Lawyer recommends that companies consult biometric privacy experts to avoid lawsuits
In light of several class action lawsuits from employees accusing companies of illegally collecting and storing their biometric data, a Chicago attorney has recommended companies to be conscious of the litigation threat stemming from an increasing number of state laws protecting biometric privacy, according to a report by Cook County Record.
“Companies should consult with their lawyers and… adopt policies and procedures to comply with these [and other] requirements,” said Steve Gold, an attorney with McguireWoods. “It is also important for a company to work with its lawyers and its information technology personnel to take steps to maintain the security and privacy of private information including biometrics so as to reduce any possible harm to the individuals whose information is collected.”
There have been two recent cases in the Chicago area highlighting the legal risk. First, employees of the Intercontinental Hotel Group filed a class action lawsuit against the hotel chain over claims that it wrongly collected and used their fingerprints and other biometric information.
The second case involves multiple lawsuits against supermarket chain Mariano’s which allege that the company violated the Illinois Biometric Information Privacy Act (BIPA) by requiring employees to submit their biometrics data without consent.
BIPA was enacted in 2008 protect the security of Illinois residents’ biometric data, including fingerprints and retinal data.
Mariano’s timekeeping system allegedly required the company to scan and store each employee’s unique fingerprint, however, Mariano’s never obtained the written consent of its employees before storing the data, the lawsuit said.
“In Illinois [and a few other states], there is a specific statute addressing biometric information, such [as] a fingerprint,” Gold said. “That law provides that no private entity may collect such information unless it first follows certain guidelines.”
Gold said the company must inform the employee in writing that it is collecting the biometric data; the purpose and length of time for which it is collecting the data; and obtain an informed written consent (which must be signed as a condition of employment).