You may have heard about biometrics in the news lately involving certain tech giants like Google, Facebook, and Snapchat. Biometrics are unique physical characteristics, such as fingerprints, that can be used for automated recognition. Although more commonly recognized in the consumer context, the use of biometrics in the workplace is now leading to lawsuits against major companies, and we anticipate that this is only the beginning.
In 2008, Illinois enacted the Illinois Biometric Information Privacy Act (BIPA), a privacy law which, amongst other things, requires written notice and consent before the use and storage of unique identifiers, such as fingerprints and handprints. The law provides for damages of $5,000 for each reckless violation and $1,000 for each negligent violation, along with attorney’s fees and costs. Illinois was the first state to pass legislation addressing a private entity’s collection of biometric data, but it is not the last. Texas and Washington have similarly passed laws dictating a private business’ use and storage of biometrics, and several other states have enacted laws protecting students and government actors. Illinois is the only state that provides for a private cause of action against a business entity.
In late June, a former employee of Kimpton Hotels filed a class action lawsuit against his former employer and its parent company, Intercontinental Hotel Group, for allegedly violating BIPA as a result of the company requiring employees to scan their fingerprints to punch in and out without first obtaining written approval. The lawsuit further alleges that Kimpton failed to provide the proper required written disclosures. This lawsuit is pending and could result in significant damages for the hotel chain.
Similarly, in May, a former manager of a grocery store chain filed a class action suit against the store’s parent company alleging that it violated BIPA by requiring employees to clock in and out of their shifts using a fingerprint scanner, without first obtaining proper releases required by the statute. The lawsuit further alleges that the store failed to disclose how long it may store the fingerprint scans, nor how it plans to destroy that information. According to the court documents, the company currently has over 10,000 employees who work in grocery stores located in Illinois who have clocked in and clocked out of their shifts using biometric technology. The company estimates that it also has several hundred or thousand former employees who worked in Illinois stores and clocked in or out of work using biometric technology. If all of those employees join in the class and it is found liable, the company could face damages in the millions.
We expect to see more lawsuits about biometrics in the future as more and more companies enhance their employee-tracking technology. Three Square Market, a Wisconsin company, for example, is the first company in the U.S. to microchip its employees for various reasons such as making purchases in the breakroom, to open doors, login to computers, use the copy machine, etc. The implantation of the microchips is voluntary, and over 50 employees have been chipped so far. Although there are no pending complaints against the company for use of this technology, it will be interesting to see if other companies follow suit and abide by relevant privacy laws.
The takeaway – if your organization uses biometrics for its timekeeping system, or any other purpose, make sure that you are complying with BIPA and obtain the necessary consent from your employees, and provide the required written disclosures.
If you have any questions about these issues, or any other employment law topics, please contact us.