The Illinois Biometric Information Privacy Act has been in effect since 2008. There has been little awareness of this law until this year. Between July 2017 and October 2017, there have been at least 26 class action suits filed in the Illinois state courts by employees against their employers alleging violations of the Act. Companies being sued have included Intercontinental Hotels, Mariano's, Zayo Group, Peacock Foods, Superior Air Ground Ambulance Service, Bob Evans Restaurants, Hyatt Corp. and Alliance Ground International.
The Act applies to any private entity in possession of biometric identifiers or biometric information. What is a biometric identifier? It includes a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Biometric information means any information based on an individual's biometric identifier used to identify an individual. Most of the lawsuits filed to date have been against employers who use fingerprinting as part of a timekeeping system.
The Act requires businesses collecting biometric identifiers or biometric information to develop a written policy establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information and making such policy available to the public. The Act also requires that no business will collect, capture, purchase or receive a person's or customer's biometric identifier or biometric information unless (1) it informs the person that a biometric identifier or biometric information is being collected or stored; (2) it informs such person the specific purpose and length of term for which the biometric identifier or biometric information is being collected, stored, and used; and (3) receives a written release from the person. The Act also restricts the business from selling or disseminating a person's biometric identifier or information, and requires that the business use reasonable care in storing, transmitting and protecting the biometric identifier or information.
The Act permits any person aggrieved by a violation of the Act to bring a lawsuit in state court (or a supplemental claim in an existing federal court claim). The person can recover at a minimum $1,000 for each violation resulting from the business' negligence in not complying with the Act, or $5,000 for each violation resulting from the business' intentional violations of the Act. If the person has actual damages higher than those amounts, the actual damages will be awarded to them. The Act also provides for the award of attorney's fees and costs.
What should an Illinois business do if it currently collects biometric identifiers from employees or customers of the business? If the company wants to continue this collection, it should immediately take steps to prepare the required written policy, establish procedures for notifying the employees or customers in writing of the collection and obtaining written releases, establish procedures for safely destroying the biometric identifiers and information when it is no longer needed, and provide for necessary safeguards to protect the biometric identifiers and information collected. Businesses may also want to consider offering some consideration to employees in exchange for a release of claims.
Franchisors who provide or designate software or point of sale systems for use by franchisees that collect biometric identifiers should take note of this law if they have franchised locations in Illinois. Currently Illinois and Texas are the only states that have biometric privacy laws.