Your compass for long-term success


Newsflash! Employers Beware: You Can’t Touch This, at least not without a written release

Authors: John W. Campbell, Esquire, Alex W. Norlander, Esquire & Savannah R. Rountree

Does your company collect biometric data? Biometric data includes retina or iris scans, fingerprints, voiceprints, or scans of hand or face geometry. As companies begin to employ the use of biometric data of their employees (including on company-owned devices), it becomes necessary to create policies around the retention, storage, and disclosure of such data. Our firm has recently been engaged in creating several such policies. With the Biometric Information Privacy Act (“BIPA”) in place, Illinois is one of three states that has passed a law governing the collection, use, disclosure, or destruction of biometric information. This type of legislation is on the rise with other states currently considering proposals.

Quickly, BIPA was introduced in 2008 and has some of the strictest requirements of any biometric data law. Before an employer can collect biometric data from an employee under BIPA, they must provide written notice to each employee that includes the reason for the collection and the length of time that the employer will use or retain the information. The employer must also receive the employee’s signed written release and develop a publicly available policy that includes a retention schedule and destruction procedures. Employers must protect biometric data in the same way that other confidential information is protected, and BIPA further prohibits selling, leasing, or otherwise profiting from the biometric data. Disclosure of such information is prohibited, except in certain limited situations.

There has been a recent spate of class action lawsuits brought under BIPA because Illinois is the only state whose biometric data statute contains a private right of action. For each violation under BIPA, an “aggrieved person” can recover the greater of $1,000 or actual damages. For each intentional violation, such amount is increased to $5,000 or actual damages, plus attorney’s fees and costs. Until a recent ruling, previous cases had held that individuals must suffer actual harm in connection with a violation of BIPA.  However, last month an Illinois appellate court ruled a specific injury is not required to be shown in order to recover under the statute.

To reduce the risks of any claims based on BIPA, employers should be aware of whether or not they are collecting biometric data.  If such data is being collected, employers should ensure that they have policies in place regarding the collection, storage, use, transmission, and destruction of that information as required by law.

For more information, please contact John W. Campbell, Esquire at or Robert D. Tepper, Esquire at

Gavels (00433755xC5BD8).JPG

Attorney Advertising Notice

Viewing this site or contacting SATC Law does not create an attorney-client relationship. This is intended as a general comment on certain recent developments in law. It does not contain a complete legal analysis or constitute an opinion of SATC Law or any member of the firm on the legal issues herein described. This site contains timely information that may eventually be modified or rendered incorrect by future legislative or judicial developments. It is recommended that readers not rely on this general guide in structuring or analyzing individual transactions or matters but that professional advice be sought in connection with any such transaction or matter.

It is possible that under the laws, rules or regulations of certain jurisdictions, this may be construed as an advertisement or solicitation.

All Rights Reserved

Jessica Evans