US State supreme court sets high bar on handling of biometric information

Source: Business Insurance

Franklin Z. Wolf, April 01, 2019

The Illinois legal landscape recently became more of a minefield for employers due to the decision by the state’s Supreme Court in Rosenbach v. Six Flags Entertainment Corp. that gives the Illinois Biometric Information Privacy Act new teeth and requires all private entities — subject only to limited exceptions — to be even more cautious in how they collect, store and use biometric information.

Enacted in 2008, the law requires private entities, including employers, that collect or maintain employees’ fingerprints, retinal or iris scans, voiceprints, hand scans or face geometry to first receive written consent from the employee, and also develop a publicly available policy that establishes the retention schedule for the applicable biometric information. The law further mandates that the employer destroy biometric information upon the earlier of either of the following circumstances: the initial purpose for collecting the relevant biometric information has expired, or within three years of the individual’s last interaction with the employer. Further, the law imposes a reasonable standard of care upon employers that applies to collection, maintenance and transmission of biometric data, and prohibits the sale, leasing or trading of any such information.

The implications are apparent from the plain language of the law. If an individual prevails in a lawsuit, he or she is entitled to $1,000 per negligent violation and $5,000 per willful violation, or actual damages, whichever is greater. Perhaps most importantly, it also provides for attorneys’ fees, costs and any other relief that a court may deem appropriate. If a private entity collected, maintained or used biometric data on a mass or even moderate scale, violating the statute’s provisions could result in costly penalties that escalate quickly.

The magnitude of these risks is evidenced by yet another Illinois class action case, Sekura v. L.A. Tan Enterprises Inc., wherein the parties reached a settlement of approximately $1.5 million in connection with various violations of the law.