Biometric data, including fingerprints and facial scanning technology, can help companies improve security. A company may, for example, require an employee to go through a retina scan to enter a secure location. It may also require employees to identify themselves with a fingerprint scan on their smartphone before accessing confidential company information online. But where and how that biometric information is stored must be decided thoughtfully to avoid liability. States currently have a variety of laws regarding the capture and storage of biometric data.
Failure to comply can lead to liability, as a recent class action lawsuit against Amazon demonstrates. The complaint alleges Amazon stored employee biometric data without consent on a cloud server in violation of Illinois law.
Amazon offers companies the opportunity to store massive amounts of data on the cloud on a pay-as-you-go basis. This service is provided to a variety of industries and companies – including companies that store biometric data such as fingerprints. Amazon Web Services, the subsidiary that offers cloud storage services, generated over $7 billion in income for Amazon in 2018.
Companies that use biometric data benefit from storing complex data on a cloud server. But this lucrative source of revenue for Amazon is not without risk.
Illinois passed the unique Biometric Information Privacy Act (BIPA) into law in 2008. This expansive data protection law imposes certain requirements on companies that store biometric identifiers, defined as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”
Importantly, BIPA allows for a private right of action for violations. What's more, the Illinois Supreme Court recently held that there is no requirement to show actual harm in order to obtain that private right of action. In other words, a concrete violation of BIPA can lead to a class action lawsuit, like the one filed in Illinois state court on November 15, even if the affected employees cannot show a demonstrable harm.
While BIPA is uniquely expansive, other states also regulate biometric data. Compliance with this patchwork of regulations can be difficult. But failure to comply – certainly in Illinois under BIPA – may expose the company that stores that information to liability.
The case is Ragsdale v. Amazon Web Services, Inc.