Tuesday, November 20, 2018

Can Companies Legally Capture Your Biodata (Fingerprints, Iris Scan, Facial Image)?


Illinois has one of the strongest biodata laws in the U.S. An individual must consent to the collection of personal biodata (fingerprint, voice sample, retina scan, and more). Collection and storage of biodata without consent can result in criminal liability and civil damages ($1,000 fine for each negligent violation, or actual damages or a $5,000 fine for each reckless violation). The law is called the Illinois Biometric Information Privacy Act, or BIPA.
Biodata collection is common in workplaces: many employers use palm prints or fingerprints to clock employees in and out of work. If an employee consents, it’s not an issue. (A new employment trend is the collection of Fitbit data and similar data.)
The test case involves—of all places—an amusement park.
Six Flags required Stacy Rosenbach’s 16-year-old son to scan his thumbprint to access a season pass. She alleged she neither consented to nor received information about Six Flags' collection and storage of her son's data, and would never have purchased a pass if she had known the full extent of the company's conduct.
A main issue in the case, which is heading to the Illinois Supreme Court, is: What is injury under the law? Rosenbach argues that injury occurs when the fingerprinting occurs without consent.
Six Flags argues that there is no liability without proof of actual injury.
The one apparent fact they agree on is that consent was not given in this case.
The high court’s ruling could frame the privacy law so broadly that many casual interactions (getting cash from an ATM or scanning your eye for entry to a secured workplace, for example) will bog down with consent forms (many of which people just check off without reading), and create liability for companies.
Or the high court could frame the privacy law so narrowly that its intent to protect people from unknowing data collection is mostly lost. For example, an employee might consent to collection of Fitbit data (say, tracking of steps), but the data collection could go broader (heart rate data) without the employee knowing.
Whether you are an employer or employee, consumer, patient, or simply walking on a public street where a company might be collecting your facial image, the implications are significant.
