Illinois’s Biometric Law Damages Are Ballooning: How Do Employers Become and Stay Compliant?

27 March 2023 Labor & Employment Law Perspectives Blog
Author(s): Patrick J. McMahon

Among the more significant Illinois legal developments in the past month were two Illinois Supreme Court orders interpreting the state’s onerous Biometric Information Protection Act (BIPA). We recently examined how these rulings: (1) expanded the applicable statute of limitations to five years from the first violation; and (2) interpreted BIPA violations to “accrue” not only in the first instance, but also in every subsequent instance where biometric information is collected.

With potential liability now reaching the billions of dollars, how can employers minimize their risk and comply with BIPA’s exacting requirements?

Despite the daunting liability figures, compliance with BIPA does not need to be an insurmountable task. BIPA’s requirements are described in Sections 15(a)-(e) in some detail, but can generally be broken down into the following obligations:

  • Employers must maintain a written, publicly available policy addressing how the organization uses biometrics, including specific details about collection, retention, and destruction;
  • Employers must obtain written consent before collection of biometrics with an executed release from any individuals that will be providing their biometrics, including the purpose and time period the biometric will be retained;
  • Employers cannot profit from the use of individuals’ biometric information;
  • Absent informed consent, employers cannot disclose third parties’ biometrics without written consent; and
  • Employers must store, transmit, and protect all biometrics in a manner commensurate with the sensitive and confidential nature of biometric information.

Broken down into these pieces, creating a policy that fits your organization is far more manageable. Specificity should be included for particular uses, which requires a thorough understanding of how your biometric system works. For example, does the system store any biometric information locally? Does the system transmit biometrics to third parties, like vendors who supply or maintain the system? Does the system delete biometrics automatically after a certain period? These and several other questions are important to consider when drafting BIPA-compliant policies.

Of course, not all employers use biometric systems in their organizations. However, if an employer operates in Illinois and there is a chance the organization may adopt biometric technology in the future, we still recommend implementing a generic biometric policy to cover this possibility. All too often, one part of the organization may not be looped in when another division decides a biometric system would be useful. Though a generic policy will need to be further tailored once a system is chosen, a generic policy at least provides a backstop in the event biometric use slips in under the radar.

If your business or organization operates in Illinois but does not currently have a biometric data collection and use policy in place, think about developing one, in consultation with experienced counsel.

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and/or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect, special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites.
In some jurisdictions, the contents of this blog may be considered Attorney Advertising. If applicable, please note that prior results do not guarantee a similar outcome. Photographs are for dramatization purposes only and may include models. Likenesses do not necessarily imply current client, partnership or employee status.