What is BIPA and how best to comply with the law?

SCHAUMBURG—Fingerprints, retina scans, voice, and facial recognition are all available and easily accessible in the mid-2020s. More and more, small and mid-sized Illinois businesses are tapping into quickly developing biometric technology to provide accurate payroll and benefit accounting for their employees.

Along with this biometric technology comes a new, unchartered territory of privacy, security, and rights being tested in state and federal courts.

Illinois was the first state in the nation to set into statutes guidelines for protecting biometric data privacy. In 2008, then-Governor Rod Blagojevich signed the Biometric Information Privacy Act (BIPA) into law after passing the General Assembly with little opposition.

The Biometric Information Protection Act prohibits the unauthorized collection, use, or storage of biometric data and provides private legal action for those that believe certain data collection has threatened their privacy. Data collectors must notify the person whose information is being gathered of the intended collection, the reason for that data collection, and acquire written consent of the person whose information is being gathered.

Although well-intentioned to protect privacy, no plaintiffs tested the law until 2016. When state lawmakers attempted to smooth the law’s application after that attempt, the suits diminished until they re-appeared in 2019. When the fines began growing into the billions, the appealed cases made their way up to the Illinois Supreme Court level, where a decision rendered in 2023. That decision the Supreme Court tossed back to the Illinois General Assembly with a plea to clarify BIPA’s legislative intent on a couple of what they determined were vague points.

While large corporations tap into their legal and HR departments to address such confusing situations, members of the Technology & Manufacturing Association, (which employs less than 500 per company) are compelled to hire legal and HR experts on a per-hour basis to deal with the issues.

TMA Addresses BIPA Compliance 

With that defining reality in mind, TMA organized an information meeting to help their members comply with BIPA policy. HR attorney Jeralyn Baran shared a form she constructed, “Best Employment Practices for BIPA Compliance,” with attendees.

TMA state capitol lobbyist David Curtin updated the TMA members on the latest General Assembly movements on BIPA, and Phil Melin, executive director of CALA-IL, provided a background on the law.

Best Employment Practices for BIPA Compliance

What is BIPA?

Enacted in the state of Illinois in 2008, the Biometric Information Privacy Act (BIPA) regulates the collection, use, and storage of biometric information – such as fingerprints, iris scans, and facial recognition data. The law requires employers to obtain informed written consent from employees before collecting their biometric data and to provide certain disclosures about how the data will be used and stored.

Best Compliance Practices for Illinois Manufacturers:

  • Determine whether you are collecting biometric identifiers or biometric information.
  • Develop a written publicly available BIPA Policy, establishing a retention schedule and guidelines for permanently destroying data; publish on website.
  • Prepare a BIPA notice and provide to employees before first collection.
  • Obtain written release from each employee.
  • Limit access to and safeguard collected data.
  • Do not sell or profit from collected data.
  • Audit notification, collection, storage, and destruction processes.
  • If engaging temporary staffing companies or payroll vendors, review contracts for indemnification provisions.
  • Review insurance policies for BIPA coverage.
  • Retain data for no more than 3 years from last collection or from when the purpose of initial collection has been satisfied, whichever is sooner; securely and permanently destroy the collected data.

For more information about BIPA and how to comply with the law, contact Jeri Baran at jbaran@ktslaw.com 

The Technology & Manufacturing Association has actively pursued clarification concerning the Biometric Information Protection Act for our members since TMA first learned about members who were being sued by their employees – and learning that those employees had been pursued by trial attorneys to represent them in the cases. 

For how TMA has been involved, see the following stories found HERE: https://tmanews.com/?s=BIPA