The recent decision by the Supreme Court of Illinois regarding the Illinois Biometric Information Privacy Act (BIPA) has huge implications for HR professionals and organizations alike. The court’s ruling that claims under BIPA accrue on each scan or collection allows individuals to be awarded per-scan damages if their biometric privacy rights have been violated. This means that organizations have to be more mindful of their biometric data collection practices, and HR departments must be aware of their responsibility for compliance with BIPA.
To understand why this is a momentous ruling, it is important to first understand what BIPA is and what it aims to protect. BIPA is the first of its kind in the United States, and it was enacted in 2008 with the goal of protecting the privacy of individuals’ biometric information. BIPA requires companies to obtain written permission from individuals before collecting any biometric data, and to inform them of how the data will be used and stored. Organizations are also required to comply with stringent security measures to protect biometric data from being accessed by unauthorized parties.
The Supreme Court ruling further strengthens the already existing protections provided by BIPA. Prior to this ruling, Illinois residents could only file a lawsuit against an organization if they had suffered a “concrete harm” due to a breach of their biometric data. Now, however, an individual can sue an organization for each time their biometric data is unlawfully collected and/or stored, regardless of whether they have suffered a “concrete harm” or not. This means that organizations can be held liable for thousands of dollars in damages if they are found to have violated BIPA.
At first glance, the ruling may seem daunting for HR professionals and organizations, but there are steps that can be taken to ensure compliance with BIPA and avoid facing costly legal action. The first and most important step is for organizations to obtain written permission from any individuals whose biometric information is being collected. This permission must include a clear explanation of how the biometric data will be used and stored, and how long it will be kept. Organizations must also ensure that the biometric data is stored in a secure manner, and that it is only accessible to those individuals who are authorized to access it.
Finally, organizations should also implement a compliance plan that outlines the steps they are taking to protect biometric data and ensure compliance with BIPA. This compliance plan should be regularly reviewed and updated, and HR professionals should be trained on the details of the plan and how to ensure compliance with BIPA.
The Supreme Court of Illinois’ ruling on BIPA is a landmark decision that has far-reaching implications for organizations and HR professionals alike. It is now more important than ever for organizations to be aware of their responsibility to protect biometric data, and to ensure that they are taking the necessary steps to comply with BIPA. By doing so, organizations can avoid facing costly legal action, and can protect the privacy rights of the individuals whose biometric data they are collecting.