Employers in Illinois who collect, use, or retain their employees’ biometric data—personal information such as fingerprints or facial or voice recognition—need to be aware of a recent legal development.

As we have explained before, Illinois was the first state to enact a law restricting the collection and storage of biometrics, and it remains the frontline for advancement of jurisprudence on the subject. The Illinois Biometric Information Privacy Act (BIPA) requires entities, including employers, that collect biometric data to follow a number of protocols, including maintaining a written policy about the collection and storage of biometric data, providing owners of biometric information (in this case employees) with written notice of such practices, and obtaining informed consent from individuals subject to biometric data collection. Since its enactment in 2008, BIPA has given rise to a lot of litigation, including many employment class action suits.

The Illinois Supreme Court’s Interpretation of BIPA Favors Plaintiffs

One such class action was the subject of an important decision issued on February 3, 2022, by the Illinois Supreme Court. In McDonald v. Symphony Bronzeville Park LLC, et al. (2022 IL 126511), the state’s highest court issued a unanimous opinion that effectively eliminated an entire defense in BIPA lawsuits. The lawsuit was a putative class action brought by an employee against her health care facility employer. As part of its security and timekeeping systems, the employer scanned employee fingerprints. In an amended complaint, the employee alleged that she was never provided the opportunity to give informed, written consent to the storage of her biometric data. This amendment is significant because the original complaint included allegations of mental anguish, as noted in a brief concurring opinion penned by Justice Michael J. Burke. Those alleged workplace injuries would have precluded the employee from her action under BIPA, pursuant to the Illinois Workers’ Compensation Act’s (IWCA) exclusive remedy provision. Whether IWCA’s exclusive remedy provision provided the employer with a defense by precluding the employee from seeking only statutory damages under BIPA was the question before the Illinois Supreme Court. The court said no, yet it remains an open question if the IWCA would bar claims for damages that were non-statutory, i.e., those for emotional distress.

What Does This Mean for Employers?

McDonald is further evidence of the court’s position that BIPA should be liberally construed, as was made clear in a prior case, Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186. In that case, the Illinois Supreme Court also unanimously held that plaintiffs do not need to suffer an actual injury beyond a violation of rights provided for by BIPA in order to state a claim under that statute. With Rosenbach, the Illinois Supreme Court established its position that a technical violation of BIPA creates a “real and significant injury” in and of itself.

BIPA is one of only a few laws nationwide that afford a private right of action to the owners of biometric data. This in itself constitutes a risk for businesses that use biometric technology for any purpose. Lawsuits can come from aggrieved individuals as well in the form of collective classes that allege violations of BIPA, even if those purported violations caused no actual harm to the plaintiffs, and even if the plaintiffs are not just employees, but customers, visitors, or anyone else from whom any biometric data is collected. The Illinois Supreme Court has been consistent in construing BIPA liberally, and the McDonald decision, which provides a roadmap for plaintiffs seeking statutory damages, further cements BIPA as a potential minefield for employers that fail to heed its requirements.

The best litigation strategy is to avoid litigation in the first place through compliance. Violations of BIPA can be very costly, with statutory damages of at least $1,000 per violation ($5,000 if the violations are deemed intentional or reckless), plus attorneys’ fees and costs. BIPA is an attractive vehicle for the Illinois plaintiffs’ bar and, as such, a substantial risk for businesses.

The Risk Isn’t Limited to Illinois Businesses

While it is obvious that BIPA presents a significant challenge to employers doing business in Illinois, it is important to note that biometric privacy laws have been enacted elsewhere, including Texas, Washington State, and New York City. Other states or localities are likely to follow suit, and developments in Illinois set the trend. Thus, what applies to employers in the Land of Lincoln today may well be widely applicable within the next few years.

What Illinois Employers (and Others) Should Do Right Now

  • Assess: Review all company practices surrounding the collection, usage, storage, or transmission of any biometric information covered by BIPA or other state and local laws like it. This might be as seemingly benign as issuing employees devices, such as smartphones with built-in thumbprint or facial recognition technology, or providing time clocks or security measures with those features.
  • Write: Be sure that your company has clear written policies that address the procedures for collection, storage, use, transmission, and destruction of biometric data, including specific timeframes.
  • Communicate: Be sure to notify all individuals—employee or otherwise—about your biometric data policy, including information about how such data will be secured to protect individual privacy interests.
  • Obtain Consent: BIPA and certain other laws require that individuals whose biometric data may be collected, stored, or used in any way provide informed consent to such collection, storage, and usage. Be sure to inform those individuals and to get their consent in a format that can be stored and, if necessary, produced as evidence of compliance with BIPA in the event of litigation.
  • Consult: Counsel is available to assist with risk assessment, policy development, and training to ensure compliance with this important law.


For more information about this Insight, please contact:

Adam S. Forman
Nathaniel M. Glasser
Washington, DC
Matthew Savage Aibel
New York
Jump to Page

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.