Posted October 11, 2021
Biometric Tech: The Wave of the Future and a Violation of Privacy?

Illinois restaurants and bars are facing a new wave of class action lawsuits over their use of biometric information to identify customers and employees. Although Illinois may have the first and strictest set of laws about this type of information, business owners across the country should be prepared for their states to follow suit.

Biometric information—think facial recognition, fingerprints, and retinal scans—can be incredibly useful for bars and restaurants seeking to increase profits. With this data, customers (and their past orders or preferences, for example) can be instantly recognized.

Clubs that offer memberships can ensure that membership privileges are being enjoyed by the actual paying member (versus someone to whom a membership card or key fob has been “loaned”). Employers can have employees clock in or access a POS system with a fingerprint, which can help prevent employee theft and fraud. Bars can quickly scan faces and IDs for underaged drinkers and banned patrons.

However, believing there is too much uncertainty surrounding the privacy rights of individuals’ biometric data, the Illinois legislature passed the Biometric Information Privacy Act in 2007. Known as “BIPA”, the act seeks to protect data that is truly unique to the individual—and unlike a compromised social security number, cannot be changed.

BIPA went largely ignored for many years until 2015, when an Illinois Supreme Court decision allowed a 15-year-old to recover damages after his fingerprint was improperly used for admission to an amusement park. What followed was a staggering 3,233% increase in litigation by employees and customers in just six years. Plaintiffs filing these class actions—many against small businesses—seek $1,000 per violation (plus costs and attorney fees) if the BIPA violation was negligent, $5,000 if it was intentional or reckless, or more if they can show higher actual damages stemming from a business’s failure to follow BIPA’s strict requirements. 

What are BIPA’s requirements? In short, a business cannot collect biometric information without written consent, and it must disclose specific written details of how it intends to use, retain, protect, and ultimately destroy that information.

Technology can be a lifesaver for businesses looking to improve efficiency, especially when faced with staffing challenges as the coronavirus pandemic subsides. But it can expose a business to substantial liability if it is not handled according to the precise letter of the law.

If you are considering any new software, program, or vendor that might make use of biometric data, consult with an attorney to be certain you are complying with all disclosure, consent, and storage obligations. If the software or program comes with a contract, be sure to carefully read the fine print to avoid unknowingly agreeing to defend and indemnify the vendor for allegations it has violated BIPA as a result of your use of the product.  

Learn more about insuring your business with ICC by contacting an ICC agent today. The Find an Agent search on our homepage will help you locate an ICC agent in your area.