Public interest continues to shift due to a growing belief that individuals own their personal information and have the right to control it. As such, human resource departments can expect to see more employment protections amid growing regulations affecting human resource data. Several states have enacted Privacy Acts, including Colorado, Utah, Virginia, California and Illinois.
The Illinois Biometric Information Privacy Act (“BIPA”) is one of the most restrictive state laws regarding data privacy. BIPA prevents employers from selling, disclosing or profiting from an employee’s biometric identifiers, such as retina, hand or face geometric scans or fingerprints, used in the course of business. BIPA requires the employer to tell the employee that it is collecting or storing the data, specify why the data is being collected or stored, how long it will be stored or used, and get written consent.
Under BIPA, the employer must also have a written policy available to the public describing its retention schedule and guidelines for permanently destroying that data within the time allotted. During its course of access to this information, the employer is required to utilize a “reasonable standard of care” to protect data from disclosure. If the employer negligently fails to comply, it can face $1,000.00 in liquidated damages per violation. If the employer intentionally or recklessly violates BIPA, that $1,000.00 becomes $5,000.00. Given this, BIPA poses a significant risk for class action litigation and consequences of an incomprehensible number.
A recent $6.9 million class action settlement to resolve data privacy concerns verifies the necessity for employers to keep data privacy on their radar. The lawsuit was filed against Little Caesars after Little Caesars used a timekeeping program that scanned employees’ fingerprints without any prior consent. The Illinois Supreme Court found that a five-year limitations period applies to BIPA and that a new accrual period begins each time an employee’s biometric information was scanned without consent. Two weeks after its decision regarding Little Caesars, the Illinois Supreme Court held in a separate case against White Castle that an employee has a separate claim for damages each time a business fails to seek permission to gather biometric data from workers, and each time the business fails to disclose its written policy regarding retention.
It is obvious both rulings are found to be detrimental to employers, as an employee who works 300 days a year and clocks in and out using his fingerprint could be entitled to $600,000.00 of damages for just that one year. Thus, employers even in states without statutes similar to BIPA, should consider implementing consent policies and procedures.