With Great Data Comes Great Responsibility: The Illinois Biometric Information Privacy Act and the Construction Industry

March 5, 2018

By:  Daniel S. Brennan


Biometrics – a person’s unique genetic characteristics such as fingerprints, facial characteristics and retina features – are used in a variety of commercial contexts.  Whether it’s a fingerprint scan to unlock a smartphone or a facial scan to allow secured access to a sensitive laboratory or government facility, the use of biometrics is widespread and will only expand.  This is the case in the construction industry as well with the use of biometrics for site security, timekeeping and other functions.  While the efficiency and accuracy that biometrics allows are impressive, such use is not without legal pitfalls.  Some states – most notably Illinois – have passed laws to address the privacy concerns implicated by the use of biometric data.  This article will examine the provisions of the Illinois Biometric Information Privacy Act (“BIPA”), briefly address other states’ biometric laws, review how biometric data is used in the construction industry, discuss the current litigation under BIPA and illustrate some steps that construction companies can take to comply with, and avoid exposure to claims under, BIPA.

The Illinois Biometric Information Privacy Act

In 2008, Illinois enacted the BIPA.  The passage of this legislation was prompted, in part, because some major national corporations selected locations in Illinois for pilot tests of new and novel applications of “biometric facilitated financial transactions, including finger-scan technologies at grocery stores, gas stations, and school cafeterias.”  740 ILCS 14/5(b).  The key features of the BIPA are:

(1) Obtaining consent prior to collection
(2) Limiting rights to disclosure
(3) Mandating protection obligations and retention guidelines
(4) Prohibiting profiting from biometric data
(5) Creating a private right of action for individuals aggrieved by BIPA violations

Notably, BIPA only applies to “private entities.”  A private entity does not include “a State or local government agency” or any “court of Illinois, a clerk of the court, or a judge or justice thereof.” 740 ILCS 14/10.

BIPA regulates the “collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.” 740 ILCS 14/5(g) (emphasis added). BIPA defines a “biometric identifier” to include “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry,” but to exclude things like writing samples, written signatures, photographs, demographic data, physical descriptions, and certain biological materials or tissue samples used for medical or scientific purposes. 740 ILCS 14/10. “Biometric information,” in turn, includes “any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual,” but excludes “information derived from items or procedures excluded under the definition of biometric identifiers.” Id.

Expanding upon the key features listed above, BIPA prohibits any private entity from collecting, capturing, purchasing, or otherwise obtaining a person’s biometric identifiers or information without first informing the person in writing of the collection or storage (including the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used) and obtaining a written release from the person to do so. 740 ILCS 14/15(b).

BIPA further restricts any private entity “in possession” of biometric identifiers or information from (i) selling, leasing, trading, or otherwise profiting from such identifier or information; and (ii) from otherwise disclosing or disseminating such information unless the person consents, the disclosure completes a financial transaction authorized by the person, or the disclosure is required by law or requested pursuant to a warrant or subpoena. 740 ILCS 14/15(c)-(d).

BIPA also imposes duties on private entities to protect biometric identifiers or information that such entities obtain.  In particular, BIPA requires any private entity in possession of biometric identifiers or information to “store, transmit, and protect from disclosure all biometric identifiers and biometric information using the reasonable standard of care within the private entity’s industry,” which must be at least “the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.” 740 ILCS 14/15(e).

Finally, BIPA requires a private entity to create a written policy governing the retention and destruction of biometric identifiers and information collected.  Specifically, BIPA requires any private entity in possession of biometric identifiers or information to develop and adhere to “a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual’s last interaction with the private entity, whichever occurs first.” 740 ILCS 14/15(a).

Other States’ Biometric Information Laws

The states of Texas and Washington are the only other states that currently have biometric privacy laws similar to BIPA although legislation has been introduced in several other states.  Many states already have data privacy laws that govern circumstances such as notifying persons whose personal data has been compromised due to a security breach but those laws address different concerns than BIPA.  The Texas and Washington laws define “biometric information” in slightly different ways than Illinois.  For example, Washington defines biometric information as “data generated by automatic measurements of an individual’s biological characteristics.” See Litigation Under Illinois Biometric Information Privacy Act Highlights Biometric Data Risks  https://www.lexology.com/library/detail.aspx?g=8c3e4f57-8115-4b70-afaa-d262e0b45a9b.   Use of biometric data is restricted only if such information is reduced or enrolled in irreversible form in a database.  Texas more narrowly defines “biometric identifiers” to include only “a retina or iris scan, fingerprint, voiceprint or record of hand or face geometry.”  Id.  Most significantly each state provides different means of enforcement.  Only Illinois has created a private cause of action with provisions for statutory damages and recovery of attorneys’ fees (more on this below).  The Texas law is enforced by its attorney general.  In Washington, a violation of its biometric privacy law is a violation of Washington’s Unfair Business Practices-Consumer Protection Act which allows a cause of action for actual damages.  Id.

The Use of Biometric Information in the Construction Industry

The use of biometric data in the construction industry is expanding.  Timekeeping for site employees has been made more accurate and efficient due to biometric tools.  Contractors are using biometric handheld readers that use fingerprint scans to accurately record hours worked.  This information can be stored in the cloud and used to quickly generate timesheets that can more accurately track progress and productivity.  Billing for labor can, as a result, be generated in a shorter time frame.

Site security is another area where biometric information is being used.  For sensitive construction projects, facial recognition software is being used to check workers in and out.  A company based in the United Kingdom provided infrared facial recognition software for just such a use on some of London’s largest high-rise towers including the Shard.  See Biometrics Securing Construction Sites  https://www.secureidnews.com/news-item/biometrics-securing-construction-sites/2/.

The benefits of using biometric information are significant.  Biometric information – fingerprints, retina features and facial characteristics – captures uniquely personal data that makes verification of a person’s identity tremendously accurate.  Biometric information is also extremely difficult (never say never) to steal.  Compared to name badges, security cards and photo badges, these new tools are more reliable.  Because they are more reliable, these tools also better enable owners, contractors and subcontractors to control sites and the movement of workers onto and through the site.  On a complex renovation at a pharmaceutical facility, for example, it is easy to understand the importance of restricting access to certain areas.  When such areas are identified and a plan is developed to police access to those areas, that plan will be much more effectively implemented with biometric information.

However, as the discussion of BIPA above illustrates, there are now evolving compliance issues to be addressed when using these biometric tools on construction sites.  Consents are critical.  It may seem simple but obtaining such consents from all workers with multiple employers on site can be complicated especially if the gathering of information is done, not by a worker’s employer, but by a third party who will need consents from all of these workers regardless of their employer.

Litigation under BIPA

For many years after it was enacted, BIPA was largely ignored as a basis for litigation.  That has changed.  In the past several years, dozens of class action lawsuits have been filed seeking damages under BIPA.  The companies targeted include not only technology firms but restaurants, airlines, grocery stores and others.  The list includes American Airlines, United Airlines, Lettuce Entertain You, Speedway, Facebook, Google, Snapchat and others.  Many of the alleged violations occurred in the employer-employee context but the lawsuit against Lettuce Entertain You alleges that the restaurant operator improperly collected and stored customers’ facial scans at self-service ordering kiosks.  See Two More Companies Sued Under Illinois Biometric Information Privacy Act https://www.illinoispolicy.org/two-more-companies-sued-under-illinois-biometric-information-privacy-act/

Why the sudden surge in litigation?  There are probably a number of factors at play.  First, the technology to recognize, collect and store biometric information and identifiers has improved since 2008 when BIPA was passed and its use has grown.  When Illinois passed BIPA, it found itself in an unusual position — at the vanguard of legislative action to protect biometric information.  The technology has caught up.  Second, with the well-publicized and extensive hacks against companies like Target, Yahoo and any number of banks, the public has become more informed about just how much personal data is out there and how vulnerable it is.

Of course, there is the money.  As mentioned above, BIPA creates a private right of action for statutory violations. Any “person aggrieved by a violation” may recover for “negligent” violations of BIPA either liquidated damages of $1,000 or actual damages whichever is greater.  740 ILCS 14/20(1).  For “intentional” or “reckless” violations, an aggrieved person may recover $5,000 or actual damages whichever is greater. 740 ILCS 14/20(2).  The prevailing party may also recover its reasonable attorneys’ fees and costs.  While the value of an individual plaintiff’s case appears limited, the value of a class action case – with the aggregation of claims for hundreds or thousands of class members – could be substantial.

Finally, the limited case law is split on whether a claim under BIPA is viable for only statutory damages even in the absence of actual damages.  In Monroy v. Shutterfly, 2017 WL 4099846 (N.D. Ill. Sept. 15, 2017), the plaintiff filed a putative class action complaint against Shutterfly.  According to the allegations of the complaint, Shutterfly uses facial recognition software to scan digital photographs uploaded to its websites and then create maps or templates for each face in a photograph.  Shutterfly stores the facial geometry and every time a new digital image is uploaded that new image is compared to the database of facial geometry.  When there is a match, users are invited to “tag” the image with the recognized person’s name.  Id. at 1.  The plaintiff, not a Shutterfly user himself, alleged that a user uploaded a photo with his image which was then scanned, analyzed and his facial geometry then stored by Shutterfly.  The defendant moved to dismiss on a number of grounds including failure to allege actual damages.  After examining the statutory language and limited case law available on the issue, the court concluded that, while the question was a “close one,” actual damages are not required to state a claim under BIPA.  In contrast, an Illinois appellate court in Rosenbach v. Six Flags Entertainment Corporation, 2017 IL App. (2d) 170317 (Dec. 21, 2017) interpreted the phrase “person aggrieved” to mean a plaintiff must have suffered some actual injury to even state a claim for statutory damages.

Steps to Protect Yourself under BIPA

There are some practical steps that you can take to avoid violations of BIPA and potential litigation over such violations.  These include:

  • Review your company operations to determine whether biometric information is used in your business.
  • Establish a written policy on collection, use and storage of biometric information.
  • Review your current data collection and retention policies and conform those policies to BIPA.
  • Revise employee/worker consent forms to ensure that such consents cover all of the requirements in BIPA.
  • Review your data protection policies to validate that such strategies comport with the reasonable standard of care in the industry for protection of data as required under BIPA.