Who’s got your fingerprint and what are they doing with it?

Posted: November 16, 2017

Pretty amazing: Workers can now punch in simply by touching a fingerprint scanner. The technology, however, is a landmine in what one writer calls “the next class-action battleground.”

More than 40 class action suits have been filed in the last three years for improper handling of biometric information. Fingerprints captured by an employer is the classic case.

The troubles started with an Illinois law, enacted in 2008, designed to protect the privacy of people’s biometrics information, including retina scans, fingerprint scans, voice prints and facial geometry. The Biometric Information Privacy Act or (BIPA), doesn’t ban use of biometric technologies outright; rather, it addresses privacy protection.

It requires entities capturing or storing biometric identifiers or information to:

  • Secure the express written consent of affected individuals;
  • Publish a policy specifying a biometric retention schedule and guidelines for destruction;
  • Destroy the stored information within three years of the person’s last interaction with the organization or whenever the purpose has passed;
  • Protect the information with a reasonable standard of care.

Penalties include $1,000 for negligent violations and $5,000 for reckless or intentional violations.

Typical fact patterns

The first class-action defendant was Facebook in 2015, followed by Google, Shutterfly and Snapchat. Early suits tended to focus on facial recognition in online photographs. Cases against these companies are still working their way through the courts.

The other fact pattern is improper collection and use of fingerprints, primarily in the workplace. Writes the law firm Winston and Strawn, “[D]ozens of complaints have been filed alleging that companies failed to provide notice or obtain consent before collecting individuals’ fingerprints. This complaint typically arises in the employment context, where hourly employees use their fingerprints to clock in.”

Hyatt was sued on this on Oct. 30. United Airlines was sued Nov. 7.  If every touch of the screen constitutes a separate violation, damages could get expensive.

Regardless of the resolutions of cases like these, writes Christina Ferrari of Bernstein Shur, “businesses should expect to see similar lawsuits in states that enact legislation modeled after BIPA.”

Defenses and advice

Winston and Strawn point to a number of defenses.

  • The definition of an identifier is untested in the facial recognition context.
  • The typical harm to a plaintiff may be too abstract or immaterial to give rise to standing.
  • When defendant organizations have national footprints and only minimal operations in Illinois, jurisdictional questions arise. Ferrari names a handful of states with similar legislation in the works.

Whether your state is one of those or not, here’s advice from Ferrari for every business using biometric technology.

  • Develop a clear and conspicuous notification and consent process that follows applicable state law;
  • Develop data retention and disposal policies that are disclosed to its customers; and
  • Employ an opt-out structure for customers.

Although biometrics are on the rise and present a convenient way to authenticate identities, individuals are worried about privacy (or at least claim to be) and lawyers are holding companies accountable.

With a few careful measures, corporate legal departments can avoid litigation and step safely around the landmines in the next-class action battleground.