The Illinois privacy law covering "biometric" information has been a subject of intense litigation between employees and employers for several years. A pending case may offer some guidance to employers on how their compliance and consent plans should be structured.
At issue is a fingerprint scan system, commonly used by employers for either timekeeping or workplace access. One issue currently before the court is whether the employer violated an employee's privacy rights by not getting her consent every time she scanned (rather than only getting it before her first scan).
Why It Matters
Any employer with a fingerprint or retinal scan system is likely to view a "consent every time" requirement as extremely burdensome for a technology that is supposed to make certain administrative procedures more routine and efficient. Although any ruling on the issue will affect only employers with employees in Illinois, the precedent of "consent every time" would be a troublesome one in the privacy setting; after all, most websites do not operate that way. (Think of the cookie banners that let you accept or reject cookies, which banners you never see after your first visit to a site.) In addition, many states now have privacy laws on the books, and more are expected. If one state adopts a "consent every time" model regarding either employee data or biometric data, other states may reasonably be expected to copycat that standard. For employers especially, this could mean big compliance hurdles in certain states as they roll out employee authentication systems.