The Cost of Collecting Fingerprints

An increasing number of companies are collecting and using customer and employee fingerprints. But doing so comes with legal risks.

In January 2019, the Illinois Supreme Court upheld consumers’ rights to sue companies for collecting their fingerprints without explicit consent. This precedent-setting case, Rosenbach v. Six Flags Entertainment Corp, was the first to extend the interpretation of the Illinois Biometric Information Privacy Act (BIPA) holding that individuals do not need to prove they were actually harmed by the misuse of their biometric information—only that their rights under the law were violated.

The Rosenbach interpretation of the Illinois BIPA gives individuals more agency to act if they suspect their personal information is being used without their consent. As a result, the Rosenbach decision may dramatically and fundamentally change the way that companies think about, use, and collect biometric data from both their customers and employees.

How Biometric Data Is Used

While it may sound like biometric data is something out of a sci-fi movie, it’s actually quite common. An increasing number of employers are collecting and using employee fingerprints to allow access to the factory floor or enable them to clock in and out of shifts.

However, biometric identifiers don’t afford the same practical features as “traditional” passwords. You can’t “reset” your fingerprint or your facial features. Therefore, once this data is compromised, it’s permanently breached. As a result, companies are facing increased scrutiny surrounding the collection and use of any biometric identifiers.

The 2008 Illinois BIPA regulates the collection, use, storage, and destruction of biometric identifiers from employees and customers alike.

It is estimated that violations of BIPA can cost companies between $1,000 and $5,000 per violation. This cost, if compounded by hundreds of individuals in a class-action suit, can quickly lead to millions of dollars in punitive damages. Coupled with the recent surge in BIPA-related lawsuits—such as the Six Flags case detailed above—the prospective financial penalties have created a growing need for organizations to better understand current and emerging privacy laws.

Regulations Emerging Across the U.S.

While BIPA is specific to Illinois, it is just the tip of the iceberg, representing a larger movement across the country to shore up privacy laws at the state level. For instance, Washington, California, and Texas have passed their own versions of BIPA, while Massachusetts, New York, Delaware, Alaska, and Michigan are all currently considering similar laws.

One of the most recent updates to state law, crafted in the spirit of BIPA, is the California Consumer Privacy Act (CCPA), which is expected to take effect on January 1, 2020. The CCPA provides residents of California with the right to know what personal data is being collected; to know whether their personal data is being disseminated or sold and, if so, to whom; and to request that businesses delete any personal information they may have previously collected. It also provides protection to prevent consumers from being discriminated against if they opt out of having their data collected, used, or sold.

Since biometric regulation varies at the state level, it’s imperative that companies understand the legal requirements of each state in which they do business—both in terms of the company’s physical location and its virtual footprint (for example, it may have out-of-state customers or employees)—and recognize what they need to do to comply with local laws. For example, BIPA regulates biometric data collection and use, whereas the CCPA applies to all personal data collection and use—regardless of the type.

What Should Businesses Be Doing?

In addition to understanding what local laws require, there are a few basic steps companies can take in order to comply with current and emerging laws. Namely, companies should work with legal counsel to update companywide disclosures and create a written consent model for obtaining explicit consent from both consumers and employees regarding all data collection and usage.

In addition, companies should annually review and update both applicable customer and employee privacy policies. For example, California has already tabled several components of its CCPA legislation for review in 2020 to update in 2021. Corporate privacy policies need to remain fluid to stay compliant with evolving legislation.

Regardless of where you do business, data-regulating laws are coming. By taking the right precautionary steps and staying informed, you can help protect your organization, no matter what.


Jennifer Gentry is senior vice president and employment practices liability product manager for Chubb North America.


From: BenefitsPro