Biometric Class Action; Is Our Privacy Being Affected?
Recently, numerous biometric class action lawsuits have been filed against companies who require employees to clock in and out of work, illegally, with the use of biometric scans, such as fingerprinting and facial recognition. These biometric lawsuits accuse their respective companies of scanning employee fingerprints for timekeeping, without first obtaining permission from the worker, while also failing to establish company policy on the collection, storage, and destruction of said private employee information. These biometric practices are considered a breach of privacy, and are increasing as employees and consumers begin to sharpen up on their state’s existing laws.
In a lawsuit against fast-food giant Wendy’s, the complaint expresses that “if a fingerprint database is hacked, breached, or otherwise exposed, employees have no means by which to prevent identity theft and unauthorized tracking.” Similarly, these lawsuits are also holding companies accountable for damages if they fail to inform employees on the use of these biometric identifiers, including fingerprints and retina scans.
Consumer Privacy Laws by State
States continue to step up and prohibit the use of facial and fingerprint recognition technologies, and recently, California was added to this list. Per Veridium, last June, California passed the California Consumer Privacy Act, which will change how companies in the state collect and commercialize consumer data. This groundbreaking consumer privacy rights law—which goes into effect on Jan. 1, 2020—enacts rules that make the collection, sharing and sale of personal information, including biometrics, more transparent.
In short, The California Consumer Privacy Act includes biometric information within the definition of personal information, and defines it as “an individual’s physiological, biological or behavioral characteristics … that can be used, singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina … [and] face …, from which an identifier template such as a faceprint … can be extracted ….”
Within this new act, if a business holds annual gross revenue of more than $25 million, or receives the personal information of 50,000 or more consumers annually, it must comply with the new law. Similarly, if the business collects personal information of more than 137 people per day, it must also comply.
BIPA in Illinois
Moreover, Illinois has established the Biometric Information Privacy Act (BIPA), and the Act continues to grow stronger and gain more support as litigation against biometric data collection practices continues to increase.
Per Law360, Illinois enacted BIPA in 2008 after Pay By Touch, a company that sold fingerprint scanners to Illinois retailers for processing purchases, filed for bankruptcy, putting millions of fingerprints at risk of being sold through the bankruptcy hearing.
Since this occurred, many forms of biometric scanning have faced legal challenges under Illinois law, like the face-scanning technology that Facebook Inc. is currently defending in California federal courts, and the “voiceprint” technology an online driving school uses to verify students’ identities.
BIPA regulates the collection and storage of biometric identifiers such as retina or iris scans, fingerprints, voiceprints, or any scan of hand or face geometry. Under BIPA, a private entity must provide written notice to individuals that collections will occur, as they must also state the purpose of said collection. The companies must also receive informed written consent from the individual/employee to proceed with this collection process. Moreover, before any sharing of this biometric data with third parties occurs, a private entity must also obtain additional consent beyond their initial required consent as well.
What Does This Mean For Businesses That Use Biometrics?
As laws increase against the use of Biometric tracking, businesses will have to start complying with the laws listed above. These businesses must also be prepared to provide this information to consumers upon it being requested, and also to delete any biometric information they control if a consumer or employee requests it.
If businesses refuse to comply, the California Attorney General may enforce these laws subject to a thirty-day cure period. The penalty for intentional violations can total $7,500 per violation.
Major companies like Facebook, Google, Comcast, AT&T and Verizon lobbied against the legislation while privacy advocates supported it.
A Call To Action – Protect Your Biometric Information!
If you believe to have been affected by unlawful biometric data collection practices, we ask that you share your story with us! Please provide some detail on your issues with the process, whether you are an employee or a consumer, and what you’d like to see done! We urge you to reach out to us using the Call To Action Button, below, or even by simply commenting on and sharing this story with your friends to spread the word.
Did we not cover an issue concerning your Biometric Data Collection experience? We’d love to hear from you! If so, we ask that you shoot us an email to Outreach@ConsiderTheConsumer.com, find us on Twitter, Facebook, Instagram, LinkedIn, or even connect with us directly on our website! We look forward to hearing from all of you.
Interested in articles like these? Become a subscriber below!