On January 25, 2019, The Illinois Supreme Court ruled that violations of the Illinois Biometric Information Privacy Act (“BIPA”), the toughest privacy law in the nation, did not require actual damages to be shown by workers or customers, but that very serious damages were presumed where violations occur, up to $1,000/$5,000 per person per incident. Under the BIPA, collection of biometric information, often in the form of fingerprints, retina, hand scans, facial geometry, voiceprint or handprint scans, are strictly regulated. Companies cannot collect biometric information unless the person agrees to have it taken and stored, they are fully informed of the purpose of collection and they have signed a document stating that they understand the concept and risks.
Companies should eliminate unnecessary collection of biometric information and/or consider alternatives, and then adopt policies that set forth the purpose for which biometric information is being collected; where applicable, disclose where biometric information will be shared with service providers or other third parties; and adopt a biometric information retention schedule and guidelines for permanently destroying such information. Companies should also make this policy publicly available, such as in a privacy policy or a biometric information policy on their websites. A number of class actions are pending in Cook County, and will be spreading to other counties and increasing exponentially after this ruling. The floodgates are opening.
If you have questions on how to address these new developments, let us know.