Illinois Biometric Privacy Law Overview

Illinois enacted the Biometric Information Privacy Act (BIPA) in 2008, creating the nation's strictest and most comprehensive biometric privacy law. BIPA has become one of the most litigated privacy laws in the United States, with billions of dollars in settlements and ongoing litigation against major technology companies and employers.

Unlike most privacy laws that rely on government enforcement, BIPA grants Illinois residents a powerful private right of action, allowing individuals to sue companies directly for violations. This has made BIPA an exceptionally potent tool for protecting biometric privacy rights and has inspired similar legislation in other states.

Key Illinois Privacy Legislation

Biometric Information Privacy Act (BIPA)

BIPA was enacted on October 3, 2008, becoming the first state law to comprehensively regulate the collection, use, and storage of biometric identifiers and biometric information.

BIPA: Quick Overview

  • Effective Date: October 3, 2008
  • Applies To: Private entities collecting biometric data from Illinois residents
  • Coverage: Biometric identifiers and biometric information
  • Enforcement: Private right of action, Illinois Attorney General
  • Penalties: $1,000 per negligent violation, $5,000 per intentional/reckless violation
  • Key Feature: No requirement to prove actual harm

What Constitutes Biometric Information?

BIPA defines biometric identifiers and biometric information broadly:

Biometric Identifiers

  • Retina or iris scans
  • Fingerprints
  • Voiceprints
  • Scans of hand or face geometry

Biometric Information

  • Information based on biometric identifiers
  • Used to identify an individual
  • Data derived from biometric scans
  • Templates and algorithms based on biometrics

Important Exclusions: BIPA does not cover photographs, demographic data, physical descriptions (height, weight, hair/eye color), medical information collected under HIPAA, or information captured from patients for treatment purposes.

Other Illinois Privacy Laws

  • Personal Information Protection Act (PIPA): Data breach notification requirements
  • Right to Privacy in the Workplace Act: Restricts employer monitoring and social media access
  • Genetic Information Privacy Act (GIPA): Protects genetic testing information
  • Mental Health and Developmental Disabilities Confidentiality Act: Strong mental health privacy protections

Who BIPA Applies To

BIPA applies to any "private entity," a term broadly interpreted to include:

  • Employers using biometric time clocks or access systems
  • Technology companies with facial recognition features
  • Social media platforms using face-tagging technology
  • Retailers using biometric payment or security systems
  • Healthcare providers collecting biometric data (outside HIPAA-covered treatment)
  • Property management companies using biometric building access
  • Fitness centers and gyms using fingerprint check-in
  • Financial institutions using biometric authentication
  • Any business collecting biometric data from Illinois residents

Jurisdictional Reach: BIPA applies when biometric data is collected from Illinois residents, regardless of where the collecting company is located. Out-of-state companies can be sued in Illinois courts for BIPA violations.

BIPA Requirements and Obligations

1. Written Policy Requirement

Before collecting biometric data, entities must:

  • Establish and make publicly available a written policy
  • Specify retention schedule and destruction guidelines
  • State the purpose and length of time biometric data will be stored

2. Written Consent Requirement

This is the most critical BIPA requirement. Entities must obtain:

  • Written release: Signed document from the individual (electronic signatures accepted)
  • Informed consent: Person must be informed in writing of specific purpose and length of collection
  • Prior to collection: Consent must be obtained before collecting any biometric data
  • Opt-in only: Silence or inaction does not constitute consent

3. Notice and Disclosure Requirements

Before collecting biometric data, entities must inform subjects in writing of:

  • The specific purpose for collection or storage
  • The specific length of time data will be collected, stored, and used
  • That biometric data is being collected or stored

4. Prohibition on Sale, Lease, or Trade

BIPA strictly prohibits private entities from:

  • Selling biometric identifiers or information
  • Leasing biometric data to third parties
  • Trading or otherwise profiting from biometric information
  • Limited exception: Disclosure pursuant to valid warrant or subpoena

5. Standard of Care Requirement

Entities possessing biometric data must:

  • Store, transmit, and protect data using a reasonable standard of care
  • Use care at least equal to the care the entity applies to its other confidential and sensitive information
  • Use care that equals or exceeds industry standards
  • Protect against unauthorized access, disclosure, or use

6. Retention and Destruction Requirements

Entities must permanently destroy biometric data at the earlier of the following two points (whichever occurs first):

  • When the initial purpose for collecting the data has been satisfied
  • Within 3 years of the individual's last interaction with the entity

Common BIPA Violations

Employment Context

  • Biometric time clocks: Fingerprint or palm scanners used without proper consent
  • Facility access systems: Fingerprint or facial recognition building entry
  • Employee monitoring: Voice or facial recognition systems tracking workers
  • Vendor-provided systems: Third-party timekeeping systems collecting biometrics

Technology and Social Media

  • Photo tagging: Facial recognition to suggest tags in photos (Facebook/Meta settlements)
  • Face filters and effects: Apps using facial geometry for filters or effects
  • Virtual try-on features: AR features scanning facial geometry
  • Video conferencing: Background replacement using facial scans

Consumer Applications

  • Retail biometric payment: Fingerprint or palm payment systems
  • Gym check-in systems: Fingerprint scanning at fitness centers
  • Building access: Residential or commercial biometric entry
  • Mobile apps: Apps collecting face or fingerprint data beyond device authentication

Damages and Penalties

Statutory Damages

BIPA provides liquidated damages without requiring proof of actual harm:

  • Negligent violations: $1,000 per violation
  • Intentional or reckless violations: $5,000 per violation
  • No harm required: Technical violations alone support damages

What Constitutes a "Violation"?

This is the critical question for calculating damages. Courts have held:

  • Per scan vs. per person: Recent rulings suggest violations occur per person, not per scan
  • Multiple violations: Failure to obtain consent, failure to publish policy, and improper retention may be separate violations
  • Continuing violations: Some courts allow damages to accrue over time

Additional Remedies

  • Injunctive relief: Court orders to cease violations and implement compliance
  • Attorney's fees: Prevailing plaintiffs can recover reasonable attorney's fees
  • Costs: Litigation costs and expenses
  • Actual damages: Where applicable, in addition to statutory damages

Statute of Limitations

Illinois courts have interpreted BIPA's statute of limitations as:

  • 5-year statute: Most violations subject to 5-year limitations period
  • Accrual: Claim accrues when violation first occurs
  • Discovery rule: Limited application to BIPA claims

Major BIPA Settlements and Cases

Landmark Settlements

  • Facebook/Meta (2021): $650 million settlement - largest BIPA settlement, covering facial recognition photo tagging
  • Google (2022): $100 million settlement - Google Photos facial grouping feature
  • Snapchat (2024): $35 million settlement - facial filters and lenses
  • TikTok (2021): $92 million settlement - facial recognition and biometric data collection
  • Clearview AI (2022): Settlement requiring restrictions on Illinois sales and compliance measures

Employment BIPA Cases

  • Multiple employers: Hundreds of class actions against employers using fingerprint time clocks
  • Typical settlements: Range from hundreds of thousands to tens of millions depending on class size
  • Common defendants: Retailers, manufacturers, healthcare facilities, and logistics companies

Key Court Rulings

  • Rosenbach v. Six Flags (2019): Illinois Supreme Court held no actual harm required to bring BIPA claim
  • Cothron v. White Castle (2023): Illinois Supreme Court held each scan can constitute separate violation (later legislatively amended)
  • Tims v. Black Horse Carriers (2021): Illinois Supreme Court ruled 5-year statute of limitations applies

Recent Developments and Legislative Changes

2024 BIPA Amendments

Illinois enacted amendments to BIPA addressing several key issues:

  • One claim per person: Clarified that violations accrue once per person, not per scan (retroactive)
  • Consent in employment: Specific provisions for employment context
  • Retention schedules: Clarifications on destruction requirements
  • Litigation procedures: New requirements for class certification

Pending Legislation and Proposals

  • Scope clarifications: Proposals to clarify coverage of certain technologies
  • Healthcare exemptions: Potential expansions for medical uses
  • Small business relief: Discussions about simplified compliance for small entities

Enforcement Trends

  • Class action focus: BIPA remains one of the most active areas for privacy class actions
  • New technologies: Litigation expanding to AI, deepfakes, and emerging biometric applications
  • Workplace monitoring: Increasing scrutiny of employee biometric surveillance
  • Third-party vendors: More litigation against technology vendors, not just end users

Compliance Best Practices

For Businesses Operating in Illinois

  • Conduct BIPA audit: Identify all biometric data collection activities
  • Draft written policies: Create and publish retention and destruction schedules
  • Implement consent procedures: Develop compliant written consent forms
  • Update privacy notices: Ensure notices contain all required BIPA disclosures
  • Review vendor contracts: Ensure third-party providers comply with BIPA
  • Assess necessity: Determine if biometric collection is truly necessary
  • Consider alternatives: Explore non-biometric options (badges, PINs, passwords)
  • Implement data security: Ensure biometric data receives heightened protection
  • Train employees: Educate staff on BIPA requirements and procedures
  • Document compliance: Maintain records of consent, policies, and data destruction

Key Compliance Documents

  • Written biometric data retention and destruction policy (publicly available)
  • Written informed consent forms (signed by each individual)
  • Privacy notices containing BIPA-required disclosures
  • Data security policies and procedures
  • Vendor contracts with BIPA compliance provisions
  • Data destruction logs and certifications

How Illinois Privacy Attorneys Can Help

For Businesses:

  • BIPA compliance audits: Comprehensive review of biometric data practices
  • Policy development: Draft retention, destruction, and security policies
  • Consent form creation: Develop legally compliant written consent documents
  • Vendor contract review: Ensure third-party agreements include BIPA protections
  • Risk assessments: Evaluate BIPA exposure and litigation risk
  • Alternative solutions: Advise on non-biometric alternatives to reduce risk
  • Class action defense: Represent businesses in BIPA litigation
  • Settlement negotiation: Negotiate favorable resolution of BIPA claims
  • Regulatory guidance: Navigate Illinois Attorney General inquiries
  • Training programs: Educate employees and management on BIPA compliance

For Individuals:

  • BIPA violation claims: File lawsuits against non-compliant businesses
  • Class action representation: Join or initiate class actions for widespread violations
  • Settlement recovery: Pursue compensation under BIPA's damages provisions
  • Workplace violations: Challenge employer biometric practices
  • Consumer app violations: Sue apps and platforms collecting biometrics improperly
  • Demand data deletion: Compel businesses to destroy biometric data
  • Injunctive relief: Stop ongoing biometric data collection violations

Specialized BIPA Services:

  • Multi-state biometric privacy compliance (coordinating BIPA with other state laws)
  • Technology licensing and biometric data agreements
  • Healthcare biometric privacy (navigating HIPAA and BIPA overlap)
  • AI and facial recognition compliance
  • Workplace biometric monitoring assessments
  • Consumer biometric applications counseling
  • Genetic privacy coordination (BIPA and GIPA compliance)

Need an Illinois BIPA Attorney?

Whether you're a business seeking BIPA compliance or an Illinois resident whose biometric privacy has been violated, our network of experienced Illinois privacy attorneys can help you navigate this complex and powerful privacy law.

Find an Illinois Privacy Attorney