Companies encouraged to revisit privacy policies in light of projected increase in litigation
The Illinois Supreme Court in January 2019 held that plaintiffs bringing claims under the Illinois Biometric Information Privacy Act (BIPA) are not required to allege that they suffered any actual harm as the result of a violation of the act. Instead, it’s enough to allege that an employer or other entity simply violated BIPA’s notice, consent or disclosure requirements. The court’s opinion in Rosenbach v. Six Flags is expected to result in an increase in class action litigation under BIPA, which regulates how private entities use information based on “biometric identifiers” such as fingerprints and retina scans.
The court emphasized in Rosenbach that individuals suffer “real and significant” injuries when the right to control biometric data is compromised. For that reason, the act was intended to prevent harm by “imposing safeguards to insure that individuals’ and customers’ privacy rights in their biometric identifiers and biometric information are properly honored and protected to begin with, before they are or can be compromised.” As a secondary measure, BIPA subjects “entities who fail to follow the statute’s requirements to substantial potential liability.” Because the act was designed to impose liability even for “technical” violations of the statute, companies have the “strongest possible incentive to conform to the law and prevent problems before they occur and cannot be undone.”
The decision serves as an important reminder to businesses — even those operating outside Illinois — to consider the need for information privacy policies and notice and consent procedures related to the collection of biometric or other personal information. In light of the Rosenbach decision’s projected impact on litigation in this arena and increasing concerns surrounding individual privacy rights in connection with technology, companies should review the following checklist of preliminary considerations related to biometric and information privacy programs:
- Take an inventory of current practices and policies.
  - What types of biometric or personal information is the company collecting, storing or transmitting?
  - Does the company have a policy in place, complete with notice and consent procedures designed to educate individuals about the company’s privacy practices?
- Become familiar with applicable law.
  - Biometric privacy: Illinois, Washington and Texas have biometric information privacy laws.
  - Fingerprinting: New York prohibits employers from requiring employees to be fingerprinted as a condition of employment.
  - Data breach: Most states have adopted laws related to data breach notification requirements that may influence your company’s privacy program. In fact, some states, like Illinois, specifically include “biometric data” in the definition of protected “personal information.”
  - Other state laws also may potentially impact an information privacy program.
- Has the company considered potential accommodations that may be offered to employees or other individuals who decline to provide biometric information for religious, medical or other reasons?
- Has the company considered whether a proposed policy or changed procedure may trigger bargaining obligations with a representative union?
- Do the company’s insurance policies provide coverage for BIPA violations or common law privacy tort claims?
- Do vendors or third parties that have access to biometric data, such as personnel services providers or payroll companies, comply with applicable law and information privacy best practices?
For questions about the impact of Rosenbach v. Six Flags or to discuss designing a biometric information privacy program for your company, contact the attorneys in our Employment & Labor group.