CSK&D is investigating potential class action cases against companies that collect and misuse biometric data gathered from their employees or customers without proper authorization. Biometrics are the measurements increasingly used by companies to identify specific individuals, such as fingerprints, retina/iris scans, DNA, and facial geometry scans. Companies are adopting these biometric measures for personnel and customer identification faster than privacy policies are adapting to the changing scheme of consumer identification.
Consumers are concerned about the privacy intrusions involved in how biometric information is used or shared by these companies. In many cases, consumers and employees are not aware of, and do not consent to, a company taking biometric information and storing it for its own unclear use.
Over the last few years, there has been an increasing number of incidents involving companies misusing or misappropriating biometric data without proper consent or authorization. These data collection practices may violate existing laws that prevent this kind of information from being shared or used without explicit consent or authorization. For example, the Illinois Biometric Information Privacy Act (740 ILCS 14/1, et seq.) (“BIPA”) imposes requirements on businesses that collect or otherwise obtain biometric information—such as fingerprints, retina/iris scans, DNA, and facial geometry scans (which could include identifying individuals through photographs)—used to identify individuals.
BIPA mandates that such businesses may not obtain, possess, or otherwise maintain consumers’ biometric information unless they:
- inform that person in writing that biometric identifiers or information will be collected or stored;
- inform that person in writing of the specific purpose and length of term for which such biometric identifiers or biometric information is being collected, stored and used;
- receive a written release from the person for the collection of his or her biometric identifiers or information; and
- publish publicly available written retention schedules and guidelines for permanently destroying biometric identifiers and biometric information.
Media outlets, such as those in the article below, have warned consumers of the risks that biometric information storage creates, and advised consumers to disable features on social media platforms, such as Facebook, that collect biometric information (article accessible at: https://www.cnet.com/how-to/how-to-review-and-turn-off-facebooks-facial-recognition-feature/). Examples of places where businesses capture and/or use biometric information include tanning salons, gyms, fitness centers, workout studios, etc., where front desk employees scan consumers’ fingerprints to pull up their accounts, check them in, and/or charge for services. Other examples include internet websites/social media platform features that utilize facial recognition for image tagging or other purposes.
BIPA allows for an award of statutory damages in the amount of $1,000 per violation, or $5,000 per violation deemed to be intentional or reckless. If you believe that any of your biometric information is being created, collected, stored, processed, or otherwise maintained by any business without your authorization, please contact us.