In tanning salons, the use of automatic I.D. verification methods has been increasing and can significantly streamline processing of guest memberships. Long gone are the days of initialing an index card that goes into a file box. If you saw Tom Cruise in Minority Report, you’ll probably remember several scenes that depicted retinal scans as a means of identification. This concept may be in the future, but it also goes back in time. There is research to support a theory that the ancient Chinese used unique fingerprints on clay pots to identify individuals.
Many salons have already employed membership swipe-cards or key-fobs to simplify the check-in/customer I.D. process. A couple of months ago, a state court reached a $1.5 million settlement in a class action lawsuit against an Illinois tanning salon chain in a case that alleged violation of the Illinois Biometric Information Privacy Act (BIPA). The complaint alleged that salon members’ fingerprints were collected for verification during check-in without complying with BIPA’s notice and consent requirements.
So, what’s the big deal? Many businesses use bioscan programs for customer I.D. purposes. Apparently, under Illinois’ BIPA, entities cannot collect, capture, purchase, or otherwise obtain a person’s “biometrics without:
- Informing the subject in writing that a biometric identifier is being collected;
- Informing the subject in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored and used; and
- Receiving a written release executed by the subject.”
Although the salon chain operator presumably wanted to simplify the check-in process for guests and make it easier for them to use any of the company’s multiple Chicago-area facilities, the complaint alleged that they also disclosed the fingerprints to an out-of-state third party without obtaining member consent – which is a “no-no.” There also must be a provision that discloses guidelines for permanently destroying the fingerprints when the initial reason for collecting them is no longer relevant. In the case of this salon chain, that disclosure was not made.
What’s the take-away here? If you are contemplating the implementation of this form of customer I.D. verification in your salon, perform your due diligence and check your specific state rules prior to selecting a biometric provider. Then, cross-check state laws and regulations with the specific provider, and if you have questions, get the answers in writing.