Skip to content

Menu

Robinson & Cole LLP logo
About UsOur PracticeContactTopics
Search
Close
Subscribe

Data Privacy + Cybersecurity Insider

Leveraging Knowledge to Manage Your Data Risks

Biometric Information Litigation Update

By Linn Foster Freedman on December 5, 2019
Posted in New + Now

Despite repeated warnings, companies continue to be hammered with class action lawsuits for violation of the Illinois Biometric Information Privacy Act (BIPA) [view related posts].

BIPA requires that any company that is collecting, using and disclosing biometric information (such as facial recognition, iris scans, fingerprints, DNA testing, to name a few) must basically obtain consent before collecting the information; tell the individual why they are collecting it and what they are doing with it; protect the information while it is in the company’s possession; and destroy it when it no longer has a business purpose to keep it. That is the crib version of the statute.

Companies continue to collect fingerprints of employees for time accounting (instead of the old method of punching in and out), but if they don’t get consent, tell the employees why they are collecting the prints, what they are doing with them, and whether they will or will not destroy them, they often find themselves being sued.

The companies that have recently been hit with class action suits for violation of BIPA include: Caterpillar, Keurig, Pepsi, WeWork and Juul. Of course, Facebook and Shutterfly were the early victims. (We used to write about each such lawsuit, but now they are popping up so frequently that we are aggregating them in one post.)

A particularly interesting recent case is one against Octapharma Plasma, Inc. (OPI). In the Complaint, the plaintiff alleges that OPI “operates a chain of blood plasma donation centers throughout the State of Illinois…” and that “when consumers donate plasma…they are required to scan their fingerprints and enroll in Octapharma’s customer membership database.”

The case points out that when people come in to donate plasma, they must scan their fingerprints; more conventional methods are to use a registration card for identification. Registration cards can be replaced if they are lost or stolen, but fingerprints cannot be replaced, and if the database were to be compromised, this loss would cause risk to those whose fingerprints are contained in the database.

The suit states that OPI is in violation of BIPA because it failed “to adequately inform its customers of the complete purposes for which it collects their sensitive biometric data or to whom the data is disclosed, if at all…” and “failed to provide customers with a written, publicly available policy identifying the retention schedule, and guidelines for permanently destroying their fingerprints.”

This and other cases illustrate how easy it is to get caught in the web of BIPA-related class action litigation. If you are collecting biometric information, be aware of BIPA (and other state laws) that require transparency and consent, and address these requirements in your compliance program.

Tags: BIPA, Caterpillar, Illinois Biometric Information Privacy Act, Keurig, Octapharma Plasma Inc, opi, Pepsi, Shutterfly, WeWork and Juul. Facebook
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Linn Foster Freedman Linn Foster Freedman

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security and Artificial Intelligence Teams. Linn focuses her…

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security and Artificial Intelligence Teams. Linn focuses her practice on compliance with all state and federal privacy and security laws and regulations. She counsels a range of public and private clients from industries such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine and charitable organizations, on state and federal data privacy and security investigations, as well as emergency data breach response and mitigation. Linn is an Adjunct Professor of the Practice of Cybersecurity at Brown University and an Adjunct Professor of Law at Roger Williams University School of Law.  Prior to joining the firm, Linn served as assistant attorney general and deputy chief of the Civil Division of the Attorney General’s Office for the State of Rhode Island. She earned her J.D. from Loyola University School of Law and her B.A., with honors, in American Studies from Newcomb College of Tulane University. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.

Read more about Linn Foster Freedman
Show more Show less
Related Posts
NYAG Issues Fine Against Law Firm for Data Breach
March 30, 2023
Social Media Enables Social Engineering Scams
February 2, 2023
T-Mobile Sued for Data Breach of 37 Million Records
January 26, 2023
Follow us on X Follow us on X
Follow Us on Facebook Follow Us on Facebook
View Our Linkedin Profile View Our Linkedin Profile

Data Privacy + Cybersecurity Insider

Our Authors
Robinson & Cole LLP logo
Connecticut•Massachusetts•New York•Washington DC•Rhode Island•Florida•California•Delaware•Pennsylvania•Texas
Follow us on X Follow Us on Facebook View Our Linkedin Profile RSS
Privacy PolicyTerms of UseCalifornia Privacy Rights Notice
  • Home
  • Subscribe
  • Our Practice
  • Contact

Robinson+Cole is a law firm serving regional, national and global clients from nine offices throughout the Northeast. Our Data Privacy + Security Team brings together lawyers from the firm’s Intellectual Property and Technology, Commercial Litigation, and E-Commerce Groups.

Read More...

Topics

Archives

Copyright © 2025, Robinson & Cole LLP. All Rights Reserved.
Law blog design & platform by LexBlog LexBlog Logo

Please note that as of January 1, 2023 our Privacy Policy has changed. Click here for details on our new terms.

OK