The Illinois Supreme Court recently rendered an opinion that could ultimately affect the entire security industry. The case involved the Illinois Biometric Information Privacy Act (BIPA).

The plaintiff in the action claimed that its employer violated the BIPA as it collected biometric information without prior informed consent.

The court referred to a decision by the United States Court of Appeals for the Seventh Circuit, which certified the following question of law to the court: Do Section 15(b) and 15(d) claims accrue each time a private entity scans a person’s biometric identifier and each time a private entity transmits such a scan to a third party, respectively, or only upon the first scan and first transmission?

Section 15(b) of the BIPA provides, “No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person’s or a customer’s biometric identifier or biometric information, unless it first;

Informs the subject or the subject’s legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored;

Informs the subject or the subject’s legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and

Receives a written release executed by the subjects of the biometric identifier or biometric information or the subject’s legally authorized representative.”

Section 15(d) of the Act provides, in relevant part, that, “No private entity in possession of a biometric identifier or biometric information may disclose, redisclose, or otherwise disseminate a person’s or a customer’s biometric identifier or biometric information unless the subject of the biometric identifier or biometric information or the subject’s legally authorized representative consents to the disclosure or redisclosure.”

The plaintiff was a manager of a restaurant in Illinois. Shortly after her employment began the restaurant introduced a system that required its employees to scan their fingerprints to access their pay stubs and computers. A third-party vendor then verified each scan and authorized the employee’s access.

The plaintiff alleged that the restaurant implemented the biometric-collection system without obtaining her consent in violation of the act.

The court agreed with the plaintiff that the plain language of the statute supports her interpretation. “Collect” means to “receive, gather, or exact from a number of persons or other sources.” “Capture” means “to take, seize, or catch.”

The court indicated that the act operates to codify an individual’s right to privacy in and control over their biometric identifiers and information. In citing a previous case, the court indicated that a person is “aggrieved” or injured under the act “when a private entity fails to comply with one of Section 15’s requirements.”

Again focusing on the previous case, the court determined that “when a private entity fails to comply with one of Section 15’s requirements, that violation constitutes an invasion, impairment, or denial of the statutory rights of any person or customer whose biometric identifier or biometric information is subject to the breach.”

The act provides for statutory damages of $1,000 or $5,000 for each violation of the statute.

The court pointed out that they were not being asked to render a decision on the damages in the case, rather they were being asked to determine the legislative intent by considering the consequences of construing the statute. The majority of the court then went on to conclude that the plain language of Section 15(b) and 15(d) shows that a claim accrues under the act with every scan or transmission of biometric identifiers or biometric information without prior informed consent.

The court did clarify that “the active verbs used in Section 15(b), collect, capture, purchase, receive and obtain — all means to control.” So if companies do not gain control, they should not be liable under this decision.

Although the decision was in the state of Illinois, it should be considered by any company requiring and disseminating biometric information. Many jurisdictions throughout the country are considering privacy legislation as well as restrictions on the use of biometrics. It could create catastrophic exposure to any company.