Tag Archives: Biometric Data

Hotel Workers’ Claims under the Biometric Information Privacy Act Are Not Subject To Arbitration Clause

Contributed by Michael Faley, May 7, 2019

In only the latest of potential blows to companies that collect or use biometric data, an Illinois Appellate Court has ruled that claims brought by employees of the Four Seasons luxury hotel for alleged violations of the Illinois Biometric Information Privacy Act (BIPA) are not subject to arbitration under the workers’ respective employment agreements with the hotel. Liu v. Four Seasons Hotel, Ltd., 2019 IL App (1st) 182645.

Lock on the converging point on a circuit, security concept

The BIPA was enacted to protect the privacy of individuals’ biometric data. It governs the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information, which includes retina or iris scans, fingerprints, voiceprints, or scans of “hand or face geometry.” 740 ILCS 14/1, et seq. BIPA contains a private right of action whereby a party may recover damages of $1,000 (or actual damages if greater) for each negligent violation of BIPA and $5,000 (or actual damages if greater) for each intentional or reckless violation, as well as attorney’s fees, costs, and expenses. Violations can be aggregated—meaning every day a company is not in compliance could serve as a separate “violation.” As reported in this blog, earlier this year, the Illinois Supreme Court lowered the bar for what a complaining-party must show in order to pursue a BIPA case against a company.

In Liu, the employees filed a class action complaint alleging that the Four Seasons violated BIPA through its method of collecting, using, storing and disclosing the employees’ biometric data (their fingerprints) for timekeeping purposes.

The Four Seasons maintained that the employees’ complaint fell within a provision of the employment agreement requiring arbitration of any claim for a “wage and hour violation.” The hotel argued that the sole reason for requiring employees to scan their fingerprints was to monitor the number of hours worked, which necessarily made it a claim for a “wage and hour violation.” However, the Appellate Court disagreed, holding that BIPA is a privacy rights law that applies inside and outside of the workplace. The Appellate Court explained that simply because an employer opts to use biometric data, like fingerprints, for timekeeping does not transform a potential BIPA-violation into a wage and hour claim. As a result, the Appellate Court found that the employees possessed the right to proceed with their claims in court.

Notably, the outcome may have been different had the Four Seasons’ employment agreements contained a broader arbitration clause or otherwise been updated to account for ongoing changes in the law.

To avoid and/or minimize any BIPA issues or potential liability, we continue to recommend that employers take the following steps:

  1. Review policies and procedures and identify if, and when, biometric data, such as retina or iris scans, fingerprints, voiceprints, or scans/pictures of hand or face geometry are being used.
  2. Establish a written policy that addresses the purpose(s) of biometric data use, how it will be collected, and how it will be stored.
  3. Be prepared to address any requests for reasonable accommodations based on disability, religious, or other reasons.
  4. If biometric data might leave a closed system, ensure that proper safeguards are in place, including contractual liability shifting.
  5. Ensure that employees whose biometric data is used acknowledge the policy, and authorize its use and collection.
  6. Train supervisors on the company’s policies and practices to ensure consistency.
  7. Have biometric data systems audited to ensure that data is not open to the public or a systems breach.
  8. Consult with competent employment counsel to ensure that policies, practices and agreements comply with the relevant law.
  9. Regularly review policies, procedures and agreements for compliance with updates to the law and current case law.

Illinois Supreme Court to Decide Biometric Privacy Case

Contributed by Carlos Arévalo, November 27, 2018

Data breach 2In October of 2017, we first reported on the filing of a class action suit by a group of Chicago-area employees where plaintiffs alleged that their employer’s use of worker fingerprints for time-tracking purposes violates the Illinois Biometric Information Privacy Act (BIPA).  Specifically, the employees claimed that their employer failed to properly inform them in writing of the specific purpose for which their fingerprints were being collected and the length of time their fingerprints would be stored. Plaintiffs also claimed the employer failed to obtain written consent before obtaining fingerprints.

Then, this past June, we reported on a federal court’s decision finding that despite no concrete damage, an employee (and her putative class) might have a triable cause of action for violating her privacy and right to control her biometric data. The allegations in this case also included a failure to inform the specific purpose of collection and failing to obtain written authorization for the collection of biometric data.

On November 20, 2018, the Illinois Supreme Court heard oral arguments in a Rosenbach v. Six Flags Entertainment Corp., a case specifically addressing BIPA. While Rosenbach is not an employment case (it concerns a patron’s access to Six Flags), it nevertheless involves the issue of whether collection of biometric data alone triggers statutory damages even if the plaintiff has not claimed actual harm. The lower appellate court in Rosenbach found that alleging only technical violations of the notice and consent provisions of the statute is not tantamount to alleging an adverse effect or harm. Thus, how the Illinois Supreme Court rules in the next few months is bound to have a significant impact on Illinois employers and potentially elsewhere in the country.

In the meantime, to avoid and/or minimize any BIPA issues or potential liability, we continue to recommend that employers take the following steps:

    1. Establish a written policy that addresses the purpose(s) of biometric data use, how it will be collected, and how it will be stored.
    2. Be prepared to address any requests for reasonable accommodations based on disability, religious, or other reasons.
    3. If biometric data might leave a closed system, ensure that proper safeguards are in place, including contractual liability shifting.
    4. Ensure that employees whose biometric data is used acknowledge the policy, and authorize its use and collection.
    5. Train supervisors on the company’s policies and practices to ensure consistency.
    6. Have biometric data systems audited to ensure that data is not open to the public or a systems breach.
    7. Finally, consult with competent employment counsel to ensure that policies and practices comply with relevant law.

 

More Technology, More Headaches for Employers

Contributed by Noah A. Frank, June 7, 2018

Technology is great. I can use my smartphone to change a million TV channels without getting up (of course, there’s still nothing to watch until Game of Thrones returns).

technology

Close up of business man working on blank screen laptop computer 

Employers, too, are reaping the benefits of technology for the most routine areas of employee and facilities management – including timekeeping and building security. But with the transitions from handwritten and manually punched time cards to fingerprint scanner timeclocks, and mechanical keys to retinal scanners, employers face significant risk under privacy laws.

As a result, many states are beginning to pass employee privacy laws related to biometric data (including but not limited to retina or iris scans, fingerprints and voiceprints, and hand and face geometry). And with laws and regulations, comes the need for compliance to stave off lawsuits, including private causes of action and class actions.

For example, a Federal Court in Illinois recently found that, despite no concrete damage, an employee (and her putative class) might have a triable cause of action for violating her privacy and right to control her biometric data. The employer and its timekeeping vendor allegedly failed to:

  • inform the employee of the specific purpose or length of time fingerprints were to be collected, stored or used;
  • make available any biometric data retention policy or guidelines (if there was one);
  • obtain  employee releases and authorizations for the collection and use such biometric data;
  • and implement reasonable procedural safeguards.

The employer is further alleged to have systemically disclosed the biometric data by sharing it with the timekeeping vendor.

Biometric Data Done Right.

Biometric data is not something to be afraid of, as long as it is administered and used appropriately. The following key steps can help businesses ensure that they are complying with relevant laws:

  1. Establish a written policy that addresses the purpose(s) of biometric data use, how it will be collected, and how it will be stored.
  2. Be prepared to address any requests for reasonable accommodations based on disability, religious, or other reasons.
  3. If biometric data might leave a closed system, ensure that there are proper safeguards in place, including contractual liability shifting.
  4. Ensure that employees whose biometric data is used acknowledge the policy, and authorize its use and collection.
  5. Train supervisors on the company’s policies and practices to ensure consistency.
  6. Have the biometric data systems audited to ensure that data is not open to the public or a systems breach.
  7. Finally, consult with competent employment counsel to ensure that policies and practices comply with relevant law.