You are the only person with your exact handprint – the same goes for your fingerprints, facial geometry, eyes and voice.
This type of information – known as biometric data – is uniquely yours. That’s why many businesses, like Suparossa Restaurant Group in Chicago, use biometric time clocks to keep track of their employees.
“We could easily keep time, and we didn’t have to monitor it because nobody could clock anybody in or out,” said Ben Cirrincione, whose family owns Suparossa. “The clock did it all for you.”
Cirrincione has worked at his family business for 21 years. But for the past seven years, Cirrincione says it’s been an “uphill battle."
In 2017, the company was hit with a lawsuit from a former employee alleging that the company’s timekeeping method violated a controversial Illinois law.
The state’s Biometric Information Privacy Act, or BIPA, requires private companies to obtain informed written consent from individuals before collecting their biometric data. It was enacted in 2008 to protect consumer privacy.
“If this information were to fall into the wrong hands, there is a huge concern about the potential for abuse,” Gregg Barbakoff, a Chicago attorney with Keogh Law told NBC Chicago.
Local
Barbakoff specializes in cases involving BIPA violations, and has handled dozens of them thus far.
“Before we start asking consumers to hand over this type of sensitive information, they should at the very least know exactly what it is they're giving up, how that information is going to be retained, and most importantly, how it's going to be safeguarded and used,” Barbakoff said.
Feeling out of the loop? We'll catch you up on the Chicago news you need to know. Sign up for the weekly Chicago Catch-Up newsletter.
But some, like Cirrincione, are concerned that the law is going too far. He said his business lost around $400,000 in settlements because it didn’t obtain informed written consent before collecting employees’ handprints.
“She was able to sue us and receive damages just for that mere fact – even though she could not prove that she was hurt in any way, that her information was being used for anything except timekeeping,” Cirrincione said.
NBC 5 Responds reached out to the former employee who filed the lawsuit but did not receive a response.
His family business hasn’t been alone. According to Bloomberg Law, over 400 lawsuits alleging BIPA violations have piled up across the state over the past four-and-a-half years, with many of them employment-related.
Cirrincione says there’s a reason so many Illinois companies are being targeted by BIPA – many didn’t even know about the law.
“The state did a terrible job of informing businesses that they had to do this,” he said. “I don’t know if anybody really thought that it was going to be this massive in the beginning.”
After the lawsuit seven years ago, Suparossa Restaurant Group stopped using handprints for timekeeping for a while.
Now, they’re back to biometric time clocks, using retinal scans to track their employees. But this time, they’re making sure to obtain informed written consent first.
“It was an expensive lesson,” Cirrincione said.
Here are BIPA’s primary requirements for private entities:[D(1]
- A private entity in possession of biometric information must develop a written, publicly accessible policy for retaining and destroying that information after its initial purpose has been satisfied.
- No private entity may acquire a person’s biometric information unless it obtains informed written consent.
- No private entity in possession of biometric information may profit from that information or disclose that information without consent.
On Aug. 2 Illinois Governor JB Pritzker signed an amendment to the legislation to curb the amounts of damages plaintiffs can claim for violations.