Illinois’s Biometric Law Damages Are Ballooning: How Do Employers Become and Stay Compliant?

One of the more significant Illinois legal developments in the past month were two Illinois Supreme Court orders interpreting the state’s onerous Biometric Information Protection Act (BIPA). We recently examined how these rulings: (1) expanded the applicable statute of limitations to five years from the first violation; and (2) interpreted BIPA violations to “accrue” not only in the first instance, but also in every subsequent instance where biometric information is collected.

With potential liability now reaching the billions of dollars, how can employers minimize their risk and comply with BIPA’s exacting requirements?

Despite the daunting liability figures, compliance with BIPA does not need to be an insurmountable task. BIPA’s requirements are described in Sections 15(a)-(e) in some detail, but can general be broken down into the following obligations:

• Employers must maintain a written, publicly available policy addressing how the organization uses biometrics, including specific details about collection, retention, and destruction;
• Employers must obtain written consent before collection of biometrics with an executed release from any individuals that will be providing their biometrics, including the purpose and time period the biometric will be retained;
• Employers cannot profit from the use of individuals’ biometric information;
• Absent informed consent, employers cannot disclose third parties’ biometrics without written consent; and
• Employers must store, transmit, and protect all biometrics in a manner commensurate with the sensitive and confidential nature of biometric information.

Broken down into these pieces, creating a policy that fits your organization is far more manageable. Specificity should be included for particular uses, which requires a thorough understanding of how your biometric system works. For example, does the system store any biometric information locally? Does the system transmit biometrics to third parties, like vendors who supply or maintain the system? Does the system delete biometrics automatically after a certain period? These and several other questions are important to consider when drafting BIPA-compliant policies.

Of course, not all employers use biometric systems in their organizations. However, if an employer operates in Illinois and there is a chance the organization may adopt biometric technology in the future, we still recommend implementing a generic biometric policy to cover this possibility. All too often, one part of the organization may not be looped in when another division decides a biometric system would be useful. Though a generic policy will need to be further tailored once a system is chosen, a generic policy at least provides a backstop in the event biometric use slips in under the radar.

If your business or organization operates in Illinois but does not currently have a biometric data collection and use policy in place, think about developing one, in consultation with experienced counsel.