BIPA Law: Your Private Biometric Data, Your Employer’s Access to It, and Your Rights

In today’s tech-driven world, biometric data is increasingly being used by businesses—from fingerprint scanners to facial recognition software. You may have submitted your own data to your employer without much thought about any privacy implications, but offering up this type of biometric data can open you up to a world of serious risks, should your private information be mishandled.

The widespread use of biometric data has sparked concerns regarding privacy, data security, and potential misuse. Illinois, in particular, has led the charge in regulating this technology with its groundbreaking Biometric Information Privacy Act (BIPA).

What Is the Illinois Biometric Information Privacy Act (BIPA)?

Enacted in 2008, Illinois' BIPA is one of the most stringent and comprehensive laws in the United States concerning biometric data. It governs how businesses collect, store, and use biometric identifiers such as fingerprints, facial scans, voiceprints, and retinal scans. BIPA's primary goal is to protect individuals from the unauthorized use of their biometric data, recognizing that this information is unique, irreplaceable, and highly sensitive.

The significance of BIPA lies in its strict requirements and enforcement mechanisms, which allow private citizens to sue companies directly for violations. Unlike other privacy laws, BIPA includes a private right of action, enabling individuals to take legal action against companies that breach the law, even if no actual harm is done. This has led to a surge of litigation and costly settlements for businesses that fail to comply.

BIPA’s Rulebook: Your Employer’s Duty

BIPA outlines several key obligations that businesses must follow when handling biometric data:

Informed Consent: Before collecting or using biometric data, companies must inform individuals in writing about the specific purpose and duration of the data collection. Written consent from the individual is required before the collection can proceed.

Data Retention and Destruction Policies: Companies must establish a written policy outlining the retention schedule and guidelines for permanently destroying biometric data when it is no longer needed. BIPA mandates that biometric data should be destroyed when the initial purpose for collection has been satisfied or within three years of the individual’s last interaction with the business, whichever comes first.

Disclosure and Sale Restrictions: Businesses are prohibited from selling, leasing, or trading biometric data. Disclosure of this data is only allowed with the individual’s consent or under specific circumstances, such as legal obligations or contractual necessity.

Data Protection Requirements: Companies must use a reasonable standard of care to protect stored biometric data and ensure that the data is safeguarded at least as securely as other sensitive information in their possession.

One of the most contentious aspects of BIPA pertains to the retention and use of employee biometric data. In many industries, companies use biometric systems to track employee attendance, manage access control, or secure confidential areas. However, the collection and storage of such data must be handled with extreme caution under BIPA’s guidelines.

Employers in Illinois are required to comply with BIPA’s requirements when using biometric data for workplace purposes. This includes obtaining informed consent, clearly communicating the purpose of data collection, and adhering to the law’s retention and destruction policies.

Employers must provide employees with clear and written notice that their biometric data is being collected, stored, and used, specifying the purpose and length of time for which the data will be retained. Consent must be given before any biometric data is collected, and it should be a freely given, informed, and documented agreement.

Employers must also have a formal, publicly available policy detailing how long biometric data will be retained and the timeline for its destruction. BIPA mandates that biometric data be destroyed either when the purpose for its collection has been fulfilled or within three years of the employee’s last interaction with the employer.

The stakes for employers who fail to comply with BIPA are very high. Under BIPA, any individual can file a lawsuit if they believe their biometric data has been mishandled. Employers face the risk of costly class-action lawsuits if they neglect these obligations. Even technical violations, such as failing to implement a written policy or obtain explicit consent, can result in significant financial penalties.

Conclusion: BIPA’s Lasting Impact on Biometric Privacy

The Illinois Biometric Information Privacy Act (BIPA) has set a precedent for how biometric data should be handled in the digital age. With its strict requirements and strong enforcement mechanisms, BIPA underscores the importance of transparency, consent, and responsible data management. For businesses in Illinois, compliance is not optional—it’s a legal obligation with serious consequences for those who fail to meet it.

For employees and consumers, BIPA serves as a safeguard, ensuring that their most sensitive and unique data is protected. As more states look to implement similar laws, the future of biometric privacy will likely be shaped by the lessons learned from Illinois’ pioneering approach. 

At Morgan & Morgan, we are committed to fighting for the rights of individuals affected by BIPA violations and ensuring that businesses are held accountable when they fail to uphold these standards.

If you believe your biometric data has been mishandled, our team of experienced attorneys is here to help. For over 35 years, Morgan & Morgan has fought For the People, and we’ve recovered over $20 billion for our clients in the process. Our data privacy attorneys are ready to stand by your side. Contact Morgan & Morgan today for a free case evaluation and learn how we can assist you in protecting your privacy rights.