Earlier this year, we published the below summary of the Illinois Biometric Information Privacy Act (“BIPA”). Because of increased litigation in this area over the last couple of months, we are publishing the information again and urging companies to evaluate their use of employee fingerprints, hand scans, retina scans or facial recognition technology anywhere in the workplace. Failing to obtain an employee's written consent prior to using, collecting or retaining their biometric information is resulting in class action litigation that may not be covered by the company's insurance program.

Companies are increasingly using employee fingerprints, hand scans, retina scans or facial recognition technology for timekeeping, as well as building, computer and smartphone access. In 2008, the Illinois Biometric Information Privacy Act (“BIPA”) was enacted to regulate the use, collection, storage, safeguarding, handling, retention and destruction of an individual's fingerprints and identifying information from hand, retina and facial scans.  BIPA defines these biologically unique traits as biometric identifiers. The individuals covered by BIPA include employees at companies using scanning devices.

In 2019, the Illinois Supreme Court held that employees do not need to demonstrate any actual harm to establish that they were “aggrieved” by their employer's violations of BIPA.  In short, a simple failure to follow BIPA's requirements is enough to establish an employee's “harm.” The Court's decision has resulted in numerous class action lawsuits being filed in Illinois' courts alleging violations of BIPA. Because BIPA permits monetary recovery for negligent and intentional violations of the Act and for reasonable attorneys' fees and costs, many plaintiffs' attorneys are now focused on this statute.      

Every company with employees in Illinois (regardless of whether the company is Illinois-based) should (1) determine if any of its timekeeping, building access, computer access, smartphone access, or any other systems use, collect, or store biometric identifiers and (2) take immediate risk reduction and compliance measures to comply with BIPA's specific requirements.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.