Despite repeated warnings, companies continue to be hammered with class action lawsuits for violation of the Illinois Biometric Information Privacy Act (BIPA) [view related posts].
BIPA requires that any company that is collecting, using and disclosing biometric information (such as facial recognition, iris scans, fingerprints, DNA testing, to name a few) must basically obtain consent before collecting the information; tell the individual why they are collecting it and what they are doing with it; protect the information while it is in the company’s possession; and destroy it when it no longer has a business purpose to keep it. That is the crib version of the statute.
Companies continue to collect fingerprints of employees for time accounting (instead of the old method of punching in and out), but if they don’t get consent, tell the employees why they are collecting the prints, what they are doing with them, and whether they will or will not destroy them, they often find themselves being sued.
The companies that have recently been hit with class action suits for violation of BIPA include: Caterpillar, Keurig, Pepsi, WeWork and Juul. Of course, Facebook and Shutterfly were the early victims. (We used to write about each such lawsuit, but now they are popping up so frequently that we are aggregating them in one post.)
A particularly interesting recent case is one against Octapharma Plasma, Inc. (OPI). In the Complaint, the plaintiff alleges that OPI “operates a chain of blood plasma donation centers throughout the State of Illinois…” and that “when consumers donate plasma…they are required to scan their fingerprints and enroll in Octapharma’s customer membership database.”
The case points out that when people come in to donate plasma, they must scan their fingerprints; more conventional methods are to use a registration card for identification. Registration cards can be replaced if they are lost or stolen, but fingerprints cannot be replaced, and if the database were to be compromised, this loss would cause risk to those whose fingerprints are contained in the database.
The suit states that OPI is in violation of BIPA because it failed “to adequately inform its customers of the complete purposes for which it collects their sensitive biometric data or to whom the data is disclosed, if at all…” and “failed to provide customers with a written, publicly available policy identifying the retention schedule, and guidelines for permanently destroying their fingerprints.”
This and other cases illustrate how easy it is to get caught in the web of BIPA-related class action litigation. If you are collecting biometric information, be aware of BIPA (and other state laws) that require transparency and consent, and address these requirements in your compliance program.