A US citizen named Paul Sayas wants to initiate a class-action lawsuit against “Biometric Impressions”, a fingerprint database and biometrics checking service provider. The plaintiff has submitted his lawsuit in the Circuit Court of Cook County, Illinois, and calls for other people who have had their biometric data collected and unlawfully shared by the accused company to support him and join the fight. Mr. Sayas claims that Biometric Impressions has stored his fingerprints without asking for his consent, and then shared it with an unknown number of other entities through their service.
According to the Illinois Biometric Information Privacy Act (BIPA), Biometric Impressions should have given the man a written notification of the fact that they have collected his fingerprint, which they didn’t. Thus, the court will now have to decide whether or not this constitutes a direct violation of BIPA, and how many people have been similarly affected by this practice. Sayas alleges that he has knowledge of numerous other individuals who fell victim to the company’s practices, and that is why he calls for a class action.
Moreover, the BIPA law obliges the firms that are engaged in this field to irreversibly delete/destroy any biometric data after three years from the date of their collection. Sayas states that “Biometric Impressions” has never published data retention and destruction policy, none was made available to him, and there just seems to be no policy of this kind in place. Thus, it is very possible that the company is keeping the biometric data for longer than three years, which constitutes another point of violation of BIPA. Thus, the company is directly accused of negligence and recklessness.
While this is an interesting case that involves privacy protection laws and how biometric data collection firms operate in their context, it is not the only one. Last week, Bed Bath & Beyond was hit by another class-action lawsuit submitted by the company’s own warehouse employees, who accuse the firm of collecting and storing their fingerprints without asking for their consent. Again, the law that underpins this violation is BIPA, as the court that is called to review the case in the U.S. District Court for the Northern District of Illinois. The outcome of these cases will define how firms will manage the data they collect from now on. Sometimes, data collectors need to get punished in order to act lawfully and with the responsibility that corresponds to the sensitivity of biometrics in general.