What is BIPA? BIPA was enacted in 2008 in response to growing concerns about the use and disclosure of biometric information and the growing risk of identity theft. BIPA makes it unlawful for employers to collect an employee’s biometric information without notice and consent. Unlike similar laws in other states, BIPA expressly regulates employer conduct. Key provisions of the law include the following:
- Definition of Biometric Information. Biometric information is broadly defined to include any “biometric identifier” such as a retina or iris scan, fingerprint, or the scan of a hand or face. Significantly, the definition also includes any information based on a biometric identifier, which includes the size or measurement of an employee’s fingerprint. Many timekeeping systems store measurements associated with an employee’s fingerprints – not the actual fingerprint. Collecting these measurements is subject to BIPA.
- Notice and Consent Requirements. Under BIPA, employers are required to:
  - Inform employees that biometric information is being collected and the purpose for the collection.
  - Inform employees how long the biometric information will be retained.
    - BIPA requires employers to permanently destroy biometric information when the initial purpose for collecting the information has been satisfied or within 3 years, whichever occurs first.
  - Obtain employees’ written consent to collect the biometric information.
  - Develop a written policy establishing a retention schedule and guidelines for permanently destroying biometric data.
  - Comply with the written policy.
  - Protect the biometric information from unlawful disclosure.
- Additional Prohibitions: Employers cannot sell, lease, trade or otherwise profit from the biometric information, and they cannot disclose or otherwise disseminate the information unless the employee consents.
- Penalties for Violations: BIPA allows an employee to sue to recover the greater of actual damages or $1,000 per violation ($5,000 if the violation was intentional or reckless).
Are there defenses to BIPA lawsuits? The best defense to a BIPA lawsuit is to develop in advance the required written policy and provide employees the required written notices. Employers should also require that employees sign a written release – consenting to the collection and storage of the biometric data – as a condition of employment. For those employers already in litigation, some have successfully argued that there has been no actual harm to the employee when the only violation was a failure to provide notice or obtain written consent. In some instances, courts have held that “bare procedural violations” of BIPA (i.e., failing to notify and obtain requisite consent) – without additional allegations of wrongful use or disclosure of biometric information resulting in harm – were insufficient to state a valid claim against the employers. There is significant litigation risk, however, which can easily be avoided by addressing the BIPA issues in advance.