Corporations in Illinois, Texas and Washington could be subject to extensive monetary damages if they collect any biometric identifier, including fingerprints or voice scans. Businesses should carefully comply with privacy laws to avoid liability.
Illinois Biometric Information Privacy Act
Nearly a decade after its implementation in October 2008, the Illinois Biometric Information Privacy Act has seen a surge in class actions and individual claims. In September 2017 alone, seven class actions were filed in Illinois, compared to nine in all of 2016.
Under the act, any private entity must follow detailed requirements to ensure any individual providing identifier data has fully consented. Each entity must, in part:
- Develop a publicly available written policy regarding its retention and destruction of any biometric identifying information
- Provide any individual releasing the information with disclosures addressing the purpose and length of time the information is retained
- Receive a signed consent form from the individual
Violation of these provisions subjects entities to a $1,000 or $5,000 fine per violation, attorney fees, and other relief.
Texas Capture and Use of Biometric Identifier Act
A similar law was passed in Texas, limiting the use and retention of biometric identifiers. While the statute allows for employer use of the information, the risks are much steeper. Each violation of the Texas act is subject to a civil fine up to $25,000. Importantly, there is no private right of action, so enforcement is left to the Attorney General.
Washington Biometric Act
Washington is the third state prohibiting use of biometric identifying information. Washington legislators learned from their predecessors and created a more narrowly tailored violation provision. The Washington statute limits liability to commercial use or sale. Moreover, its consent requirements are less burdensome.
At least three states have pending legislation to limit the collection and use of biometric identifiers, with some proposed legislation permitting a private right of action.
Because biometric information has proven to be one of the best ways to protect the safety of proprietary information, more and more businesses are requiring employees to provide their biometric information. As this trend grows in popularity, courts are just beginning to interpret these acts, and some courts are interpreting them broadly. While exposure to liability varies by state, it is critical for every entity to examine its collection and retention policies for biometric information. As states continue to enact these laws, corporations must ensure they are proactively complying to avoid extensive liability.