In January 2019, the Illinois Supreme Court upheld consumers' rights to sue companies for collecting their fingerprints without explicit consent. This precedent-setting case, Rosenbach v. Six Flags Entertainment Corp, was the first to extend the interpretation of the Illinois Biometric Information Privacy Act (BIPA), holding that individuals do not need to prove they were actually harmed by the misuse of their biometric information—only that their rights under the law were violated.

The Rosenbach interpretation of the Illinois BIPA gives individuals more agency to act if they suspect their personal information is being used without their consent. As a result, the Rosenbach decision may dramatically and fundamentally change the way that companies think about, use, and collect biometric data from both their consumers and employees.

How biometric data is used

While it may sound like biometric data is something out of a sci-fi movie, it's actually quite common. An increasing number of employers are collecting and using employee fingerprints to allow access to the factory floor or clock in and out of shifts.

However, biometric identifiers don't afford the same practical features as "traditional" passwords. You can't "reset" your fingerprint or your facial features. Therefore, once this data is compromised, it's permanently breached. As a result, companies are facing increased scrutiny surrounding the collection and use of any biometric identifiers.

Current laws in place

The 2008 Illinois BIPA regulates the collection, use, storage, and destruction of biometric identifiers from employees and customers alike.

It is estimated that violations of BIPA can cost companies between $1,000 and $5,000 per violation. This cost, if compounded by hundreds of individuals in a class action suit, can quickly lead to millions of dollars in punitive damages. This exposure, coupled with the recent surge in BIPA-related lawsuits—such as the Six Flags case detailed above—has created a growing need for organizations to better understand current and emerging privacy laws.

Emerging regulations

While BIPA is specific to Illinois, it is just the tip of the iceberg, representing a larger movement across the country to shore up privacy laws at the state level. For instance, Washington, California, and Texas have passed their own versions of BIPA, while Massachusetts, New York, Delaware, Alaska, and Michigan are all currently considering similar laws.

One of the most recent state law updates, crafted in the spirit of BIPA, is the California Consumer Privacy Act (CCPA), which is anticipated to go into effect on January 1, 2020. The CCPA provides residents of California with the right to know what personal data is being collected; to know whether their personal data is being disseminated or sold and, if so, to whom; and to request that businesses delete any personal information they may have previously collected. It also protects residents from being discriminated against for opting out of having their data collected, used, or sold.

Since biometric regulation varies at the state level, it's imperative that companies understand the legal requirements of each state in which they do business—both in terms of the company's physical location and its virtual footprint (for example, they may have out-of-state customers or employees)—and recognize what is needed to comply with those local laws. For example, BIPA regulates biometric data collection and use, whereas the CCPA applies to all data collection and use—regardless of the type.

What should businesses be doing?

In addition to understanding what local laws require, there are a few basic steps companies can take in order to comply with current and emerging laws. Namely, companies should work with legal counsel to update company-wide disclosures and create a written consent model for obtaining explicit consent from both consumers and employees regarding all data collection and usage. In addition, companies should annually review and update both applicable consumer and employee privacy policies. For example, California has already tabled several components of its CCPA legislation for review in 2020 to update in 2021. Thus, privacy policies need to remain fluid to stay compliant with evolving legislation.

In conjunction with these measures, companies should also invest in a comprehensive Employment Practices Liability insurance policy to help manage potential exposures that may arise. In the event that an employee of an insured company asserts that his or her personal data was mismanaged or collected without his or her consent, Chubb will endeavor to work with legal counsel to weigh the employer's options, determine the best course of action, and help to offset associated costs.

Regardless of where you do business, data-regulating laws are coming. By taking the right precautionary steps and staying informed, you can help to protect your organization, no matter what.

Jennifer Gentry is senior vice president and employment practices liability product manager for Chubb North America.


© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.