One of the hotter business trends in the past few years has been the use of biometric information to identify and monitor employees and customers. Among other benefits, fingerprints, facial recognition or retinal scans allow companies to do away with passwords, ensure that employees do not clock into work for one another and personalize customer experiences. However, companies wishing to enter the brave new world of biometrics need to be aware of Illinois’ legal restrictions on the collection and use of this type of data.

On September 28, 2018, an Illinois appellate court issued a ruling allowing Klaudia Sekura to sue the tanning salon she frequented for violations of the Illinois Biometric Information Privacy Act (BIPA). BIPA is a law that requires businesses that collect and store biometric information to notify the employee or customer about the practice before collecting the information, obtain consent from the employee or customer, take reasonable measures to protect any information collected and establish a biometric information destruction schedule. BIPA also prohibits businesses from selling or trading biometric information, or even from transferring biometric information without consent. 

In her lawsuit, Sekura alleged that the tanning salon had not provided a notification about its biometric information collection practices and that it had illegally transferring a scan of her fingerprints to a third-party vendor. The appellate court for Cook County, Illinois ruled that a trial court had correctly denied the tanning salon’s motion to dismiss Sekura’s complaint, holding that even though Sekura did not claim to have sustained any injury from the salon’s practices, the transfer of her biometric information to a third-party vendor was a sufficient adverse action to allow the suit to proceed. In doing so, the appellate court rejected a contrary ruling by another appellate court sitting in another part of Illinois. Sekura will now move forward with her class action lawsuit. Under BIPA, even if Sekura is unable to show any harm aside from the transfer, she may be entitled to a statutory award of $1,000, plus attorneys’ fees. When you multiply that amount by each participant in a class action lawsuit, it is easy to see how damaging even an innocent violation of BIPA can be to your company.

So what’s the takeaway? If you operate a business that wishes to use biometric information from customers or employees, familiarize yourself with BIPA and make sure that your company fully follows all relevant provisions. Under the Sekura ruling, your company will be on the hook even if a customer or employee does not suffer any quantifiable harm. 

Links to the BIPA and the Sekura decision follow:

http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57

http://www.illinoiscourts.gov/Opinions/AppellateCourt/2018/1stDistrict/1180175.pdf