BIPA stands for “Biometric Information Privacy Act,” and it guards against the unlawful collection and storing of biometric information. This law was first passed in 2008 in Illinois. Since then, two other states have instituted similar laws, Washington and Texas. The purpose of the law was to create a standard of conduct for private entities to collect or possess biometric information responsibly.
A very important aspect of this law is that it is the ONLY US Law that allows for private individuals to file a lawsuit for damages stemming from a violation. In the language of the act, the penalties per violation are $1,000.00 and $5,000.00. The lower amount if the act was unintentional, and the higher amount if the violation was intentional or reckless. Needless to say, these damage provisions have caused several class-action lawsuits.
BIPA basic requirements are:
1. Obtain consent from individuals if the company intends to collect or disclose their personal biometric identifiers.
2. When the employee leaves or is terminated, the employer must destroy biometric identifiers in a timely manner.
3. Securely store the biometric information.
This, of course, makes sense if biometric data can be reconstructed and identify the employee. But many systems have safeguards in place where that is a mathematical impossibility.
What personal data does the BIPA cover?
The term in the law is “biometric identifiers” but, according to many law professionals, that is a very broad term. Section 10 of the BIPA defines it more precisely as retina or iris scan, fingerprint, voice print, hand scan, and face geometry.
The law also includes biometric information.
The definition of Biometric information – data “based on an individual’s biometric identifiers” that is “used to identify an individual.”
There are many judgments from the courts that flip flop back and forth on this issue, and it can become a very sticky situation for an employer.
How to comply with the BIPA?
- Develop a biometric collection and retention policy.
This should be drafted by an attorney that is familiar with the BIPA as well as your data collection system and procedures. Post this policy along with others that you post for your employees to see and understand. - Develop a biometric consent approval form.
This should be a hard copy paper form. There is nothing more safe than have someone read and sign a consent form.
There are some time clocks that have a “passive consent” added to the process of enrolling employees in the clock, but there is some doubt as to whether that is adequate. It is more dificult to deny signing a consent form than it would be to remember what occured during the enrollment process. - Verify and document that the Biometric data is secure.
- Create a written schedule for biometric data cleanup based on the BIPA Act to protect yourself and your employees.
Taking advantage of Technology is important, but you must also educate yourself as to the laws and how the technology can affect you and your company.
For more information concerning the BIPA see below