Biometric information privacy may be an emerging area of employment law, but last month, employers saw an example of why it should be taken seriously.
On June 22, the U.S. District Court for the Northern District of Illinois approved a settlement agreement between entertainment company Topgolf and a class of former employees who alleged Topgolf collected and disclosed their biometric data through a "finger-scan timekeeping system" in violation of the Illinois Biometric Information Privacy Act, or BIPA, per a court document. Though Topgolf denied the claims, the parties agreed to a $2,633,400 award to be split between more than 2,600 class members.
BIPA, passed in 2008, is a relatively new statute, but lawsuits invoking it "didn't really start popping up until 2016," said Lauren A. Daming, associate at management-side firm Greensfelder, Hemker & Gale.
"I can't say why they exploded in 2016, but I imagine that's when plaintiff's attorneys took notice of the law," Daming explained in a follow-up email, noting that the statutory damages for BIPA violations are $1,000 or $5,000 per violation, depending on the circumstances.
"Also, in the last year or so, there have been quite a few plaintiff-friendly court decisions about how BIPA should be interpreted," she added. "Several of those decisions are on appeal right now either in federal or state court, so the issues have not been decided with finality, but the lower court holdings are fairly plaintiff-friendly."
The Illinois law sets forth a number of stipulations about collecting, retaining and disclosing biometric identifiers — including retina or iris scans; fingerprints; voiceprints; hand or facial scans — and biometric information, which includes any information based on these identifiers.
Under BIPA, employers and other entities in possession of such information must develop a written, publicly-available policy outlining how long the information will be retained as well as how it will be permanently destroyed — which the law says should occur "when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual's last interaction with the private entity, whichever occurs first."
Additionally, BIPA stipulates that no private entity can collect, capture, purchase, receive through trade or otherwise obtain biometric identifiers or biometric information unless:
The entity informs the subject or their representative in writing that their information is being collected or stored.
The entity informs the subject or the subject's legally authorized representative in writing of the specific purpose and length of term that their information is being collected, stored and used.
The entity receives a written release executed by the subject or the subject's legally authorized representative.
Very few such laws exist in the U.S. Other examples include Texas and Washington, both of which have placed restrictions on the collection and possession of biometric identifiers for commercial purposes. New York City enacted in January a law addressing the collection and use of customers' biometric identifiers by certain "commercial establishments," including places of entertainment, retail stores and food and drink establishments.
Meanwhile, several other states and localities have proposed similar legislation, with others having passed laws that specifically address consumer data privacy, said Daming; "I expect to see more of that in the future."
Topgolf is not the only employer to face litigation under BIPA so far in 2021. Earlier this month, a former Walmart fulfillment center employee filed a class action suit alleging that the retailer violated state law by requiring employees to use voice recognition software to track their work, Law360 reported. In January, Walmart agreed to a $10 million settlement over claims by current and former employees that the company required them to use a palm-scanning device without obtaining written consent, the Chicago Tribune reported.
In June, a group of consumers filed a BIPA lawsuit against Apple over the use of electronic fingerprint and facial recognition in its products.
The news is reflective of a "consistently huge volume" of BIPA litigation since 2016, Daming said; "There's a new BIPA lawsuit every single day it seems."
Daming noted that the statute most commonly comes up in the employment context for situations in which employers require their workers to clock in and clock out using hand or fingerprint scans, but facial recognition software and other technologies also may be implicated.
The technology is utilized for a number of reasons, she said. Employers may use it to cut down on situations in which employees clock in or out for their co-workers, or may prefer it for accessibility or ease-of-use. But as employees grow more conscious of their privacy rights and more concerned about the use of their personal data, employers may see increased legal risk in jurisdictions that have enacted biometric privacy laws.
Such laws are also separate from the federal Genetic Information Nondiscrimination Act, Daming added, which has its own set of considerations for employers. But as legislation targeting biometric identifiers and information spreads, she said employers may need to re-examine whether they are transparent about their use of this data; "I think that's something employees are increasingly going to find important and expect from their employers."
While Daming has not experienced a situation in which a client had employees say they did not want to hand over their information, she noted that employers may also need to consider how the use of biometric information-collecting technologies may interact with anti-discrimination laws. If an employee has a religious objection to such technologies, or has a disability that makes it impossible or difficult to collect that kind of data, the employer may need to provide an accommodation, Daming said.
Examples of such accommodations may include allowing an employee to manually clock in, or otherwise permit them to use a four-digit code or I.D. card instead.
HR personnel also may need to be aware of third-party providers' use of biometric information. "If they have arrangements with third parties like that, they need to be checking whether those companies are also complying with BIPA and looking at their agreements with these companies to make sure they're protected if the other company is not following the law," Daming said. "I think that's where HR can really add some value to helping their company comply with BIPA."