Can You Sue Someone Over Fingerprints or Other Biometric Data?
These days, more and more companies are using employees’ fingerprints, face recognition, or other biometric data for security and administrative functions. This technology has made many things more convenient and accurate. And most workers don’t mind. After all, touching a fingertip to a scanner to clock in and out, for example, is quicker and easier than manually filling out a timecard.
However, the use of biometric data does raise some questions about personal privacy. Does a boss need permission to collect this information? What if the company misuses it in some way? Can an employee sue them if they do?
Businesses have the right to require biometric data, but there are only a handful of states that have legislation protecting the employee’s privacy. Illinois was the first to enact biometric data privacy laws and has the most strict requirements and the steepest penalties for companies that do not comply. It is important to understand the rules to make sure your data is secure and your right to privacy is intact.
What Is Biometric Data?
Anyone with a smartphone that uses a fingerprint or face ID is already using biometric data. Additional examples are retina scans, voice recognition, and DNA. The term refers to any human characteristics that are unique to an individual and can be used for identification and authentication.
Some may use the phrases biometric data and Personal Identifiable Information (PII) interchangeably. Is biometric data PII? Yes, it is. But PII is any form of personal data, including things that are not related to the human body. Examples are age, gender, date of birth, social security number, and phone number.
PII can be used to verify someone’s identity, but it can also be more easily duplicated or stolen than biometric data. Biometric data is the only way to be certain that someone is who they say they are.
Why Some Employers Collect Biometric Data
The unique nature of biometric data is why it is so useful to companies. These are some of its uses that are common in the workplace:
- Employee identification. Biometric data can not be lost, stolen, or copied like a key card or employee ID can.
- Attendance. Scanners can track the precise moment when employees clock in and out for more accurate record-keeping and payroll. There is also no way for someone to clock in or out for a coworker.
- Access to restricted areas and equipment. Doors, elevators, machinery, computers, and facilities can all be programmed to only give access to certain people.
- Tracking productivity. Just as attendance can be tracked with biometric data, so can a worker’s speed and accuracy as they do their job. Some employers can even monitor keystrokes and activity on work computers.
The technology used to collect this data usually consists of a scanner to read a fingerprint, eye, or face, and software to analyze and store the data.
How the Illinois BIPA Law Protects Employee Privacy
Illinois was the first state to address employee rights regarding biometric data, passing legislation in 2008 with the Biometric Information Privacy Act (BIPA). Texas and Washington followed with similar statutes. In the past three years, California, New York, and Arkansas followed suit.
The Illinois law, however, requires more from employers than the other states. Before any data is collected or stored, these things must happen under BIPA:
- The company must explain the following, in writing:
- What data they will collect and how they will use it
- How the data is to be stored and how they will protect it
- When and how the data will be destroyed
- The employee must provide written consent to the above
- The company must publish these policies and make them publicly available
In addition, it is illegal for businesses to misuse biometric data in any of the following ways:
- Sharing or selling the data to a third party without the employee’s consent
- Failing to protect the data from exposure to cyber-attacks or hacking
- Revealing personal information to anyone, including law enforcement, without a court order or subpoena
Illinois Laws Compared to Other States
In Illinois, employees do not have to suffer any harm from the misuse of their data. Simply failing to disclose the data collection and get written consent is enough to open up a company to liability. The fine is $1000 for each violation, and $5000 if it is deemed reckless and intentional. The company must also pay court costs and attorney fees.
Let’s say a company innocently forgets to tell a new employee about their fingerprinting system and does not get written consent. That employee could potentially collect $1000 for every instance when their fingerprint was scanned.
Illinois also has no cap in place for damages, unlike Texas which has a $25,000 limit. If the employee was harmed (for example their biometric data was compromised and their identity stolen) they could collect a significant amount.
Another way that Illinois differs is it allows any individual to file suit against their employer. In other states, the action must be taken by the attorney general. This means that Illinois residents can contact an attorney like Hipskind & McAninch to begin the process of seeking compensation.
What to Do If Your Employer Is Using Your Biometric Data Illegally
Using biometric data is already widespread. As technology advances, it will become common across all industries. Laws protecting personal privacy are certain to follow. While businesses have the right to collect this information, Illinois companies must follow BIPA.
Do you use biometrics at work to clock in or gain access to the building? Is your boss following these rules? If not, you could be entitled to compensation. Although the statute of limitations in Illinois is five years, it is best to get started as soon as possible. Contact Hipskind & McAninch to discuss your concerns. We are happy to review your situation to see if your case has merit.