The Illinois biometric privacy law says no private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person’s or a customer’s biometric identifier or biometric information unless it first:
informs the subject or the subject’s legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored;
informs the subject or the subject’s legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and
receives a written release executed by the subject of the biometric identifier or biometric information or the subject’s legally authorized representative.
It also says no private entity in possession of a biometric identifier or biometric information may disclose, redisclose, or otherwise disseminate a person’s or a customer’s biometric identifier or biometric information unless the subject of the biometric identifier or biometric information or the subject’s legally authorized representative consents to the disclosure or redisclosure.
The law defines biometric information and biometric identifier to include fingerprints.
Years before the law was passed, an employer started using fingerprints for the payroll system. Each time an employee signed in or out of work or wanted access to their pay stub, they had to use their fingerprint to gain access.
After the law went into effect, the company did not go through the process of informing employees that they were using biometric information, how long they were going to store it, and getting written consent.
In addition, behind the scenes, the company used a third-party payroll system. Each time, the fingerprint data was transmitted to the third-party payroll system to be compared to what was stored in the system and give the employee access.
An employee sued for violation of the act because written notice wasn't given and consent was not received, and the fingerprint data was shared illegally with a third party because no consent for sharing the data was provided.
The company argued that the case should be dismissed because the first violation happened outside the statute of limitations. The employee argued, and the lower court ruled that each time a fingerprint was used and each time a fingerprint was transmitted to the third-party payroll software provider, there was a new violation of the law. The lower court also found that each time a fingerprint was obtained without consent and each time a fingerprint was transmitted to a third party without consent was a separate violation of the law allowing for separate damages.
The case was ultimately appealed to the Illinois Supreme Court. It agreed that each instance of fingerprint collection and each instance of transmission of the fingerprint to a third party without consent is a separate violation of the statute and that separate statutory damages apply to each instance even though on a class-wide basis, the damages in the case could exceed $17 billion.
WHY THIS IS IMPORTANT... State-level privacy laws are showing up throughout the United States. Many states are now adopting biometric privacy laws like the Illinois statute. Failure to comply could lead to business jeopardizing penalty levels if they are interpreted the same way this statute is.