Enacted in 2008, the Illinois Biometric Information Privacy Act (“BIPA”), went largely unnoticed until a few years ago when a handful of cases sparked a flood of class action litigation over the collection, use, storage, and disclosure of biometric information.

What is BIPA?

BIPA’s purpose is to protect individuals' privacy rights in their biometric information, including retina or iris scans, fingerprint, voiceprint, hand scans, facial geometry, DNA and other unique, identifying biological information.

Employers may collect and store this information only if they:

Employers may not disclose this information to third parties without the individual's written consent.

A wave of lawsuits followed BIPA's passage. Most were brought by former or current employees whose employers used fingerprints or handprints for timekeeping. For instance, a jury in the first ever BIPA trial (October 2022) found that defendant BNSF Railway Company recklessly or intentionally violated BIPA 45,600 times (once per class member) when it required drivers to register and provide fingerprints each time they used an automated gate system to enter the railyard. The verdict resulted in a $228 million award for the plaintiffs.

Two recent rulings by the Illinois Supreme Court have increased BIPA exposure. First, the Court found a five-year statute of limitations period applies to BIPA claims, rather than a one-year period. Second, the Court found a BIPA claim accrues each time an entity scans or transmits an individual's biometric identifier or information, instead of a single violation when biometric information is first collected.

What Employers Should Do to Limit Liability?

Before employers obtain any biometric data, we recommend they have all employees provide written authorization: