justice scale justice scale justice scale

McKenna Minutes

“The life of the law has not been logic; it has been experience.”

-Oliver Wendell Holmes, Jr.

Recent Litigation Highlights The Need to Understand the Illinois Biometric Privacy Act (BIPA) Requirements

Recent Litigation Highlights The Need to Understand the Illinois Biometric Privacy Act (BIPA) Requirements

To avoid what is becoming a common lawsuit, businesses need to be aware of the Illinois Biometric Information Privacy Act (BIPA) requirements. Two class action lawsuits were recently filed in Cook County Circuit Court by employees alleging violations of the BIPA by their respective employers. Using biometric data is beneficial for businesses, and specifically for employers, but it is important that these businesses understand what is required of them under the existing law to protect their employees and customers, and to avoid costly litigation.


On July 30, 2018, lead plaintiff, Fallon White, filed a complaint (Case No. 18-CH-09599), against her employer, Hagewisch Development Corp., alleging violations of the BIPA. Specifically, the lawsuit claims that defendants did not inform class members in writing of the purpose and length of time that their fingerprints were collected, stored, disseminated and used, or inform them of a schedule for permanent destruction of the data. The lawsuit further claims that defendants shared the data with third parties, and did not obtain written authorization from employees before collecting the data. On August 6, 2018, a similar lawsuit (Case No. 18-CH-09968) was filed by lead plaintiff, Latham Cacy, against her employer, AGCO Corp. The lawsuit alleged similar violations of the BIPA as were alleged in the Fallon White class action.


The BIPA requlates the collection, use, safeguarding, handling, storage, retention, and destruction of biometrical identifiers and biometric information (biometric data), such as a retina or iris scan, fingerprint scan, voiceprint or scan of hand or face geometry. The BIPA applies to all entities except state or local government agencies, and courts or clerks of court. Once applicability is established, the BIPA imposes five requirements on private entities.

1) Written Policy
A private entity in possession of biometric data must develop a written policy establishing a retention schedule along with guidelines for permanently destroying that data when the initial purpose of collecting that data has been satisfied, or within three years of the individuals last interaction with the entity. This policy must be available to the public.

2) Informed Consent
A private entity may not obtain a person’s biometric data unless it informs the subject in writing that biometric data is being collected, informs the subject in writing the length of time that biometric data is being collected, stored or used, and receives a written release from the subject.

3) Prohibition on Profit
No private entity in possession of biometric data may sell, lease, trade, or otherwise profit from a person’s biometric data.

4) Prohibition on Disclosuret
No private entity in possession of biometric data may disclose, redisclose, or otherwise disseminate a person’s biometric data unless the subject consents to disclosure, the disclosure completes a financial transaction authorized by the subject, the disclosure is required by law, or the disclosure is required pursuant to a valid warrant or subpoena.

5) Protection of Data
A private entity in possession of biometric data must store, transmit, and protect from disclosure all biometric data using a reasonable standard of care, and in a manner that is the same or more protective than the manner in which the entity stores, transmits, and protects other confidential and sensitive data.

As we have already seen the BIPA provides a private right of action for violations of the statute. An entity found in violation of the statute may be liable for actual damages or liquidated damages of either $1,000 or $5,000, along with attorneys’ fees and costs.

BIPA is Fertile Ground for Litigation

The BIPA is currently a fertile ground for litigation. As the ability to collect and retain biometric data becomes more available, and is more regularly used by businesses to collect and retain biometric data about their customers and employees, it is probable that the amount of litigation in this area will increase. Despite this risk of litigation, businesses should not hesitate to collect and retain biometric data, but should simply work to understand and comply with the requirements of the BIPA.

You may like to read our previous blog on other BIPA related cases and court decisions in Illinois.

If you have questions regarding litigation or compliance under Illinois’ Biometric Information Privacy Act, or questions regarding privacy and data security generally, contact Tim Hayes at McKenna Storer.

Categories Privacy and Data Security Litigation

Leave a Reply

You must be logged in to post a comment.

Here to help with whatever your legal issues may be, schedule your no-obligation consultation or Simply Call us at.
Chicago: (312) 558-3900 or Woodstock: (815) 334-9694

  • Hidden
  • Hidden

Please do not send confidential information via email. The sending of information by you, and the receipt of it by McKenna Storer, is not intended to, and does not create a lawyer-client relationship.

Privacy Policy | Sitemap © 2021 McKenna Storer
Show Buttons
Hide Buttons