Do you use ﬁngerprints or other biometrics in your business? Do you need a thumbprint to access a door or biometric to login to a computer system? Illinois has a law regulating that. It is called the Illinois Biometric Privacy Act (BIPA), and the Illinois Supreme Court just made it easier to be sued for a violation of the act.
BIPA passed in 2008 to address concerns around the growing number of businesses collecting biometric data. The statute was enacted in response to the bankruptcy sale of a company called, Pay By Touch, which used biometric technology to allow consumers to pay for items using their ﬁngerprint at Chicago area Jewel-Osco stores. In 2008, Pay By Touch attempted to sell its biometric data. As a result, the Illinois legislature passed BIPA. BIPA applies to biometric data, including “a retina or iris scan, ﬁngerprint, voiceprint, or scan of hand or face geometry,” and “sensitive and conﬁdential information,” which covers any other unique information that links to individuals.
Companies with locations in Illinois (even if they are headquartered in other states) that collect this data must adhere to requirements for collection, destruction and disclosure of this data. The statute requires entities that collect and retain this data to obtain informed consent and to make certain disclosures upon collection. Further, the statute provides for a private right of action for violations of the statute, with damages of up to $1,000 per negligent violation and $5,000 per intentional or reckless violation.
The Illinois Supreme Court ruled in January 2019 that a violation of the act does not require an injury in fact or, in other words, for an individual to have suffered harm, only that a company be in violation of an element of the statute. The above-mentioned case, Rosenbach v. Six Flags Entm’t Corp, involved a child who used his ﬁngerprint as part of a Six Flags Great America season pass ticket. In Rosenbach, the child’s ﬁngerprints were taken without any of the required disclosures or consents under BIPA.This ruling opens many companies to potential lawsuits just for collecting any biometric data and any conﬁdential and sensitive information from an employee or customer.
RSM recommends you take three important steps:
- Investigate whether you capture any biometric identiﬁers or biometric information within your company, including simple tasks such as for entry into doors, access to computer systems or as part of any business process.
- If you are capturing any biometrics, you should evaluate their need and potential replacement.
- You must build a notice and consent structure to make sure that you are not in violation of the statute.
How can RSM help?
RSM’s security, privacy and risk practice can help ensure your organization is in compliance with BIPA by:
- Evaluating and updating your policies and procedures to comply with the law
- Identifying and locating any sensitive and conﬁdential information or biometric data you may be receiving, collecting, storing or sending
- Evaluating your organizational information security safeguards by conducting risk assessments, penetration testing and a number of other technical and governance-focused analyses
In addition, should a potential breach occur, our digital forensic and incident response team can help conduct the incident investigation.