User placing finger on fingerprint scanner

While not strictly speaking a wage and hour issue, here is a heads-up to any employers that use timekeeping systems featuring biometric security, like a thumbprint or fingerprint scanner:

You might want to read this recent Crain’s Chicago Business article about a class action lawsuit recently filed against the Mariano’s chain of grocery stores under the Illinois Biometric Information Privacy Act (BIPA). In this lawsuit, a former pharmacy employee claims that Mariano’s violated his rights under BIPA by requiring him and other employees to check in and out of work using a fingerprint scanner without providing the disclosures mandated by the law.

BIPA requires any “private entity” in possession of “biometric identifiers or biometric information” to, among other things:

  • Develop and make publicly available a written policy for retention and destruction of biometric identifiers and information;
  • Dispose of such information once the purpose for collecting it has been satisfied or within 3 years of the individual’s last interaction with the entity, whichever occurs first;
  • Provide a written notice to and obtain a written release from an individual before collecting or obtaining their biometric information or identifiers;
  • Treat any biometric data “in a manner that is the same as or more protective than” the manner in which it the entity “stores, transmits and protects other confidential and sensitive information.”

The law provides a private right of action against any private entity that violates it, and allows individuals to recover liquidated damages of $1,000 per violation for negligent violations, or $5,000 or for intentional or reckless violations, in addition to attorneys’ fees and court costs.

While it’s not at all clear that the law was written with employee timekeeping in mind, it’s provisions are certainly broad enough to cover those systems, and it applies to just about every organization other than state and local governments and certain financial institutions.

BIPA is an Illinois law, but other states have either considered or adopted similar legislation. For example, Texas Business and Commercial Code Sec. 503.001 imposes similar requirements. For a relatively recent overview of the law in this area, check out this article by Ted Claypoole and Cameron Stoll in Business Law Today.

If your organization uses biometric security for its timekeeping system, building access, information security, or any other purpose, either make sure that you’re complying with the law in your jurisdiction, or consider turning those features off and securely deleting any data that you may have collected.