Biometric fingerprint scan

In January 2019, the Illinois Supreme Court upheld consumers' rights to sue companies for collecting their fingerprints without explicit consent. This precedent-setting case, Rosenbach v. Six Flags Entertainment Corp, was the first to extend the interpretation of the Illinois Biometric Information Privacy Act (BIPA), holding that individuals do not need to prove they were actually harmed by the misuse of their biometric information—only that their rights under the law were violated.

The Rosenbach interpretation of the Illinois BIPA gives individuals more agency to act if they suspect their personal information is being used without their consent. As a result, the Rosenbach decision may dramatically and fundamentally change the way that companies think about, use, and collect biometric data from both their customers and employees.


How Biometric Data Is Used

While it may sound like biometric data is something out of a sci-fi movie, it's actually quite common. An increasing number of employers are collecting and using employee fingerprints to allow access to the factory floor or enable them to clock in and out of shifts.

However, biometric identifiers don't afford the same practical features of "traditional" passwords. You can't "reset" your fingerprint or your facial features. Therefore, once this data is compromised, it's permanently breached. As a result, companies are facing increased scrutiny surrounding the collection and use of any biometric identifiers.

The 2008 Illinois BIPA regulates the collection, use, storage, and destruction of biometric identifiers from employees and customers alike.

It is estimated that violations of BIPA can cost companies between $1,000 and $5,000 per violation. This cost, if compounded by hundreds of individuals in a class-action suit, can quickly lead to millions of dollars in punitive damages. Coupled with the recent surge in BIPA-related lawsuits—such as the Six Flags case detailed above—the prospective financial penalties have created a growing need for organizations to better understand current and emerging privacy laws.

Regulations Emerging Across the U.S.

While BIPA is specific to Illinois, it is just the tip of the iceberg, representing a larger movement across the country to shore up privacy laws at the state level. For instance, Washington, California, and Texas have passed their own versions of BIPA, while Massachusetts, New York, Delaware, Alaska, and Michigan are all currently considering similar laws.

One of the most recent updates to state law, crafted in the spirit of BIPA, is the California Consumer Privacy Act (CCPA), which is expected to take effect on January 1, 2020. The CCPA provides residents of California with the right to know what personal data is being collected; whether their personal data is being disseminated or sold and, if so, to whom; and request that businesses delete any personal information they may have previously collected. It also provides protection to prevent consumers from being discriminated against if they opt out of having their data collected, used, or sold.

Since biometric regulation varies at the state level, it's imperative that companies understand the legal requirements of each state in which they do business—both in terms of the company's physical location and its virtual footprint (for example, it may have out-of-state customers or employees)—and recognize what it needs to do to comply with local laws. For example, BIPA regulates biometric data collection and use, whereas the CCPA applies to all data collection and use—regardless of the type.

What Should Businesses Be Doing?

In addition to understanding what local laws require, there are a few basic steps companies can take in order to comply with current and emerging laws. Namely, companies should work with legal counsel to update companywide disclosures and create a written consent model for obtaining explicit consent from both consumers and employees regarding all data collection and usage.

In addition, companies should annually review and update both applicable customer and employee privacy policies. For example, California has already tabled several components of its CCPA legislation for review in 2020 to update in 2021. Corporate privacy policies need to remain fluid to stay compliant with evolving legislation.

Regardless of where you do business, data-regulating laws are coming. By taking the right precautionary steps and staying informed, you can help protect your organization, no matter what.

 


Jennifer Gentry is senior vice president and employment practices liability product manager for Chubb North America.


 


From: BenefitsPro
