Businesses and organizations operating in Illinois – including any business with an online presence accessible to residents of Illinois – should remain vigilant about the ever-changing set of pitfalls stemming from the Illinois Biometric Information Privacy Act (BIPA). As a reminder, BIPA regulates how private entities collect, handle, and use biometric data, and provides a private right of action to any person aggrieved by a violation of the statute.
Those who fail to plan properly may sleepwalk into potentially harsh penalties for technical violations of the statute. Moreover, a series of recent court decisions is only increasing the risks created by the statute. In the latest development, one Illinois court handed down a ruling that effectively creates strict liability (meaning that the company’s intentions aren’t taken into account in determining whether or not the law was violated) for organizations collecting biometric information without having a publicly available written policy in place at the time of the initial collection.
In that case, Mora v. J&M Plating, Inc., the Illinois appellate court determined that as soon as a private entity begins possessing biometric data, BIPA Section 15(a) kicks in, which effectively obligates the entity to have already developed and published a written policy for the handling of biometric information before the organization ever handles the biometric information in the first place.
Such a policy must include a data-retention schedule and guidelines for how and when the biometric data is destroyed. This obligation to develop and publicize a policy, the court emphasized, layers on top of BIPA Section 15(b)’s requirement that the entity obtain informed written consent from those whose biometric information it seeks to gather and possess.
In other words: if an entity has no retention-and-destruction policy in place before it first collects biometric information, the entity opens itself up to potentially significant liability under BIPA’s uncapped statutory damages provision, which provides for $1,000 per negligent violation and $5,000 per intentional or reckless violation.
The risk may be even more significant if the entity begins collecting biometric information without the individual’s informed written consent. Taking a generous reading of the opinion, the court’s holding would leave organizations with no way to mitigate this liability by adopting a written policy at a later date. Either an organization has a policy at the time of the initial collection or it does not, and if it does not, there is no escaping liability under Section 15(a).
In light of the Mora opinion, businesses and organizations with even the remote possibility of collecting biometric information as part of their operations in Illinois should draft and implement a policy – even if such a policy does not currently seem necessary. If your business or organization operates in Illinois but does not currently have a biometric data retention-and-destruction policy in place, think about developing one, in consultation with counsel.