
Illinois Supreme Court Finds Against Employers in BIPA Cases

By Sonal Shah, JD, Assistant Director, Employment Law Services
Published March 14, 2023

The Illinois Supreme Court recently opined on two important Biometric Information Privacy Act (BIPA) cases. In the first one, decided on Feb. 2, 2023, the Court held that a five-year limitations period applies to all claims under BIPA. Previously, the Illinois Appellate Court held that BIPA claims could be subject to either a one-year or five-year statute of limitations depending on the applicable section of the law. This ruling expands the BIPA limitations period to the maximum possible length, which, of course, will likely increase liability for BIPA violations.

Then, on February 17, 2023, the Illinois Supreme Court ruled that claims under BIPA accrue each time data is unlawfully collected and disclosed rather than simply the first time such action is taken. This means the penalties for employers violating the Act are much higher. Indeed, the Court even acknowledged that treating each scan as a separate violation may lead to massive statutory damages awards (the law provides for a $1,000 penalty per negligent violation and a $5,000 penalty per intentional violation). 1

BIPA, which was enacted in 2008, regulates the collection and use of certain “biometric identifiers” (retina and iris scans, fingerprints, voiceprints, and scans of hand or face geometry), as well as information based on an individual’s biometric identifier used to identify that individual (“biometric information”). Under the law, a private entity must obtain explicit written consent from everyone from whom it collects biometric identifiers or information after providing the individuals with notices informing them:

  • That biometric identifiers or information is being collected or stored.
  • The specific purpose for the collection, storage, and use of the biometric identifiers or information. 
  • The length of time for the collection, storage, and use of the biometric identifiers or information.

In addition, such entities must have a written policy, which is made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers or information.

Now more than ever, organizations with operations in Illinois need to be aware of and take steps to comply with BIPA if they use biometric identifiers or information as described here. HR Source members can contact us for a sample BIPA policy and consent form. Reach us through the HR Hotline online or at 800-448-4584.

1. White Castle, which was the plaintiff in this case, estimated its total potential liability to an alleged class of 9,500 current and former employees would exceed $17 billion.