A former Illinois employee from Lurie Children’s Hospital recently filed a biometric privacy claim against ID.me Inc., the hospital’s identity verification vendor. The suit claimed it stored her and other Illinois users’ facial data twice as long as it was allowed to, before the vendor changed its policies in 2021.

Case background

When the plaintiff created an account with ID.me, the vendor had policies allowing it to store its users’ biometric data for up to 7.5 years after they close their account with the company. This policy violates the Illinois Biometric Information Privacy Act, which limits data retention for up to three years after the individual last interacted with the company.

ID.me denies the allegations, and says they make data privacy, security and control a “top priority.” Currently, their privacy policy says ID.me “will retain an individual's biometric information according to requirements laid out by its third-party partners.” No biometric information, however, will be retained for longer than three years without a warrant, subpoena or other legally authoritative document to justify it.

The plaintiff claims that when she created her account in January 2020, a requirement for employment, the policy allowed the company to retain biometric information for up to 7.5 years. The policy changed on March 24, 2021, which the plaintiff claims “implicitly admits” that the previous policy was not in compliance with Illinois law.

The plaintiff has requested she and the proposed class receive damages of $1,000 for every negligent violation and $5,000 for every willful violation, plus interest, court costs and other fees.

When your employer or a third party vendor violates local, federal or state law, or is otherwise guilty of misconduct or fraud, a whistleblower suit can hold them accountable. A knowledgeable whistleblower attorney at Kardell Law Group can help: call today to discuss your potential claim.