The Alabama IVF court ruling and the move for a national abortion ban highlight the rising threat to reproductive freedom. Another battle over bodily autonomy is taking place in the corporate world. It revolves around the question of whether companies have the right to gather biometric information about employees or customers without their full consent.
Collection of fingerprints and voiceprints is not as oppressive as restricting the right to terminate a pregnancy, but it raises a legitimate privacy concern nonetheless. This is especially true as more companies embrace facial recognition, iris scanning and the like.
Disputes over biometric data collection frequently end up in court, where plaintiff lawyers bring class action claims and often win substantial settlements. For example, the Presence Health Network in Illinois just agreed to pay $2.6 million to settle litigation alleging that the privacy rights of employees were violated by requiring them to scan their fingerprints for timekeeping without first obtaining consent.
Violation Tracker documents 30 similar fully resolved lawsuits with total settlements of $1 billion. These cases are typically brought under the Illinois Biometric Information Privacy Act, a 2008 law that is the strictest in the nation. BIPA cases can be brought in state court in Illinois, but in certain circumstances they can be filed in federal court.
Some of the biggest settlements have come in federal cases. The largest of all is the $650 million payment by Facebook in 2021 to resolve claims that its collection of facial data from users violated BIPA. The following year TikTok paid out $92 million in a similar case.
The largest state court settlement was the $100 million paid by Google in connection with facial data collected by its photo service. In another state case, Six Flags agreed to pay $36 million to resolve claims it improperly collected fingerprint data from pass-holders.
Large employers which have entered into biometric settlements include Walmart, which paid $10 million to resolve claims it improperly collected worker handprints, and the Little Caesar pizza chain, which agreed to pay nearly $7 million to settle litigation alleging it violated BIPA by using a fingerprint-based timekeeping system without getting informed consent from employees.
BIPA lawsuits rarely go to trial. The risks for companies of refusing to settle are illustrated by a case brought against BNSF by a class of 44,000 truck drivers who claimed the railway company improperly collected their fingerprints. In 2022 a federal jury found in favor of the plaintiffs and awarded up to $228 million in damages. That award was thrown out for technical reasons, but the company recently agreed to settle the matter for $75 million.
Cases arising out of BIPA have prompted other states to consider adopting their own biometric privacy legislation, yet none have begun to match the Illinois law. Efforts in Congress to pass a national law have also made little progress.
For now, BIPA class actions are the main thing standing in the way of the corporate effort to turn us all into human bar codes.