Nine years after Illinois legislators passed the Biometric Information Privacy Act (BIPA), a surge in litigation has forced state courts to consider sui generis questions related to privacy and the legal definition of “actual harm.” Though the law was passed in 2008, it wasn’t until late 2017 that workers started pursuing legal action in response to mandatory finger-scanning. Washington and Texas have passed similar laws, but those measures preclude the private right to sue. Instead, they endow the state with regulatory powers over the retention and use of biometric data. In Illinois, there is also a regulatory framework, but in addition to that framework, state residents may sue their employer for $1,000 in cases of negligence and $5,000 in cases of intentional tort.
There are a number of actions a company must take to comply with BIPA. Those include a written policy containing a schedule for the use and destruction of the biometrics; a notice stating the employer’s intent to collect data and the length of time they plan on using said data; a consent form obtained from each worker; a policy of reasonable confidentiality; and a policy prohibiting the selling of data to third-parties.
By contrast, the Washington law pertains primarily to biometric data obtained for the purposes of commercial use. In order to sell such data, companies must obtain consent from consumers prior to the sale, and where the company intends to extend their use of biometrics beyond the initial consent, they must, once again, ask for permission. Moreover, the requirement to obtain permission is “context-dependent.” For instance, in security situations, companies may forgo the acquisition of consent altogether.
There is a debate brewing over whether the BIPA provision allowing for statutory damages is adequate to its purpose. Lisa Sotto, a privacy advocate at Hunton & Williams LLP, told Bloomberg that it may be more beneficial to allow attorneys general – as opposed to individual residents – to handle matters of biometric privacy, as they “might be much more thoughtful about what kind of actions they bring.” By contrast, Ari Scharg, a class action lawyer for Edelson PC, surmised that attorneys general might be reluctant to pursue such cases because of some inherent difficulties, not least of which is the tendency for companies to effectively hide their less-than-savory activities.
Questioning the Practice
It is important to note, however, that recent disputes have led to a deeper interrogation of biometric data collection as a practice. Instead of alleging any particular harm, litigants have pursued claims related to seemingly innocuous practices, such as clocking in and out with fingerprints. In Paramount of Oak Park Rehabilitation & Nursing Center LLC, a rehabilitation center was sued for precisely this reason. And nearly 30 more companies have been sued under similar circumstances.
The Normalization of Biometric Data Collection
According to some critics, actions such as these might dissuade technological advancement in the field of biometrics, but one might wonder, along with the entire academic field known as surveillance studies, whether we should allow such “advancements.” Once upon a time, biometric data was stigmatized as a marker of criminality. Now, the practice of biometric data collection has been normalized to such a degree that those of us who own iPhones or those of us who move through airports are used to such bodily impositions.
The Question of Privacy
On this view, the issue of privacy – that is, the ability to control the flow of one’s biometric information – may be a red herring, obscuring the more fundamental problem of how we relate to our own bodies. In a chapter entitled “Biometrics and the Body as Information,” Irma van der Ploeg asserts the following: “[P]roclaiming body data ‘private’ or ‘worthy of protection,’ just like any other ‘personal data,’ goes some of the way, but does not exactly do justice to the fact that embodiment is central to individuality and identity in a way that my social security number or my car rental records are not.”
Thus, the lawsuits emerging in Illinois might be precisely what companies need to refrain from delving further down the rabbit hole of biometric data collection.
Related article: medium.com/the-future-of-biometric-privacy-legislation-a059ef04c280