Small businesses with employees who clock in and out using fingerprint scans or facial recognition need to be aware of a stringent Illinois law, the Biometric Information Privacy Act (BIPA), which applies to all entities operating in Illinois. This law was relatively unnoticed when the Illinois legislature passed it in 2008. However, starting in 2019, lawsuits began to proliferate: at least 130 cases each year until 2023. And these cases can be expensive for employers: one jury verdict awarded plaintiffs $228 million in damages. While the courts later vacated that award, it highlighted an opportunity for plaintiffs’ attorneys to file class action lawsuits and force businesses to settle, often for at least tens of thousands of dollars.
Luckily, businesses can take certain steps to comply with the Biometric Information Privacy Act and avoid these potentially expensive (and certainly energy-sucking) class-action lawsuits.
Read on for more information about BIPA; how to determine whether your business collects biometric information; and, if it does, what you should do to comply with BIPA and avoid lawsuits.
What is the Biometric Information Privacy Act (BIPA)?
BIPA is an Illinois privacy law that passed in 2008 but flew under the radar until 2023, when an Illinois Supreme Court decision turned BIPA into a hammer that could be wielded against employers through class action lawsuits. That hammer has since been weakened, but many business owners are still at risk for these lawsuits.
So let’s get into it. The Biometric Information Privacy Act (BIPA) regulates the collection, storage, and use of biometric information. “Biometric Information” includes fingerprints, retina or iris scans, handprints, facial scans, and voiceprints. Specifically, BIPA:
- Prohibits entities, including employers, from collecting, capturing, purchasing, receiving through trade, or otherwise obtaining a person’s or a customer’s biometric identifier or biometric information without informed written consent.
- Prohibits entities from selling, leasing, trading, or otherwise profiting from biometric identifiers or information in their possession.
- Prohibits entities from disclosing, transmitting, or otherwise sharing biometric information with any other party except in very limited circumstances.
- Requires anyone collecting, storing, or using such information to have policies and procedures that meet strict requirements for the storage, safeguarding, and deletion or disposal of the information.
- Requires that any entity in possession of biometric information have a written policy available to the public with guidelines and procedures for permanently destroying the information when its purpose has been satisfied or within 3 years of collection. (See 740 ILCS 14/1-14/25.)
Why do employers and small business owners care about BIPA?
As technology advances and becomes less expensive and more convenient for small business owners to use, business owners may not be aware of certain risks that come with using new tech tools. Fingerprint scanning clocks, cameras in the workplace, and other recording-type devices may collect biometric information, and therefore fall under the BIPA requirements. Unless a business owner has In-House or Outside General Counsel, they may never have their policies and procedures reviewed for legal compliance. There are a ton of national and state-level laws out there designed to protect employees and the public. This means that many employers using fingerprint or facial scanning timeclocks, workplace cameras, or similar devices don’t have the required BIPA policies and consents and are violating BIPA, opening them up to lawsuits.
Why is BIPA so popular right now?
Everything changed in 2023, when the Supreme Court of Illinois delivered some landmark decisions. Before these decisions, the “statute of limitations”, or the amount of time individuals had to file BIPA lawsuits after a violation, was left to the courts to decide. Some picked a relatively short statute of limitations, like 1 year. But two Illinois Supreme Court decisions made these lawsuits much more lucrative.
First, they set a 5-year statute of limitations across the board. Second, they ruled that every scan/collection of biometric information constituted a separate violation for the purpose of counting damages. (See Tims v. Black Horse Carriers, Inc., 2023 IL 127801 (Ill. Feb. 2, 2023) and Cothron v. White Castle Systems, Inc., 2023 IL 128004 (Ill. Feb. 17, 2023).) The second decision, in a suit against White Castle, meant the company could have been ordered to pay up to 17 million dollars in damages. Ultimately, White Castle appears to have settled with the plaintiffs in the class action suit for just under 10 million dollars.
But that’s White Castle. Looking at a smaller business – one with, say, 10 employees – might be a more helpful example. If 10 employees have been with the employer for 5 years, they can sue for every clock-in and clock-out that collects biometric information over those 5 years. Assuming they take a week off each year, that’s 25,500 scans. They could be looking at a judgment of 25.5-127.5 million dollars in statutory damages (depending on whether a court decides they negligently or intentionally violated BIPA) plus attorney’s fees and costs.
These two rulings by the Supreme Court of Illinois made lawsuits far more attractive to class action lawyers and disgruntled former employees in particular, given the potential for a large payout.
Where does BIPA stand for future lawsuits?
We do have some good news for small business owners and other employers. Illinois enacted an amendment to the Biometric Information Privacy Act on August 2, 2024, that changed the damages from “per scan” to “per person”. This will greatly reduce the potential liability for employers going forward. However, the amendment did not explicitly make the change retroactive, so lawsuits for violations pre-August 2, 2024 may still use the “per scan” measurement. (There is currently a split in the Illinois courts on whether the rule can be applied retroactively and the Illinois Supreme Court has not weighed in yet.) And employers that do not have informed written consent and the right policies and procedures for collecting, using, and storing biometric information could still have significant exposure even under the “per person” rule depending on how many employees they have in any given 5-year period.
What can employers do to avoid BIPA lawsuits?
To help small business owners protect themselves from the looming threat of BIPA, our attorneys compiled this compliance checklist.
- Have a BIPA-Compliant Consent Form. If you’re using a time system or other equipment that uses biometric information, review your current employee documents. If you do not have a release that meets the BIPA requirements, contact an attorney to get a release form drafted for your business. A BIPA-compliant release must include specific disclosures to and consents from the employee and provide valid opportunities for the employee to decline to consent and to revoke consent.
- Have BIPA-Compliant Policies. Review your policies and procedures to make sure they are BIPA-compliant. This means you need written policies for how the information is collected and stored, who has access to the information, when the information will be destroyed, and other security measures, as well as some other compliance requirements based on how you are collecting biometric information. If you aren’t sure if your policies and procedures are compliant, you should talk to an attorney.
- Post your BIPA-Compliant Policies. If a company is required to have BIPA-Compliant Policies under BIPA, they are also required to post them publicly.
We have experience drafting these documents, in addition to our suite of employment solutions, and are happy to do so for you as well!
The bottom line
Employers can take advantage of the convenience of new technology, even if it collects biometric information, as long as they have the proper policies and procedures in place. Take a look at our Checklist above for more specifics on that.
If you use any technology that may collect biometric information, or if you plan to start using it in the future, come talk to your friendly neighborhood business lawyer. We believe that preparation is the best defense. When the ambiguity of the legal landscape makes certainty impossible, being confident in your own standing situates you to better weather whatever comes.