The Illinois Supreme Court found that claims under the Illinois Biometric Information Privacy Act (BIPA) accrue at each alleged violation, not just at the first unlawful scan or transmission. The decision was made on February 17, 2023.
Private Right of Action
Illinois adopted BIPA in 2008 to regulate the use and storage of biometric identifiers. BIPA defines “biometric identifier” as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”
BIPA allows any person “aggrieved” by a BIPA violation to sue “offending parties.” In its ruling, the Illinois Supreme Court held that a separate claim accrues under BIPA each time a private entity scans or transmits an individual’s biometric identifier or information without prior informed consent because each claim is “no less true with each subsequent scan or collection.”
The defendants argued that allowing a claim for each violation instead of just an initial violation would “result in punitive and ‘astronomical’ damage awards that would constitute ‘annihilative liability’ not contemplated by the legislature and possibly be unconstitutional.” However, the court found that “where statutory language is clear, it must be given effect, ‘even though the consequences may be harsh, unjust, absurd or unwise.’”
What does this mean for employers?
Given the increased possibility of BIPA violation claims, this court decision is a clear warning that private entities—including employers that use fingerprint time clocks or other employee biometric access procedures—should evaluate their compliance with BIPA.
In addition, private entities should update their policies and procedures as necessary to ensure informed consent is obtained prior to collecting, storing, transmitting or using biometric identifiers.
Material posted on this website is for informational purposes only and does not constitute a legal opinion or medical advice. Contact your legal representative or medical professional for information specific to your legal or medical needs.