You are the only person who has your exact handprint – the same goes for your fingerprints, the geometry of your face, your eyes and your voice.
This type of information – called biometric data – belongs only to you. That’s why many companies, like Suparossa Restaurant Group in Chicago, use biometric time clocks to track their employees.
“We could easily keep time, and we didn’t have to watch it because no one could time anyone going in or out,” said Ben Cirrincione, whose family owns Suparossa. “The clock did everything for you.”
Cirrincione has worked in his family business for 21 years. But over the past seven years, Cirrincione says it’s been an “uphill battle.”
In 2017, the company was the subject of a lawsuit filed by a former employee alleging that the company’s timekeeping method violated a controversial Illinois law.
The state’s Biometric Information Privacy Act, or BIPA, requires private companies to obtain written, informed consent from individuals before collecting their biometric data. It was adopted in 2008 to protect consumer privacy.
“If this information got into the wrong hands, there would be enormous concern about the potential for abuse,” Gregg Barbakoff, a Chicago attorney with Keogh Law, told NBC Chicago.
Barbakoff specializes in cases involving BIPA violations and has handled dozens to date.
“Before we start asking consumers to provide this type of sensitive information, they should at least know exactly what they are giving up, how this information is going to be retained and, most importantly, how it will be kept backed up and used,” said Barbakoff.
But some, like Cirrincione, fear the law goes too far. He said his company lost about $400,000 in settlements because it failed to obtain written, informed consent before collecting employee handprints.
“She was able to sue us and receive damages just for that simple fact – even though she couldn’t prove that she was harmed in any way, that her information was used for anything other than the timing,” Cirrincione said.
NBC 5 Responds reached out to the former employee who filed the complaint but did not receive a response.
His family business is not alone. According to Bloomberg Law, more than 400 lawsuits alleging BIPA violations have accumulated across the state over the past four and a half years, many of them employment-related.
Cirrincione says there’s a reason so many Illinois businesses are targeted by BIPA: Many didn’t even know about the law.
“The state has done a terrible job of informing businesses that they have to do this,” he said. “I don’t know if anyone really thought it was going to be this big at first.”
After the lawsuit filed seven years ago, Suparossa Restaurant Group stopped using handprints for timekeeping for a time.
Today, they are returning to biometric time clocks, using retinal scanners to track their employees. But this time, they first make sure to obtain written, informed consent.
“It was an expensive lesson,” Cirrincione said.
Here are the main BIPA requirements for private entities:[D(1]
- A private entity in possession of biometric information must develop a written, publicly available policy for retaining and destroying that information once its original purpose has been served.
- No private entity may acquire an individual’s biometric information without obtaining their written, informed consent.
- No private entity holding biometric information can profit from or disclose this information without consent.
On August 2, Illinois Governor JB Pritzker signed an amendment to the legislation aimed at reducing the amount of damages plaintiffs can seek for violations.
