For Schaumburg employers using biometric technology like fingerprint scanners or facial recognition timeclocks, compliance with Illinois’s Biometric Information Privacy Act (BIPA) is a direct requirement of doing business.
The core obligations involve providing written notice, obtaining informed written consent before collecting any data, publishing a data retention and destruction policy, and securely storing the information, all of which fall squarely under business law requirements that employers must follow to avoid liability.
The landscape of BIPA litigation changed significantly in August 2024 with an amendment that limits damages, but businesses remain exposed to costly lawsuits, particularly for past practices.
If you have a question about implementing a BIPA-compliant policy or are facing a demand letter, call our office for a confidential review of your situation.
Contact M&A Trial Lawyers at (847) 786-8999.
Key Takeaways for BIPA Compliance
- Consent must be obtained in writing before the first scan. This is the single most common and costly mistake employers make, and it is the primary driver of BIPA class-action lawsuits.
- The 2024 BIPA amendment caps future damages. The law now limits liability to one violation per person for the same collection method, but your business may still face litigation for past conduct under the old “per-scan” damage calculation.
- A public written policy is a mandatory requirement. You must create and publish a document that clearly explains what biometric data you collect, the specific purpose for collecting it, and your schedule for its permanent destruction.
The BIPA Landscape Has Changed: What the August 2024 Amendment Means for Your Business
Before 2024, the Illinois Supreme Court’s ruling in Cothron v. White Castle created immense financial risk for employers. The court decided that a BIPA violation occurred with every single scan of a fingerprint or face made without prior consent. For a company with 100 employees clocking in and out twice a day, this meant 400 potential violations daily, with damages calculated at $1,000 to $5,000 per violation. This led to potential liability reaching into the millions or even billions of dollars.
This “per-scan” model created a wave of class-action lawsuits that threatened the financial stability of many Illinois businesses, including those in the manufacturing and retail sectors common in Northwest Cook County. The uncertainty made it nearly impossible to calculate true legal risk.
The Change
In August 2024, the Illinois legislature amended BIPA to cap damages. Now, under the new law, an employer is liable for only one violation per employee for the repeated collection of the same biometric data, not for every scan. This significantly reduces future exposure. However, a new challenge has emerged from this legislative solution.
The amendment’s biggest unresolved issue is whether this cap applies to conduct that occurred before August 2024. Courts are currently working to resolve this legal gray area, which means your business could still face a lawsuit based on the old, more dangerous “per-scan” calculation for past non-compliance. Our firm is actively monitoring these developments.
Do You Use “Biometric Information”? A Plain-English Guide for Schaumburg Employers
BIPA applies to businesses that collect, store, or use “biometric identifiers” or “biometric information.” You might be doing this without realizing the legal implications.
What Is a “Biometric Identifier”?
It is a scan of a unique physical human characteristic. The law specifically names: a retina or iris scan, a fingerprint, a voiceprint, or a scan of hand or face geometry. For businesses in Schaumburg’s industrial parks or the Woodfield Mall area, the most common examples are fingerprint scanners on timeclocks and facial recognition systems used for employee access or timekeeping.
Is a Photograph a Biometric Identifier?
No, a simple photograph is not considered a biometric identifier under the law. However, if your timeclock system takes a photo and then uses software to create a mathematical map of the face (a “faceprint”) to verify identity, that map is considered biometric information, and BIPA rules apply.
What Is Not Covered?
PIN numbers, ID cards, and keys are not considered biometric identifiers. The law also excludes writing samples, physical descriptions like height and hair color, and demographic data.
A Practical Roadmap to BIPA Compliance
Achieving BIPA compliance involves five straightforward, documentable steps. Taking these actions proactively is the most effective way to prevent a lawsuit, and hiring an attorney early helps ensure these policies are implemented correctly and defensibly. Our firm helps businesses implement these policies.
As part of our work with clients, we provide template BIPA policy and consent forms tailored to their industry.
1. Create and Publish a Written Policy
This is a public document explaining your procedures for biometric data. It must include:
- A clear statement that you are collecting biometric data.
- The specific purpose of the collection (e.g., “for employee timekeeping and building access”).
- A “retention schedule” detailing how long you will keep the data. BIPA requires that data be destroyed when the initial purpose for collecting it is satisfied or within 3 years of your last interaction with the individual, whichever comes first.
- Guidelines for how you will permanently destroy the data once it’s no longer needed.
2. Get Informed, Written Consent Before the First Scan
This is the most common point of failure for employers and the source of most BIPA litigation. You must complete three actions before an employee’s first fingerprint or facial scan:
- Inform the employee in writing that you are collecting their biometric data.
- Explain in writing the purpose and the length of time you’ll be storing and using it.
- Receive a written release (a signed consent form) from the employee.
A key update in the 2024 amendment explicitly confirms that an electronic signature is a valid form of written consent, which helps simplify the employee onboarding process.
3. Uphold a Standard of Reasonable Care
You must protect the collected biometric data with the same level of security that you would for other confidential and sensitive information, like financial records or Social Security numbers. This means taking reasonable steps to prevent data breaches.
4. Do Not Sell or Profit From Employee Data
BIPA strictly forbids selling, leasing, trading, or otherwise profiting from an employee’s biometric information. This is a hard-and-fast rule with very few exceptions.
5. Manage Your Vendors
If you use a third-party timeclock provider (such as Kronos, UKG, or Paychex), you are still liable for their BIPA compliance failures. It is your responsibility to ensure they handle your employees’ data correctly. Your contract with them should require that they adhere to all of BIPA’s rules, because proving your case often depends on showing that your contracts required full compliance.
You’ve Received a BIPA Demand Letter. What Happens Now?
How you respond in the first few days sets the tone for the entire case.
First, Do Not Ignore It
These letters come with deadlines. Missing them leads to a default judgment being entered against your company. Setting the letter aside will not make the problem go away.
Second, Preserve All Relevant Information
You must issue a “litigation hold.” This is a formal directive to your IT and HR departments to not delete any potentially relevant documents. This includes timekeeping records, employee files, any consent forms that might exist, and all communications with your timeclock vendor.
Third, Review Your Insurance Policies
Contact your business insurance broker immediately. Some Commercial General Liability (CGL) or Employment Practices Liability (EPLI) policies may provide coverage for defense costs in a BIPA lawsuit. This is particularly true for older policies that were written before insurers began adding specific exclusions for biometric-related claims.
Fourth, Begin Building a Defense Strategy
An attorney analyzes the specifics of your situation to identify potential defenses. At M&A Trial Lawyers, our BIPA practice focuses on investigating all available defenses, which may include:
- The Statute of Limitations: In the case of Tims v. Black Horse Carriers, Inc., the Illinois Supreme Court established that BIPA claims have a five-year statute of limitations. We will analyze the timeline of the claims against you.
- Union Preemption: If your employees are part of a union, your collective bargaining agreement (CBA) could be your strongest defense. The Illinois Supreme Court has held that if a CBA covers timekeeping procedures or has a broad management rights clause, a BIPA claim might be preempted by federal labor law under the Labor Management Relations Act (LMRA).
- Procedural Defenses: We will analyze the plaintiff’s claims for any technical or legal deficiencies that could lead to a motion to dismiss the case.
How Are BIPA Violation Damages Calculated Today?
BIPA provides for “liquidated damages,” which means the amounts are set by the law itself. A plaintiff does not need to prove they suffered any actual financial harm to be entitled to recovery.
The potential damages are:
- $1,000 per violation for a negligent violation. An example of negligence is an employer who was simply unaware of their BIPA duties and, as a result, failed to get consent.
- $5,000 per violation for an intentional or reckless violation. An example of recklessness might be an employer who knew about BIPA’s requirements but made a deliberate choice to ignore them.
As mentioned, the 2024 amendment clarifies that these damages are now calculated per employee, not per scan. If you failed to get proper consent from 50 employees, your statutory risk is now calculated based on those 50 people, providing a much clearer picture of your potential financial exposure for any ongoing or future conduct.
BIPA Compliance FAQs for Schaumburg Businesses
We’ve been using fingerprint scanners for years without a written policy. Is it too late to become compliant?
It is never too late to adopt compliant practices. Doing so now limits future liability and demonstrates good faith should a claim arise.
However, implementing a proper policy today does not erase potential liability for past actions, which may still be subject to the five-year statute of limitations.
Do we have to follow BIPA if our timeclock vendor is based out-of-state?
Yes. BIPA applies to any private entity that collects biometric data from Illinois residents while operating in Illinois. The physical location of your vendor’s headquarters does not change your legal responsibilities here.
Can an employee refuse to provide their fingerprint?
This is a complicated issue. While you must have consent to collect the data, you may be able to provide a non-biometric alternative (like a PIN or keycard) and make the use of the biometric system a condition of employment. This is only permissible if you first follow all of BIPA’s notice and consent requirements.
We advise consulting with legal counsel before implementing such a policy.
We are a small business in Schaumburg with only 15 employees. Does BIPA still apply to us?
Yes. BIPA does not have an exemption based on the number of employees or the size of the business. It applies to all private entities in Illinois, regardless of size.
What is the most common BIPA mistake you see employers make?
The most frequent and costly mistake is failing to obtain informed, written consent before the very first biometric scan. Many employers either collect a signature after the fact, use a vague consent form that does not meet the law’s requirements, or fail to get a signature at all.
Focus on Your Business, Not on Difficult Legal Issues
Worrying about a BIPA lawsuit should not distract you from running your company. Whether you are proactively seeking compliance to prevent a future problem or you have already been contacted by a plaintiff’s attorney, the path forward requires a clear and informed strategy. You do not have to figure this out alone.
Let us handle the legal details so you can get back to business. For a confidential consultation about your company’s BIPA compliance or defense, call M&A Trial Lawyers today at (847) 786-8999.