As technology progresses, employers are adopting more advanced ways of identifying their employees. The days of having an employee identification number or a PIN are giving way to fingerprints, retina scans, and even facial recognition systems. Though the latter two are usually only seen in high-security industries, fingerprinting is becoming more mainstream.
Understandably, employees are wary of relinquishing such personal information—unchangeable information that can be abused, hacked, or sold. Illinois recognized these dangers and has passed the Biometric Information Privacy Act to establish rules for those wishing to collect or store biometric data.
Can Employers Take a Fingerprint?
Yes, employers can take a fingerprint or other biometric data, but they must follow the law if they do so. The law is complex, and employers face real consequences for failure to comply. Let’s break it down in a manner that is easy to comprehend.
What Type of Information Is Regulated?
As one can imagine, the Biometric Information Privacy Act regulates only biometric information, not all “private information.” Specifically, the following types of information are regulated by the Act:
Fingerprints;
Retina scans;
Iris scans;
Voice prints; and
Scans of hand or face geometry.
The Act also includes a lengthy list of exclusions to the type of information that is regulated. However, for the purpose of this article, it is sufficient to say that biometric information stored by healthcare providers in order to render care is not regulated. (However, if it is stored for some other purpose, such as identifying employees, it is regulated.)
Who Does the Act Apply To?
The Biometric Information Privacy Act applies to private entities. That means that any level of government can capture and store your biometric information without having to comply with the Act.
An Employer Wishing to Collect Fingerprints Must Have Written Consent
The Biometric Information Privacy Act requires that a private entity wishing to obtain a fingerprint (or other biometric identifier) must inform the employee (or his/her legal representative), in writing, that biometric information is being collected or stored.
The employer must also inform the employee, in writing, of the specific purpose for which the fingerprint or other biometric information will be used. The employer must also disclose to the employee the length of time the fingerprint will be stored and used.
Finally, the employer must obtain a written release from the employee authorizing collection, storage and use of the fingerprint.
Can an Employee Refuse a Fingerprint?
The Biometric Information Privacy Act only briefly touches on the employer-employee relationship. It states that the term “written release” means informed written consent or, in the context of employment, a release executed by an employee as a condition of employment. This seems to imply that an employer can make a written release a condition of employment; therefore, if an employee refuses to sign the release, he or she may be subject to termination.
If this is how courts end up interpreting the law, employees will be powerless to stop fingerprinting if they want to obtain or keep a job. Biometric waivers will become part of the large packet of documents employees sign when hired.
Given that biometric consent can likely be a term of employment, and assuming the employee signs a waiver, most legal violations will relate to safeguarding procedures.
What Must Employers Do to Safeguard Fingerprints?
The Illinois Biometric Information Privacy Act establishes a framework of safeguards that employers (and other private entities) wishing to collect fingerprints (and other biometric data) must follow.
Illinois Employers Must Have a Publicly Available Written Policy
If employers wish to collect, store, or possess fingerprints, they must have a publicly available written policy that establishes a retention schedule and guidelines for permanently destroying the stored fingerprints.
Illinois Employers Must Destroy Stored Fingerprints
Fingerprints collected by an employer must be destroyed either when the initial purpose for collecting the fingerprint is satisfied or within three years of the employee’s last interaction with the employer, whichever comes first. Thus, a fingerprint taken as part of a background check must be destroyed after the background check is passed, and fingerprints taken for most other purposes must be destroyed no later than the end of employment. If a fingerprint is taken for use in a system, such as logging into a system, the fingerprint must be destroyed when the system is no longer in use.
Selling or Otherwise Profiting from Fingerprints Is Not Allowed
The Illinois Biometric Information Privacy Act puts stringent regulations on what an employer can do with collected fingerprints, even with a signed waiver.
The following actions are prohibited:
Selling fingerprint data;
Leasing fingerprint data;
Trading fingerprint data; or
Otherwise profiting from fingerprint data.
Though trade in biometric information is not yet widespread, one can see it as a future technology that advertisers will desire to use as a tool for pairing individuals with targeted marketing. (This is especially the case with facial recognition data.) Additionally, companies that trade in information will be tempted to sell biometric data to whoever is willing to pay. It is highly likely that there will be substantial violations of the Biometric Information Privacy Act when companies attempt to profit from biometric data they collect.
Disclosing or Giving Away Fingerprint Data Is Not Allowed
Employers who collect fingerprint data are not allowed to disclose or disseminate the data to anyone else unless one of the following conditions is met:
The subject of the fingerprint consents;
The disclosure completes a financial transaction requested or authorized by the subject of the fingerprint;
The disclosure is required by state or federal law or municipal ordinance; or
The disclosure is required pursuant to a valid warrant or subpoena.
If an employer discloses a fingerprint without being exempt under one of these four categories, the employer is in violation of the Act.
Reasonable Care Must Be Taken to Protect Fingerprint Data
If employers store or transmit fingerprint data, they must take reasonable care to protect that data from disclosure. This standard is determined by what is considered reasonable in the employer’s industry.
Employers must also treat fingerprints in an equal or more protective manner than the manner in which they treat other confidential and sensitive information. For example, one can examine the methods an employer uses to protect social security numbers or credit card numbers and expect that the employer would protect fingerprint data in a manner that is at least as protective.
What Happens If There Is a Violation?
Unlike so many laws, the Illinois Biometric Information Privacy Act has teeth. The Act provides for a penalty against an employer that uses or stores a fingerprint without full compliance with the law. The penalty depends on whether the violation was merely negligent (careless) or if it was reckless or intentional.
If the employer negligently violates the Illinois Biometric Information Privacy Act, the employee is entitled to $1,000.00 or the value of the actual harm he or she suffered (whichever is greater).
If the employer recklessly or intentionally violates the Illinois Biometric Information Privacy Act, the employee is entitled to $5,000.00 or the actual value of the harm suffered (whichever is greater).
Not only is the employee entitled to the compensation noted above, the employer also has to pay the employee’s attorney fees, case costs, expert witness fees, and other litigation expenses.
These cases can also be brought as a class action where an employee represents all those who are similarly situated and similarly harmed. Such cases are the best way to convince employers that they cannot scoff at laws meant to protect employees since the amount of money they have to pay is meaningful to them. (Few employers find an individual case financially meaningful.)
Where Can I Get Help?
Click here to contact us and we will put you in touch with one of our colleagues who handles this type of case. Initial consultations are free and these cases are typically handled on contingency (the attorney is paid from winnings).