It’s the same with retinal scans, iris scans, voiceprints, palm prints, hand scans, face scans, etc., and the same for customer information, and it’s all because of the Illinois Biometric Information Privacy Act (BIPA) thanks to a recent opinion from the Illinois Supreme Court. You can read the Illinois Supreme Court’s opinion on the issue in Rosenbach v. Six Flags Entertainment here (link).

The case is about Six Flags’ collection of a fingerprint from a customer without providing the proper notice under BIPA. Section 15 of BIPA delineates the notice, collection, retention, and disclosure requirements and applicable restrictions for a company capturing someone’s biometric information in Illinois. Among them is the requirement to give written notice describing what biometric information is collected, and for what purposes, accompanied by a written release or consent from the individual before the company collects the information.

After vacillating district and appellate court opinions about whether an actual injury is necessary to trigger the minimum $1,000.00/$5,000.00 statutory damages scheme enforced by the Illinois Biometric Information Privacy Act (BIPA) (that’s per person, and the 5x multiplier is the difference between a simple negligent violation and a reckless or intentional one), the Illinois Supreme Court finally weighed in. The Court found in Rosenbach that no actual injury is necessary to receive the liquidated damages – a simple violation of the statute gives rise to the right to recover this award.

Illinois is one of only three states with a biometric information privacy act (Texas and Washington, in case you were wondering), and it is the only one that combines a statutory penalty with a private right of action allowing the aggrieved to pursue a civil remedy. The statutory penalty gives the right teeth; the ability to pursue a class action on behalf of every person someone collected information from gives those teeth a razor’s edge and puts them in the mouth of a bloodthirsty chupacabra.

So what does this mean for you? Here’s a scenario:

Say you have 26 workers and you use an employee timekeeping system that has them scan their fingerprint to check in – unless you properly obtained their consent to take their fingerprint before you put them in the system, that’s $26,000 plus attorneys’ fees you owe when they sue you. And if you’re found to have intentionally violated the statute, that’s $130,000.00 plus whatever attorneys’ fees and costs come to.

The Takeaway: Stop collecting this information … or get compliant with all the necessary disclosures and processes for keeping, securing, tracking and eventually destroying this information. Seriously, this is a big deal – for those looking to get compliant, start by:

  1. Creating proper and publicly available policies controlling the collection, storage, use and destruction of the biometric information you are collecting;
  2. Getting a written authorization for collection and release from employees (or customers) BEFORE you collect the information or put it to use;
  3. Maintaining the information you collect in a proper fashion (pursuant to a written policy that you can show meets a reasonable standard of care within your industry) – at least with the same protections and the same care you apply to other confidential and private info like credit card numbers, SSNs, etc.