Considering Using Biometric Information? Adopt a Biometric Policy Now

12 December 2022 Labor & Employment Law Perspectives Blog
Author(s): Mike H. Holland Patrick J. McMahon

Businesses and organizations operating in Illinois – including any business with an online presence accessible to residents of Illinois – should remain vigilant of the ever-changing set of pitfalls stemming from the Illinois Biometric Information Privacy Act (BIPA). As a reminder, BIPA regulates how private entities collect, handle, and use biometric data, and provides a private right of action to any person aggrieved by a violation of the statute.

Those who fail to properly plan, they may sleepwalk into potentially harsh penalties for technical violations of the statute. Moreover, a series of recent court decisions are only increasing the risks created by the statute. In the latest development, one Illinois court handed down a ruling that effectively creates strict liability (meaning that the company’s intentions aren’t taken into account in determining whether or not the law was violated) for organizations collecting biometric information without having a publicly available written policy in place at the time of the initial collection.

In that case, Mora v. J&M Plating, Inc., the Illinois appellate court determined that as soon as a private entity begins possessing biometric data, BIPA Section 15(a) kicks in, which effectively obligates the entity to have already developed and published a written policy for the handling of biometric information before the organization ever handles the biometric information in the first place. 

Such a policy must include a data-retention schedule and guidelines for how and when the biometric data is destroyed. This obligation to develop and publicize a policy, the court emphasized, layers on top of BIPA Section 15(b)’s requirement that the entity obtain informed written consent from those whose biometric information it seeks to gather and possess.

In other words: if an entity has no retention-and-destruction policy in place before it first collects biometric information, the entity opens itself up to potentially significant liability under BIPA’s uncapped statutory damages provision, which provides for $1,000 per negligent violation and $5,000 per intentional or reckless violation.

The risk may be even more significant if the entity begins collecting biometric information without the individual’s informed written consent. Taking a generous reading of the opinion, the court’s holding would leave organizations with no way to mitigate this liability by adopting a written policy at a later date. Either an organization has a policy at the time of the initial collection or it does not, and if it does not, there is no escaping liability under Section 15(a).

In light of the Mora opinion, businesses and organizations with even the remote possibility of collecting biometric information as part of their operations in Illinois should draft and implement a policy – even if such a policy does not currently seem necessary. If your business or organization operates in Illinois but does not currently have a biometric data retention-and-destruction policy in place, think about developing one, in consultation with counsel.

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites. In some jurisdictions, the contents of this blog may be considered Attorney Advertising. If applicable, please note that prior results do not guarantee a similar outcome. Photographs are for dramatization purposes only and may include models. Likenesses do not necessarily imply current client, partnership or employee status.