Using a fingerprint to clock into work or a retinal scan to open a door was once the stuff of science fiction. Fast forward to today and biometric technology is a part of everyday life. Whether unlocking your cell phone or using a retina scan to gain access to your office, biometric technology is only going to increase in the future.
What is biometrics?
Biometrics is defined as the process by which a person’s unique physical and other traits are detected and recorded by an electronic device or system as a means of confirming identity.
Since biometric identifiers are unique to individuals, they are more reliable in verifying identity than token and knowledge-based methods, such as identity cards and passwords.
“As of May 2020, Illinois’ Biometric Information Privacy Act (BIPA) is the only biometric privacy law that contains a private right of action. Almost all of the litigation regarding biometric privacy has been under BIPA. And, although the law took effect in 2008, the past few years has seen an explosion of class action lawsuits alleging violations of BIPA,” according to Laura Lapidus at CNA Insurance.
How does BIPA affect companies?
BIPA regulates the collection, storage, use and destruction of biometric Identifiers and biometric information. BIPA also protects biometric information, which is defined as any information, regardless of how it is captured, converted, or stored based upon an individual’s biometric identifier and used to identify an individual .
According to The Act, private entities that utilize biometric information must have a written policy, schedule, and guidelines its collection, retention, and destruction. BIPA also requires disclosure and a written release from the subject or employee whose information is going to be collected. It also severely restricts the entity’s right to disseminate biometric information.
In a recent case, Peatry v. Bimbo Bakeries, the court acknowledged that with approximately 300 employees who had used biometric time clocks over a two-and-a-half-year period, the potential damages could exceed $5 million.
How should companies respond?
According to Natalie Prescott of Mintz Lawfirm, to protect your company against allegations involving biometrics, implement the following steps:
- Consider whether use of biometric technology is necessary and appropriate for your business.
- Ensure that the notice discloses why you collect, how you use, how you store, and how you disclose biometric data.
- Include notice of biometric policies in “terms and conditions” and in the privacy policy.
- Obtain written informed consent from each individual, when appropriate.
- Allow individuals to opt out of biometric information collection.
- Stay abreast of the latest legal developments and work with your outside counsel on implementing and updating relevant policies and procedures.