Biometrics and the Biomet…

Modern technology is a wonderful thing. It can provide directions, the words to a song, or even an idea for a presentation. Some companies even use modern technology like biometric devices as security and safety measures. Unlike passwords and PINs, biometrics are sophisticated enough to protect against data breaches, yet user-friendly enough that they do not impede workflow.

What Are Biometrics?

Biometrics involves the use of unique physical or behavioral characteristics, such as fingerprints, facial recognition, iris scans, and voice recognition, to verify an individual's identity. These characteristics are difficult to replicate or steal, making biometrics a highly reliable method for security.

How Can Businesses Benefit from the Use of Biometrics?

Enhanced Security: Biometric data is unique to each individual, making it extremely difficult for unauthorized users to gain access. Unlike passwords, which can be forgotten or stolen, biometric identifiers are part of the user’s intrinsic identity. No more finding passwords written on paper near the computer.

Convenience and Efficiency: Biometrics streamline the authentication process. Employees no longer need to remember complex passwords or carry access cards. A quick fingerprint scan or facial recognition can grant access within seconds.

Reduced Fraud and Identity Theft: Since biometric traits are unique to each person, the risk of fraud or identity theft is significantly minimized. This is particularly crucial for financial transactions and access to sensitive data.

Audit and Compliance: Biometrics provide a clear audit trail of access and activities. This is invaluable for regulatory compliance and internal security audits. So, when the Federal Motor Carrier Safety Administration wants to audit the records of your drivers, that data will be readily available and linked to each specific driver.

The Biometrics Information Privacy Act (BIPA)

The use of biometrics may sound great, but it brings privacy concerns with it. After all, biometric data cannot be changed. As the use of biometrics spreads, lawmakers have taken note. The Biometrics Information Privacy Act (BIPA) was first enacted in Illinois in 2008 and has since been enacted by Texas and Washington State. Colorado expanded its consumer privacy law, which protected biometric data, to include its use by employers. Additionally, several other states such as California, Connecticut, Utah, and Virginia have enacted consumer privacy laws that include provisions for biometric data. Several cities like New York City have adopted similar laws.

BIPA sets stringent requirements for the collection, use, and storage of biometric identifiers. In a nutshell, it requires four things:

  1. Informed Consent: Before collecting any biometric data, businesses must inform individuals in writing about the purpose and duration of data collection, storage, and use. Explicit written consent from the individual is mandatory.
  2. Data Protection: Companies must implement robust security measures to protect biometric data from unauthorized access, breaches, and leaks. This includes encryption and other advanced security protocols.
  3. Disclosure Restrictions: Biometric data cannot be sold, leased, traded, or otherwise used for profit. Disclosure is only permitted under specific circumstances, such as with the individual’s consent or as required by law.
  4. Retention and Destruction: Businesses must establish a clear policy for the retention and destruction of biometric data. Data should be destroyed when the initial purpose for collection has been fulfilled or within three years of the individual’s last interaction with the business, whichever comes first.

What are the Penalties for Violating BIPA?

Non-compliance with BIPA can result in significant legal and financial repercussions, including hefty fines and lawsuits. Therefore, businesses must prioritize compliance by conducting regular audits, training employees on data privacy practices, and staying updated with any legislative changes.

For every negligent violation, a business can incur a penalty of $1,000. If the violation is intentional or reckless, the penalty increases to $5,000. In addition to fines, businesses may also be liable for actual damages if they exceed these penalties, as well as reasonable attorneys’ fees and litigation costs. BIPA also allows for injunctive relief, which means a court can order a business to take specific actions to comply with the law.

Strict Compliance is Crucial: In the case of Rogers v. BNSF Railway Co., BNSF Railway was found to have violated BIPA by collecting fingerprints from over 45,000 truck drivers without obtaining proper consent. The company was initially ordered to pay $228 million in damages. However, a recent ruling by the U.S. District Court for the Northern District of Illinois determined that BIPA’s statutory damages are discretionary, not mandatory, leading to a new trial to reassess the damages.

Repeated Violations Increase Liability: In Cothron v. White Castle Systems, the Illinois Supreme Court ruled that a BIPA violation occurs each time biometric data is collected or disclosed without consent, not just the first time. This decision has expanded the potential liability for companies, as repeated violations can lead to substantial cumulative damages.

What Best Practices Can Your Business Follow to Minimize Risk?

Obtain Informed Consent: Always inform individuals about the purpose and duration of biometric data collection, storage, and use. Obtain explicit written consent before collecting any biometric data.

Minimize Data Collection: Collect only the biometric data necessary for the specific purpose. Avoid excessive or unnecessary data collection to reduce the risk of misuse.

Implement Strong Security Measures: Use advanced security protocols, such as encryption, to protect biometric data both in transit and at rest. Regularly update security measures to address new threats.

Limit Access: Restrict access to biometric data to authorized personnel only. Implement physical and digital access controls to ensure that only trained and authorized individuals can handle biometric systems.

Regular Audits and Assessments: Conduct regular audits and privacy impact assessments to ensure compliance with data protection regulations and to identify potential vulnerabilities.

Transparency and Communication: Clearly communicate with individuals about what biometric data is being collected, how it will be used, and with whom it will be shared. Provide easy-to-understand privacy policies and obtain feedback from your employees.

Retention and Destruction Policies: Establish clear policies for the retention and destruction of biometric data. Ensure that data is destroyed securely once it is no longer needed for the original purpose.

Training and Awareness: Train employees on the importance of data privacy and security. Ensure they understand the proper procedures for handling biometric data and the potential consequences of non-compliance.

Conclusion

It’s crucial for businesses to ensure compliance with BIPA to avoid substantial penalties and the potential for costly litigation. Regular audits and employee training on data privacy practices can help mitigate these risks. If you have employees in Illinois, Colorado, Texas, or Washington, you had better take note of the requirements. In other states, some form of biometric protection is around the corner.

If you have specific questions related to this article or any privacy issue, please contact Mitchell Goldstein (mgoldstein@setlifflaw.com) at (804) 377-1269, or Steve Setliff (ssetliff@setlifflaw.com) at (804) 377-1261.