Biometric data (fingerprints, retina scans, voice recognition, etc.) are used to identify an individual using that person’s unique biological characteristics. No longer a thing of the future or portrayed in an episode of “Mission Impossible,” private companies and the government collect and use biometric data for a variety of reasons. The use of biometric data ranges from the mundane—tracking employees or serving as a substitute for a typed password log-in on a mobile phone—to the more sophisticated—enhancing national security by monitoring individuals’ whereabouts. The restaurant industry uses biometric data, for example, by scanning employees’ fingerprints to track time, allow access to restricted areas, or to access computer software to place an order. The use of fingerprints and other biometric data, while convenient and often necessary, is not without litigation risk.
The use of fingerprints and other biometric data, while convenient and often necessary, is not without litigation risk.
An increasing number of states have enacted statutes governing the protection of biometric information. Chief among these states is Illinois, which in 2008 passed the Biometric Information Privacy Act (BIPA). Under BIPA, a company must obtain consent from an individual whose biometric data it collects, stores, or uses. If the company does not obtain consent, the owner of the biometric data may recover statutory damages and attorneys’ fees from the company. For example, if a company collects one person’s fingerprints on one occasion, without the person’s consent, the individual can recover statutory damages of $1,000. If the company also used and stored the fingerprint data without consent, that amounts to two additional violations, each for an additional $1,000 in statutory damages. If the violations were reckless or intentional, damages rise to $5,000 each, so in this hypothetical the total climbs to $15,000. If the fingerprint data was given to an outside payroll company repeatedly, each time the data was shared constitutes a separate violation. If a company employs dozens, hundreds, or even thousands of people, the potential damages related to a BIPA violation quickly multiply. In addition to these statutory damages, BIPA allows for recovery of attorneys’ fees and injunctive relief, typically in the form of ceasing to collect, use, or store biometric data without consent.
Not surprisingly, BIPA has become a darling of the plaintiffs’ bar, with dozens of class action lawsuits filed in each of the last few years under the statute. A number of restaurants and other businesses in the hospitality industry, from national chains to single-location storefronts, have been hit with BIPA lawsuits. Most of these suits follow the same formula: an employee alleges that the defendant company scanned his or her fingerprints (often for payroll purposes), stored the fingerprints, and provided the fingerprints to a third party (such as a payroll vendor), all without the employee’s consent. The plaintiff employee typically seeks to represent a class of all employees from whom the company obtained, used, and stored fingerprint data.
The case law in this area is still in the early stages, as courts and parties to litigation grapple with what kind of injury (if any) a plaintiff must suffer to pursue a BIPA claim. Some courts have found that a plaintiff cannot bring a BIPA claim unless the violation of the statute led to some other injury, such as stolen identity or financial damages. Other courts have held that biometric information is so valuable that a plaintiff can successfully assert a claim for damages stemming from a violation of the statute even if he or she did not suffer any actual harm from the use of the biometric data.
Regardless of how different courts interpret and apply the Illinois statute, the BIPA class action trend has made companies understandably nervous about collecting data that is essential to their operation, even in states where biometric protection laws do not yet exist. The question becomes, then, how to limit the risks associated with collecting, using, and storing biometric data. The answer is simple enough: “consent, consent, consent,” but what does that mean? If a restaurant or other business collects, uses, or stores biometric data of any type, it must get explicit (i.e., written) consent from the owners of that data, and the consent must cover all aspects of collection, use, or storage. In the case of an employee whose fingerprints will be maintained during the course of employment for any reason, consent should be obtained prior to the time the employee’s fingerprints are first collected. Any business that collects biometric data should also have policies and procedures to ensure compliance surrounding the collection, use, and storage the data, as well as compliance with practices relating to obtaining consent. Implementing rigorous policies can also mitigate future liability if a third party were to steal that information.
Perhaps more importantly, the exercise of reviewing and implementing policies often helps companies shore up their practices relating to biometric and other sensitive information, preventing the unwanted exposure of that information. Although only a few states have biometric privacy laws on the books already, more states are considering this kind of legislation. Moreover, biometric information is the kind of “personally identifiable information” that can give rise to other legal claims if it is stolen or simply publicly exposed. Companies in all industries—and in particular those in the restaurant industry—should therefore review and implement policies to comply with the biometric protection laws of their states, and ensure the protection and safekeeping of information, including fingerprints. The costs of doing so are minimal compared to the future risk if an employee brings a lawsuit or the information is compromised.