Public interest continues to shift due to a growing belief
that individuals own their personal information and have the right to control
it. As such, human resource departments can expect to see more employment protections
amid growing regulations affecting human resource data. Several states have enacted
Privacy Acts, including Colorado, Utah, Virginia, California and Illinois.
The Illinois Biometric Information Privacy Act (“BIPA”) is
one of the most restrictive state laws regarding data privacy. BIPA prevents
employers from selling, disclosing or profiting from an employee’s biometric identifiers,
such as retina, hand or face geometric scans or fingerprints, used in the
course of business. BIPA requires the employer to tell the employee that it is
collecting or storing the data, specify why the data is being collected or
stored, how long it will be stored or used, and get written consent.
Under BIPA, the employer must also have a written policy
available to the public describing its retention schedule and guidelines for
permanently destroying that data within the time allotted. During its course of
access to this information, the employer is required to utilize a “reasonable standard of care” to protect
data from disclosure. If the employer negligently fails to comply, it can face
$1,000.00 in liquidated damages per violation. If the employer intentionally or
recklessly violates BIPA, that $1,000.00 becomes $5,000.00. Given this, BIPA
poses a significant risk for class action litigation and consequences of an
incomprehensible number.
A recent $6.9 million class action settlement to resolve
data privacy concerns verifies the necessity for employers to keep data privacy
on their radar. The lawsuit was filed against Little Caesars after Little Caesars used a timekeeping program
that scanned employees’ fingerprints without any prior consent. The Illinois Supreme
Court found that a five-year limitations period applies to BIPA and that a new
accrual period begins each time an employee’s biometric information was scanned
without consent. Two weeks after its decision regarding Little Caesars, the
Illinois Supreme Court held in a separate case against White Castle that an
employee has a separate claim for damages each time a business fails to seek
permission to gather biometric data from workers, and each time the business
fails to disclose its written policy regarding retention.
It is obvious both rulings are found to be detrimental to employers, as an employee who works 300 days a year and clocks in and out using his fingerprint could be entitled to $600,000.00 of damages for just that one year. Thus, employers even in states without statutes similar to BIPA, should consider implementing consent policies and procedures.
