A spate of large Biometric Information Privacy Act settlements in Illinois and the prospect of future legislation in other U.S. jurisdictions are forcing companies to think long and hard about whether—and how—to roll out biometric technology.
Employers with hundreds or thousands of employees sometimes turn to biometric timekeeping systems, which use fingerprint, face, or palm scans to verify workers’ identities, to save time and cut down on fraud. But those tools and ones like it are being reconsidered in the wake of high volumes of litigation, recent plaintiff-friendly decisions, and other legal risks, attorneys say.
“Some companies that have been tagged in these types of lawsuits or are aware of the risks are moving away from biometric timekeeping systems,” said Dmitry Shifrin, an attorney at Polsinelli PC in Chicago. “Those employers are phasing them out in favor of tech that doesn’t fall into BIPA’s orbit.”
The Illinois Supreme Court last week ruled that the state’s biometric privacy law is not preempted by the Illinois Workers’ Compensation Act, eliminating a key legal defense for employers. Many federal court cases were stayed pending that decision, but now that it’s been decided, those paused cases will resume, Shifrin said.
“If anything now plaintiffs are going to be emboldened,” he said. “I don’t see these cases going away anytime soon unless the Illinois legislature amends the law.”
Recent settlements include a $2.6 million deal with Top Golf USA Inc. and a $1 million deal with retirement community chain Lifespace Communities Inc., both of which resolved claims the companies collected workers’ fingerprints without their consent.
Illinois isn’t the only state with a biometric privacy law on the books—Texas and Washington also have statutes. But the llinois law poses more danger to companies because it has a private right of action, allowing consumers and employees to sue over alleged violations of the law.
That litigation risk is causing some companies to avoid including Illinois in their biometric rollout plans, as many want to use the innovative technology but aren’t willing to risk pricey litigation, said David Saunders, a partner at McDermott Will & Emery in Chicago.
“If you’re not compliant with the law in Washington or Texas, the outcome is likely a conversation with the attorney general,” Saunders said. “You’re not bogged down with litigation that will cost you six figures—it’s a different risk analysis.”
Still, businesses anywhere should want to do the right thing—telling consumers and workers they’re collecting biometrics and getting their permission, requirements that are hardly onerous, said Ben Whiting, a Chicago-based partner at plaintiffs law firm Keller Lenkner LLC.
“It’s easier to keep data safe and tell your employees what you’re doing than to continue violating the statute and have a whole legal fight once you’re sued,” Whiting said.
And lawsuits continue to happen, even though BIPA has been on the books for over a decade, he said.
“Defendants are upset that they’re being called out with not complying with the law,” Whiting said.
Outside of litigation, businesses are starting to see other risks associated with biometrics, though many opt to continue using them because of their utility, said Ryan Blaney, a partner at Proskauer Rose LLP in Washington.
In mergers and acquisitions, as well as other types of deals, investors have begun to dig more deeply into biometric privacy practices and data collection risks, Blaney said.
“Now, given the number of class action lawsuits we’re seeing and the high settlement amounts, there are so many more questions during due diligence,” he said.
Current litigation trends, and the fact that more states are contemplating passing their own BIPA-like legislation, are forcing companies to focus on whether it makes sense to roll out biometrics, said Molly McGinley, a partner at K&L Gates LLP in Chicago.
And just as a patchwork of general consumer privacy laws makes compliance difficult for companies, a variety of biometric-specific laws and regulations would complicate the compliance landscape, McGinley said.
Kentucky, Maine, Maryland, Massachusetts, New York, and West Virginia are weighing bills similar to BIPA. New York City last year enacted an ordinance that requires signage for businesses employing biometric tools.
Even for states that don’t currently have biometric privacy laws, employees can still sue and allege common law invasion of privacy type claims if they feel their data is being collected improperly or not being well guarded, said Karla Grossenbacher, a partner at Seyfarth Shaw LLP in Washington.
“If that information gets breached, it could trigger data breach notification statutes,” Grossenbacher added.
Such notifications could, in turn, trigger litigation or regulatory scrutiny.
Although future regulations and state laws may cause more companies to pause and beef up their compliance programs, biometrics are still useful for businesses and likely aren’t going away, said David Oberly, an attorney at Blank Rome LLP in Cincinnati.
“Ideally, companies will put compliance preparations in place before new regulations come online,” Oberly said. “There’s a sense of what’s at stake now.”
Bloomberg Law subscribers can find related content on our In Focus: Biometrics page.