Many employers have opted to use technology to their advantage by adopting biometric timekeeping systems or similar systems for workplace access. But adopting such technology is not without risk. Indeed, with data breaches on the rise, employees and consumers have become more vigilant about protecting their personal data and using state privacy laws and the like to do so. The Illinois Biometric Information Privacy Law is one such law that places restrictions on businesses that collect biometric information of individuals. That law defines biometric information as “any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier [i.e. ‘a retina, iris scan, fingerprint, voiceprint, or scan of hand or face geometry’] used to identify an individual.” 740 ILCS 14/10.
While the Illinois Biometric Information Privacy Law has been on the books for over a decade, there has been a question whether a person could assert a claim under that law without alleging actual harm. That question has now been resolved with the Illinois Supreme Court’s January 25, 2019 decision in Rosenbach v. Six Flags Entertainment Corp., et al. In Rosenbach, the Supreme Court had to consider whether a person whose thumbprint was collected to obtain a season pass at an amusement park, without the necessary consent, was an “aggrieved” person under the biometric statute and therefore could pursue a claim without alleging an actual injury or adverse effect. Using a statutory construction analysis, the Court held that a person is “aggrieved” under the statute even in the absence of an allegation of actual injury, and thus can pursue a claim.
The underlying facts of the Rosenbach case of course don’t relate to employment law or biometric timekeeping systems in particular. But the holding of the case should send a message to Illinois employers that the state biometric law, which provides for liquidated damages and attorney’s fees, cannot be ignored. Indeed, employers who require employees to use a fingerprint to access a timekeeping system or otherwise collect biometric information of employees MUST take the necessary steps to obtain an employee’s consent before that collection. Namely, employers must inform the person in writing that biometric information is being collected or stored, identify the purpose for which it is being collected or stored, and for how long, and obtain the person’s written consent. 740 ILCS 14/15(b). In addition, employers must develop a written policy that establishes a retention schedule and guidelines for permanently destroying the biometric information once it is no longer needed, or within three years of the employee’s last interaction with the employer, whichever occurs first. 740 ILCS 14/15(a).
Illinois employers who have questions about complying with the state biometric law and other state privacy laws should consult counsel.