In response to the global Covid-19 pandemic, employers and schools have turned to remote work and e-learning solutions, including meetings and classes held via Zoom, Google Hangouts, and Google’s “G Suite for Education,” among other applications.
Some employers are looking to facial recognition as a contactless alternative to timekeeping or building security. All thesee changes have significant implications under the Illinois Biometric Information Privacy Act, or BIPA.
BIPA provides that no private entity may collect, store, or use biometric identifiers or information without providing prior notice to and obtaining a written release or consent from the subject. BIPA penalties are hefty: $1,000 for each negligent violation or $5,000 for each intentional or reckless violation, plus attorneys’ fees and costs. As several violations of the statute per employee are possible, potential damages in BIPA cases are substantial.
While many BIPA cases tend to deal with employer-employee relationships, BIPA also applies to any private entity that collects and stores biometric identifiers or information.
As a prime example of the intersection of Covid-19 and BIPA, two students, through their father, sued Google in the Northern District of California alleging violations of BIPA and the Children’s Online Privacy Protection Act (COPPA), which was enacted to protect the privacy of children under the age of 13 by requesting parental consent for the collection or use of any personal information of the users. H.K. et al. v. Google LLC (April 2, 2020).
The plaintiffs allege that Google violated BIPA and COPPA by “collecting, storing, and using the personally identifying biometric data of millions of school children throughout the country (including thousands in Illinois), most of whom are under the age of 13, without seeking, much less obtaining the requisite informed written consent from any of their parents or other legal guardians.”
Specifically, plaintiffs claim that “Google has infiltrated the primary and secondary school system in this country by providing access to its ‘ChromeBook’ laptops, which come pre-installed with its ‘G Suite for Education’ platform.” The plaintiffs assert that, when they—as well as other children throughout the nation—“use Google’s ‘G Suite for Education’ platform on [Google’s] ChromeBook laptops at school, Google creates, collects, stores and uses their ‘face templates’ (or ‘scans of face geometry’) and ‘voiceprints’ —highly sensitive and immutable biometric data—as well as various other forms of personally identifying information pertaining to these children.”
Although the lawsuit does not specifically equate the recent influx of remote learning and increased use of Google’s G Suite for Education to Covid-19, it is undeniable that the use of remote learning features has increased in the wake of the pandemic. According to Cnet.com, downloads of Google Classroom have increased to 50 million over the past few weeks.
This filing in California also highlights the extraterritorial impact of BIPA despite the fact that it is an Illinois statute. Facebook was on the forefront of extraterritorial BIPA litigation when the Ninth Circuit affirmed class certification standing last year in a BIPA suit brought against them in California. The social media giant eventually settled the case for a whopping $550 million.
On the employment side, in an effort to protect their employees from surface contact during the Covid-19 pandemic, some employers are replacing timeclocks that require physical contact with technology that uses touchless facial recognition or retina scans to clock in and out of work. Similar technology is being employed to permit employees to enter company facilities.
Interestingly, as the use of face masks is becoming more prevalent and mandatory in many areas, manufacturers of such technology are adapting facial recognition software to identify the user while he or she is wearing a mask. Some employers have also distributed readily available “plug and play” finger readers to employees to ensure that while working remotely, the employee is the only person who can access a company laptop.
Prior to taking any such action, employers should ensure they are in compliance with BIPA to avoid the sizable potential statutory damages that BIPA provides.
Awareness of the requirements of BIPA is critical for any company with operations in or with a connection to Illinois, particularly as the need for remote work and e-learning persists and employers and schools are presented with unprecedented challenges amidst the continually developing Covid-19 crisis.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Kenneth D. Walsh is an associate in the Chicago office of Lewis Brisbois and a member of the Labor & Employment Practice. He represents employers in a wide array of labor and employment matters, including wage and hour claims, employment discrimination claims, and claims arising under BIPA.
Mary Smigielski is a partner in the Chicago office of Lewis Brisbois, a member of the Labor & Employment Practice, and co-chair of the firm’s Illinois Biometric Information Privacy Act (BIPA) practice group. She has been on the cutting-edge of the defense of class action litigation brought against employers and others under BIPA, working closely with national insurance carriers and private clients for defense, compliance, and mitigation of risk related to the privacy law.