By: Gwenn Barney
As punch cards are replaced with retina scanners, and keys with fingerprint identification, employers are facing more lawsuits related to the protection of employees’ biometric data.
Last week, an employee filed two separate class action lawsuits in Illinois against salad restaurant chain Sweetgreen and Philadelphia-based food services provider Aramark for violations of the Illinois Biometric Information Privacy Act (BIPA). The new lawsuits add to over 30 lawsuits already filed for violations of BIPA in the past three months.
BIPA requires employers in Illinois to:
- inform an employee in writing of any planned collection or storage of that individuals biometric information;
- receive a written release from the employee to collect the biometric information;
- receive employee consent before disclosing biometric information to any other person outside of the company or other entity;
- “[s]tore, transmit, and protect from disclosure all biometric identifiers and biometric information using the reasonable standard of care within the private entity’s industry,” which must be at least “the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information,” 740 ILCS 14/15(e); and
- have a written policy available to the public that establishes a retention schedule and guidelines for permanently destroying biometric information when the purpose for collecting the information comes to an end, or within three years of the company’s last interaction with the employee, whichever comes first.
Joseph Cintron, a former employee of Sweetgreen and Aramark, alleged that Sweetgreen improperly collected and stored employees’ fingerprints under BIPA. Cintron also alleged in a separate complaint that Aramark did not receive a written release from employees to scan and store their fingerprints, and did not explain in writing the company’s policies for storing and later disposing of the fingerprint data. Under the statute, violations of BIPA can result in damage awards of $1,000-$5,000 per violation, plus attorney fees. Cintron’s attorneys have requested that the suits be expanded to include classes of hundreds of individuals employed by Aramark and Sweetgreen in Illinois. For companies with many employees, violating BIPA could result in millions of dollars in damages.
BIPA also protects consumer biometric data, and consumers have brought lawsuits for violation of the law. For example, last winter a district court in New York dismissed a case involving a claim of insufficient notice and consent under BIPA for the facial recognition feature in the NBA 2K video game series for lack of standing. Similar lawsuits related to consumer facial recognition data against Google, Facebook, and photo printing website Shutterfly remain active.
While the bulk of litigation in this area has centered in Illinois, several other states have enacted or are considering legislation to protect both customer and employee biometric data. Texas and Washington also have laws to protect employee and customer biometric data, but claims for violations in those states may only be brought by the Attorney General, not by private citizens. In Alaska, Idaho and New Hampshire, the state legislatures are currently reviewing proposals for biometric data protection laws that would include a private right of action.
With more legislatures turning their attention to protecting biometric information, employers can stay ahead of the curve by preemptively adopting written policies to protect employee and customer biometric data. Any written policy on the topic should address employee consent for collection, storage, and sharing of information, the standard of care for storing the information, and retention and destruction plans for the data upon termination of the company’s relationship with the employee or customer.