Biometrics Invasion of Privacy

The Lyon Firm is actively reviewing Biometrics Data Privacy Class Action Lawsuits on behalf of employees nationwide
Nationwide Success

Personal Data Privacy Attorney

INVESTIGATING Workplace Biometrics Invasion of Privacy Claims

With more and more companies using biometric identifiers at the workplace—fingerprint time clocks, facial recognition technology, and iris scans—privacy rights advocates have been quick to question the legality of some employer biometrics data collection methods. While new technology may create a more efficient workplace, data privacy risks must be addressed to protect individuals from potential biometric data misuse, data theft and identity theft incidents.

There are a small number of states that already have biometrics invasion of privacy laws on the books, but a universal biometric data privacy law has thus far eluded federal lawmakers. Many companies have created their own privacy and security standards that have failed to fully protect individuals, but there are legal protections for American workers. The existing biometrics privacy laws include the following protections for consumers and employees:

  • Companies must notify employees or clients if they are collecting biometric data. Consent is required for both employees and customers.
  • Companies must outline an established data collection policy that describes the method of collection, storage or dissemination (sale) of biometric information.
  • Companies have a duty to properly protect sensitive personal biometric data, and create a strong security framework to combat the likelihood of data breach attempts and other cyberattacks.

Do You have a Biometrics Privacy Case?

To be clear, businesses aren’t prohibited from collecting the biometric data of their employees or clients, but they are required to disclose that they collect this data and must make their data collection policies public. Businesses, however, are prohibited from selling your biometric data information without your consent, and must create security systems to keep it secure.

The Lyon Firm is reviewing the following types of cases:

  • Employer Invasion of Privacy: Investigating Biometrics Privacy Violations on behalf of employees nationwide.
  • Collecting Data without Consent: Employers have been collecting and storing Biometric Data at the workplace. This may be violating individuals’ privacy rights.
  • Biometrics Data Theft: Class Action Biometrics Invasion of Privacy Lawsuits have been filed against employers following biometric data theft incidents.

Plaintiffs should know that an organization does not need to be located in a specific state to be subject to that state’s data privacy laws.

You are encouraged to gather evidence of potential privacy violations, and seek legal counsel if you feel your personal data has been compromised. Each case may be unique, and could also be different state by state. In New York, for example, employers may not require employees to provide their fingerprints as a condition of employment, but rather, the employee must consent voluntarily.

Other states have similar protections. A court sided with a Pittsburgh employee after he was illegally fired for refusing to use the employer’s biometric hand scanner to clock in and out. He was awarded over $500,000 in damages.

  • If you feel like your personal data has been collected without your consent, you may have a case.
  • If you think your personal data has been stored improperly and leaked to any unauthorized individuals, you may be able to seek legal action.
  • If your employer has forced you to use biometric data technology against your will, call The Lyon Firm to discuss your case.

Why Do Employers Use Biometric Data?

Employers have flocked to biometric fingerprint time clocks in large numbers in order to run a more efficient business and save money from potential wage theft. But they risk compliance issues if they fail to get proper consent from employees or fail to safeguard the biometrics they collect and store.

One recent poll found 62 percent of companies are currently using biometric authentication, and another 24 percent are planning to use it in the future. American employers utilize employees’ biometric information to monitor working hours, restrict access to secure areas, provide fast system login, or monitor productivity.

The tech industry is moving faster than legislation can be written, but even if specific laws are lacking, companies may still be held liable if they fail to create or follow basic data privacy policies and procedures, and implement related security measures.

An employer should clarify the following in their personal data biometrics privacy policy:

  • The kinds of personal information collected and stored
  • The methods of how personal information is collected and stored
  • The purposes for which personal data is collected and used
  • How an employee may access their own personal data
  • How an individual may file a complaint if the employer breaches their privacy policy or privacy law

Timekeeping Biometric Privacy

When employers use fingerprints and retina scans for security or timekeeping, they must be careful to play by the rules. The Illinois Biometric Information Privacy Act (BIPA) keeps employers who use biometric information (palm readers and fingerprint timekeeping software) in line.

In one case, GFL Environmental Services USA, a waste management company, agreed to settle a class action lawsuit filed by employees alleging a biometric privacy violation.

The settlement provided $200,000, and each class member is to receive approximately $1,500. The lawsuit was filed in April 2021 by an employee who alleged the company obtained his palm print for timekeeping, and failed to obtain his consent.

Other companies have been sued for a failure to follow BIPA requirements when collecting timekeeping biometric information.

Other states have implemented biometric privacy laws or are proposing similar bills to protect the privacy of employees.

Data Privacy Risks: Consequences of Biometrics Invasion of Privacy

Beyond the basic idea of living a private life, and keeping certain information to oneself, there are risks associated with having collected data stored on network cloud computing systems. There is always the risk of data breaches or hacks leaking sensitive information to various dark webs or forums, with the potential for fraud or identity theft. Identity theft is a major concern, and if a cybercriminal obtains fingerprints, retina, facial, or voice data, they may pose a serious security threat. You can always change bank account numbers, but you can never change your biometrics.

Some personal information could also be abused by public or private entities for financial gain. Unethical marketers and advertisers also seek personal data to better target consumers.

Types of Biometric Personal Data

Most biometric identifiers used by employers are unique physical characteristics, such as:

  • Fingerprints: Fingerprint scanners have become the most common biometric tools, used by over 50 percent of American companies.
  • Photo and video: Cameras may be used for facial recognition and retinal scans. Some other image-based authentication technology includes hand geometry recognition.
  • Voice Recognition & Signature Scanners: Audio technology has improved in recent years with voice recognition, and digital signature scanners may also be used to authenticate an individual.
  • DNA scans: DNA scans are very seldom used at the moment, but scanning technology may improve in the future and help bring the cost down for more widespread, commercial use.

Why Hire The Lyon Firm?

Contact Joe Lyon to learn more about your privacy rights, and to file a claim following data privacy violations. The Lyon Firm works diligently to identify workplace data privacy violations, and represent plaintiffs in class action biometrics invasion of privacy cases. Joe Lyon works with leading law firms across the country, and engages multi-national corporations in various negligent security cases.

Victims of privacy violations may face a serious risk of identity theft, and may seek compensation from employers or companies who violate their privacy rights. Data Privacy cases often involve hundreds or thousands of individuals and plaintiffs can be rewarded with large settlements.

The Lyon Firm is currently involved in Class Action Data Breach & Data Privacy litigation and offers free, confidential consultations to plaintiffs nationwide. Contact us for an invasion of privacy or data theft case review.

Reviewing Workplace Data Privacy Violations

Why are Data Privacy Cases important?

Without personal data privacy violation class actions, large corporate defendants would be able to cause small amounts of harm over a large group of individuals without any risk of monetary penalty. By holding companies accountable for safely storing your personal information, every consumer will have more control over how their data is used in the future. 


FAQ: Biometrics Data Privacy Lawsuits

What is a Biometric Identifier?

A recent privacy bill in Maryland proposes that a biometric identifier is defined as “data of an individual generated by automated measurements of an individual’s biological characteristics.” This could include fingerprints, voiceprints, DNA, retina or iris image, or any other unique biological characteristic used to uniquely authenticate an individual’s identity.

Who is liable for data privacy violations?

Under current privacy law, the firm or organization that is storing user data is responsible for data breaches and will pay any fines or damages that result from legal action. The actual data holder—an organization that provides cloud storage—is not usually legally implicated or held responsible in litigation.

Are Workplace Fingerprint scans an Invasion of privacy?

Biometric systems for clocking in with fingerprints and facial or retinal scans may be legal, but companies are limited in how they can collect and store this kind of data. Businesses need to understand and adhere to privacy laws and establish biometrics privacy policies.

What are some examples of data privacy lawsuits?

The majority of BIPA lawsuits are filed against employers who utilize biometric timekeeping systems with fingerprint or facial recognition scans, and collect the employee biometric data.

Motorola, Clearview AI and Vigilant are facing legal action for allegedly collecting mugshots that were used by law enforcement. Microsoft, Amazon, Alphabet, and FaceFirst Inc. are alleged to have violated privacy laws by collecting photos for facial recognition data from the website, Flickr.

A proposed class action alleges Ring, LLC has failed to protect the privacy of its motion-activated cameras and the personal information of its customers. The complaint alleges Ring’s devices are rife with security vulnerabilities, which may compromise the personal data of existing and future customers.

Cyber criminals may have the potential to hack into Ring devices and home networks. The lawsuit also brings to light the fact that Ring has shared users’ personal identifying information with third parties without first obtaining consent. The complaint says the devices are not well-equipped to deal with potential hacks.

Plaintiffs in the case want Ring to take additional security measures to protect the privacy of user accounts and installed devices, as well as stop sharing personal data without clear and informed consent.

Reports have surfaced that several user accounts and devices were hacked, and plaintiffs argue the company was late in addressing security issues.

Beyond the security issues, Ring permits third parties to track users, raising eyebrows from consumer safety and data privacy advocates.

Octapharma agreed to pay $10 Million to settle a class action lawsuit regarding fingerprint scans of plasma donors, which violated the Illinois biometric privacy law.

Are there biometrics invasion of privacy laws?

Yes, there are laws that protect consumers and employees from blatant cases of data theft, data breach, and data misuse. If any company has collected data without consent, they may be in violation of the law, and a lawsuit may be filed.

Biometric privacy laws and regulations are created so companies and organizations are aware of how they should handle and safeguard personal data. Laws detail the specifics of data collection, retention, and destruction of the data in question.

In 2008, Illinois was the first state to pass a law regulating the collection and subsequent use of biometric personal data. Because the Illinois Biometric Information Privacy Act (BIPA) allows for a private right of action, it has been crucial for past data privacy cases.

Is my genetic information protected?

The GIPA (Genetic Information Nondiscrimination Act) is a statute that expands on privacy laws, originally drafted under the Health Insurance Portability and Accountability Act (HIPAA). This act is largely concerned with the privacy of Americans’ genetic information. GIPA includes requirements applicable to genetic testing companies, health care providers, business associates, insurers, and employers.

  • Under GIPA, genetic testing and personal information derived from genetic testing is confidential and may only be released to the individual tested or other persons specifically authorized to receive the information.
  • An insurer may not seek genetic testing information for use in connection with an insurance. Insurers may not use or disclose genetic information for underwriting purposes, determining eligibility for benefits under a plan, coverage, or policy.
  • Companies providing commercial genetic testing are prohibited from sharing any genetic information or other personal information about a consumer with any health or life insurance company.
  • Employers must treat DNA and other genetic information consistent with the requirements of federal law, and in accordance with the GIPA.
  • Employers may not require or purchase genetic testing or genetic information, or administer a genetic test to a person as a condition of employment.
  • Employers cannot use genetic information or genetic testing for workplace wellness programs unless the employee provides written authorization in accordance with the GIPA.

Which states have biometric privacy laws?

Only a few states currently have biometric data privacy laws, though some pending bills are making their way for approval. Illinois, Texas, and Washington currently have biometric privacy laws, with many lawsuits being filed citing violations described in the Illinois statute.

Another biometric privacy bill has been introduced by South Carolina, called the Biometric Data Privacy Act (BDPA). The BDPA incorporates existing biometric privacy statutes along with a broader range of protections. Violations may result in individuals being able to recover $1,000 in statutory damages per negligent violation and $10,000 per intentional or willful violation. The BDPA requires companies to adhere to the following:

  • Notice must be provided to consumers regarding the use of biometric data at or before the time any biometric data is collected.
  • Written consent must be obtained from consumers before any biometric data is collected.
  • Reasonable data security measures must be maintained to protect consumers and employees.

The National Biometric Information Privacy Act of (NBIPA) has been pending in the U.S. Senate since August 2020. NBIPA requires informed written consent prior to collecting or capturing biometrics, and also imposes retention, disclosure, and destruction requirements. NBIPA also provides a private right of action for violations, with statutory damages of $1,000 or $5,000.

What is BIPA?

Lawmakers established the Illinois Biometric Information Privacy Act (BIPA) in 2008 in response to growing concern over biometric data misuse. The Act seeks to help regulate the “collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.”

According to the BIPA, biometric identifiers may include:

  • Retina or iris scan
  • Fingerprint
  • Voiceprint
  • Scan of hand
  • Face geometry

The BIPA addresses the retention, collection, disclosure, and destruction of personal biometric data. Private entities collecting biometric data must inform subjects of the data collection and provide the specific purpose and the length of the collection term. The subject must provide a written release.

Under the BIPA, any person harmed by a privacy violation has a right of legal action. Plaintiffs may recover damages of $1,000, and for intentional or reckless violations, up to $5,000 in liquidated damages or actual damages, whichever is greater.

Is invasion of privacy a crime?

Privacy law, particularly in the context of biometric invasion of privacy, can be complex, and may require a full review of a company’s privacy policy to determine if they violated any existing statute. Call The Lyon Firm to assist you on your road to justice and rightful compensation.

What is the legal definition of invasion of privacy?

An invasion of privacy is the unjustifiable intrusion into the personal life of another without proper consent. This is a broad definition that includes a variety of privacy matters, including:

Is facial recognition technology legal?

Yes, but consent is required to use a person’s biometrics. 

Meta Platforms, the parent company of Facebook, said it was ending the facial recognition system it used to identify people in posted images. The company is trying to limit a public relations crisis on several fronts, and facial recognition has become an increasingly toxic concept.

Meta’s facial recognition tech decision follows Microsoft Corp. and Inc., both of whom restricted the use of their facial recognition by law enforcement agencies. Several municipalities in the U.S. have passed legislation limiting use of facial recognition technology, and privacy attorneys are calling for further restrictions on the technology, which can easily be abused by private companies.

Last year, Facebook paid $650 million to users whose biometric information had allegedly been compiled without proper consent.

Meta said it is deleting its database of facial profiles but kept its underlying facial recognition algorithm.

What is a voiceprint?

A voiceprint is a unique biometric identifier. Voice recognition technology can identify specific individuals when a voice sample is saved by a company for various reasons. 

Walmart is facing an Illinois biometrics privacy law class action in which the retailer is accused of improperly recording and tracking the “voiceprints” of workers at warehouses.

Walmart, and other large retailers, use voiceprints and voice technology in their fulfillment and distribution centers. Voiceprints, however, are considered biometrics, and subject to the Illinois Biometric Information Privacy Act (BIPA). The collection and storage of voiceprints is the primary issue, and plaintiffs say these ought to be destroyed.

Walmart allegedly violated the BIPA law by failing to obtain written authorization from workers before requiring them to scan their voiceprints.

The lawsuit argues Walmart did not provide necessary notices to workers, such as how the company would use the voice records, or how they would be saved, shared, or ultimately deleted from company systems.

What are some recent settlements?

Illinois residents who appeared in a photograph on the Google Photos app in the last seven years may be eligible for a payment, part of a $100 million class-action privacy settlement.

The privacy lawsuit alleges Google’s face grouping tool, which sorts faces in the app, violates biometric privacy law. The Illinois law requires companies to get user consent.

Illinois residents who appeared in a photograph in Google Photos between May 1, 2015, and the date of the settlement are eligible for payment of between $200 and $400.

The Illinois Biometric Information Privacy Act is among the strictest biometric laws in the U.S. In 2021, Facebook received approval for a landmark $650 million class-action settlement in an Illinois biometric privacy case over its facial tagging feature.

Your Right to Justice
Learn About Class Action Litigation

Filing Class Action lawsuits is a complex and serious legal course and can carry monetary sanctions if proper legal course is not followed. The Lyon Firm is dedicated to helping injured plaintiffs work toward a financial solution that compensates for privacy violations or other damages sustained.

We work with law firms across the country to provide the most resources possible and to build your data privacy case into a valuable settlement. The current legal environment is favorable for workers and consumers involved in data privacy class actions.