In recent years, the use of biometric data, such as fingerprints, facial recognition, and iris scans, has become increasingly common in the workplace. However, with the rise of biometric data collection comes the need for robust privacy protections. In Illinois, the Biometric Information Privacy Act (BIPA) provides a framework for the collection, storage, and use of biometric data. As Chicago personal injury lawyers, we consider it essential to understand the implications of BIPA for employers in Illinois. BIPA is a critical law that protects employees’ sensitive biometric information from misuse. Employers who fail to comply with BIPA may face significant penalties and damage to their reputation.
What is BIPA?
BIPA is a state law that regulates the collection, storage, and use of biometric data. The law defines biometric data as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” BIPA requires employers to obtain written consent from employees before collecting or storing their biometric data. Employers must also provide employees with a written policy outlining the purpose and length of time for which the biometric data will be collected, stored, and used. BIPA applies to all private entities, including employers, who collect or store biometric data. The law provides a private right of action for employees who allege that their biometric data has been mishandled.
Requirements for Employers Under BIPA
Employers in Illinois must comply with several requirements under BIPA:
Written Consent
Employers must obtain written consent from employees before collecting or storing their biometric data. This consent must be obtained before the employer collects or stores any biometric data. The consent form must be written in a manner that is clear and easy to understand. Employers must also ensure that employees understand the purpose and scope of the biometric data collection.
Written Policy
Employers must provide employees with a written policy outlining the purpose and length of time for which the biometric data will be collected, stored, and used. This policy must be written in a manner that is clear and easy to understand. Employers must also ensure that employees understand the procedures for accessing, correcting, or deleting their biometric data. The policy must also include information on how the employer will protect the biometric data from disclosure.
Data Protection
Employers must take reasonable care to protect the biometric data from disclosure. This includes implementing and maintaining reasonable technical, administrative, and physical data security measures. Employers must also ensure that all biometric data is stored in a secure manner, such as through encryption. Employers must also limit access to biometric data to only those individuals who need it to perform their job duties.
Data Retention and Destruction
Employers must have a retention schedule and guidelines for permanently destroying biometric data when the purpose for collecting the data has been satisfied or when the individual is no longer employed by the employer. Employers must also ensure that all biometric data is destroyed in a secure manner, such as through shredding or electronic wiping. Employers must also maintain a record of all biometric data that has been collected, stored, and destroyed.
Penalties for Non-Compliance
Employers who fail to comply with BIPA may face significant penalties. Under employment law, employees may bring a private right of action against employers who violate BIPA. The penalties for non-compliance include:
- Liquidated damages of $1,000 or actual damages, whichever is greater, for negligent violations. Employers may also be liable for attorney’s fees and costs. In addition, employers may face reputational damage and loss of business.
- Liquidated damages of $5,000 or actual damages, whichever is greater, for intentional or reckless violations. Employers may also face punitive damages and fines. In addition, employers may face regulatory action and audits.
- Reasonable attorney’s fees and costs. Employers may also be liable for expert witness fees and other litigation expenses.
Best Practices for Employers
To avoid the penalties and risks associated with non-compliance, employers should follow these best practices:
Develop a Comprehensive Biometric Data Policy
Employers should develop a comprehensive biometric data policy that outlines the purpose and scope of biometric data collection, storage, and use. The policy should also include information on how the employer will protect the biometric data from disclosure. Employers should also ensure that the policy is easily accessible to all employees. The policy should be reviewed and updated regularly to ensure compliance with changing laws and regulations.
Obtain Written Consent
Employers should obtain written consent from employees before collecting or storing their biometric data. The consent form should be written in a manner that is clear and easy to understand. Employers should also ensure that employees understand the purpose and scope of the biometric data collection. Employers should maintain a record of all consent forms obtained from employees.
Implement Reasonable Data Security Measures
Employers should implement and maintain reasonable technical, administrative, and physical data security measures to protect biometric data from disclosure. Employers should conduct regular security audits and risk assessments to identify vulnerabilities. Employers should also implement incident response procedures in the event of a data breach.
Retain and Destroy Biometric Data Properly
Employers must have a retention schedule and guidelines for permanently destroying biometric data when the purpose for collecting the data has been satisfied or when the individual is no longer employed by the employer. Employers must also ensure that all biometric data is destroyed in a secure manner, such as through shredding or electronic wiping.
Train Employees
Employers should train employees on the proper handling and protection of biometric data. Employers should also ensure that employees understand the procedures for accessing, correcting, or deleting their biometric data. Employers should provide regular training and updates to employees on BIPA compliance.
Conclusion
In conclusion, BIPA provides essential protections for employees in Illinois whose biometric data is collected, stored, and used by employers. Employers must comply with the requirements of BIPA, including obtaining written consent, developing a comprehensive biometric data policy, and implementing reasonable data security measures. By following these best practices and complying with BIPA, employers can avoid the penalties and risks associated with non-compliance.
If you’re looking for an experienced Chicago personal injury lawyer to help navigate your claim, we will fight assiduously for your right to the compensation you deserve. Call Bizzieri Law Offices at 773.881.9000. The case evaluation is free, and we never charge a fee unless we recover damages for you.