceprint commands used to enter the workplace, access certain areas of a building, or utilize a work computer or phone. BIPA protects biometric data from unlawful use, however, personal identifying information like your name, address, or security number, is not protected under BIPA.
How Is Biometric Data Used in the Workplace?
BIPA was originally drafted to address the use of biometrics in the security and access industry. While biometric data is still used in these areas, recently employers are utilizing the biometric data of employees in new and innovative ways.
The following are some common ways employers utilize employees’ biometric data:
- Physical Security: Using biometric data to allow employees access to certain private areas of their workplace. This can mean biometric data, such as a fingerprint or retinal scan, is used to enter a building, elevator, or office in a way that prohibits unregistered individuals from entering the space.
- Data and Information Security: Employers may require voiceprints, fingerprints, or biometric data for employees to access computers, work phones, programs, or safes in the workplace. This type of data use is typically designed to prohibit unlawful access to confidential workplace data, financials, or trade secrets.
- Health & Wellness Plans: Some employees are required to submit certain health and biological information to an employer-sponsored health insurer or wellness plan. Some of these submissions may qualify as the collection of biometric data under the BIPA.
- Time Management: One of the latest uses of biometric data in the workplace is through biometric time clock systems. These devices typically scan an employee’s fingerprint to clock in and out of the office. This data is then collected to monitor the employee’s time management and attendance. Using biometric data cuts down on fraud, i.e., clocking in for a friend, and helps employers determine whether an employee is abiding by attendance policies.
Do I Have to Consent to Collection of My Biometric Data?
Yes. The Illinois BIPA requires all entities, including employers, to obtain the written consent of the biometric data owner or his/her personal agent to collect, utilize, and store biometric data. This written consent must describe:
- What biometric data is being collected;
- What the data is being collected for; and
- How long the data will be stored.
Failure to obtain informed written consent to collect and utilize an employee’s biometric data can result in employer liability under the BIPA. However, Illinois’ law doesn’t prohibit employers from lawfully collecting or utilizing this data, nor does it protect employees who refuse to provide lawfully requested biometric data. Though you do not have to provide the data if an employer has failed to comply with the requirements of BIPA. Additionally, you may have a claim under federal and state employment discrimination and whistleblowing laws if your employer retaliates for your refusal to provide unlawfully requested biometric data.
BIPA states an employee must be informed of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used, or the consent is not informed. This means that an employer must obtain updated written consent each time the employer elects to use the employee’s biometric data in a new way. So, even if you’ve already consented to the use of your thumbprint for building access, an employer still must obtain new consent to use your fingerprints in a different way, such as to track time management.
You may have a claim under the BIPA if an employer is using your biometric data in a way you didn’t explicitly consent to in writing. Blanket consents, i.e. stating that the employer may “use biometrics for any purpose,” may not be sufficient to meet BIPA requirements.
What’s the Best Way to Protect my Biometric Data?
Being aware of an employer’s biometric data collection, storage, and destruction policies is the best way to safeguard your biometric data. Every employer collecting biometric data in Illinois is required to have a publicly available policy describing how that data is protected. An experienced Chicago biometric data litigation attorney can review this policy to ensure compliance with BIPA standards. Ask your employer what steps it’s taking to safeguard your biometric data and be vigilant in ensuring your employer is operating in accordance with its public biometric use policy and within the confines of your informed consent. Even a minor violation or deviation may be evidence of more serious employer BIPA violations.
Call Us Today to Speak with a BIPA Violation Attorney in Illinois
At Werman Salas P.C., our attorneys are experienced in employee biometric and privacy rights litigation and can help employees determine whether they can recover damages for an employer’s failure to comply with the BIPA. We may also be able to assist employees who have been wrongfully terminated or threatened for refusing to comply with or reporting unlawful biometric data policies. Contact our experienced Chicago BIPA class action and individual employment litigation attorneys at 321-419-1008 or online for your free employee privacy rights consultation.