Biometric Data Use in Illinois Workplaces

In 2008, when the Illinois Biometric Information Privacy Act (BIPA) was passed by the Illinois General Assembly, it was quite ahead of its time—it would be seven years before the first lawsuit was even filed.

“At the time, Chicago served as a sort of a pilot case in the commercial industry for conducting financial transactions via the use of biometrics,” says Stefan Dandelles, an insurance attorney with Kaufman Dolowich & Voluck who also practices in data privacy. “So the state of Illinois responded by saying, ‘Okay, well, in that case, we’re going to need to protect the use of consumer biometric identifiers when people engage in these financial transactions.’”

BIPA, which prohibits private companies from collecting an individual’s biometric data without consent, was born.

Fast forward to 2021, and consumer use of biometric data almost daily. Such data includes fingerprints, retina scans, facial scans and voice identification. And while you might find yourself using your fingerprint to unlock your personal laptop or an iris scan to open your phone, businesses, too, are increasingly asking employees to use biometric technology in the workplace. 

“The biggest way the collection of biometric data is used in the employment context is for timekeeping—punching in and out,” says Dandelles. “It’s intended to be more efficient and more transparent for employees.” He notes that employees might think, ‘Wait a second—is using my fingerprint and thus giving this unique sensitive information to my employer safe?’ 

“It’s not only not harming employees, but also its helping them have clear employment and time clock records,” he says. “For example, there’s a lot of wage and hour litigation around employees saying, ‘Oh, I was on the clock, and I wasn’t paid the proper overtime.’ Biometrics are going to make it abundantly clear when you were on the clock and when you weren’t. And it’s done knowingly. No employee goes in and puts their finger on a scanner not knowing what’s happening, so there’s implicit consent there already.”

For employers to utilizes such biometric practices in Illinois, there are biometric privacy laws and certain steps they have to take. 

“Most notably, it requires an explicit permission and a written release,” Dandelles says. 

Employers must inform employees in writing about the collection and storage of their biometric data, about the specific purpose and timeline for collecting and storing, and about any potential use of that data.

“Biometrics are good, because they can’t really be faked or duplicated,” says Dandelles. “But once it’s gone, it’s gone: You can’t un-ring that bell. If your credit card is stolen, you can cancel your credit card or get a new one. If your bank account is compromised, you can close that bank account and open a new one. But if your fingerprint or retinal scan is taken, you can’t change that. There is a permanence to it.”

But what can someone do with data like a fingerprint scan?

“It’s not like they have your finger, right, but they do have, for example, a pattern of activity,” Dandelles says, referring to the 2019 Rosenbach v. Six Flags Entertainment Corp., in which the Illinois Supreme Court held that a person can seek damages based on a technical violation of BIPA, even if that person has suffered no actual injury as a result of the violation. 

At issue in Rosenbach was a 14-year-old who had his fingerprint scanned so that he could enter Six Flags as he pleased under his season pass; his mother alleged that Six Flags did not inform them that biometric data would be collected.

“What Six Flags could have done is track you: ‘Oh, this kid came to Six Flags 10 times in the month of June,’” Dandelles says. “While they can’t sell a fingerprint to marketers, they can sell the tracked data that came from it.” 

Facebook, too, was recently at the heart of a BIPA class action lawsuit: It settled for $650 million with Illinois users under the act. “What Facebook does is they use facial recognition and face geometry based on pictures that are posted,” Dandelles says. “And there are however many millions of pictures posted to Facebook every single day. They can then say, ‘We recognize this face’ and tag you. But they did not inform users that they’d be collecting and storing digital scans of their faces.”  

While Dandelles appreciates the consumer protections BIPA allows, and says Illinois has the strictest such statutes in the nation (only Washington and Texas have similar biometric-related statutes), he would also like to see reform that ensures compliance and focuses on education and awareness.

“We need something more than just a bunch of litigation around something that’s really not causing, in most instances, any actual harm to consumers, especially as the advancement of biometrics becomes more accepted around the country,” Dandelles says. “I imagine many states will begin to enact laws to regulate and protect that information, and hopefully they do so in a measured way. As Illinois was a leader in providing these protections, it needs to also be a leader in saying, ‘Okay. We’re going to right-size this. We’re going to modify it, reform it so that it better suits the real world while still safeguarding consumers.’ Other states can then take the experience and enact similar statutes without setting businesses up for failure with this strict liability, ‘gotcha’-type mechanism, which is what we currently have on the books in Illinois.”