BIPA in Illinois: Navigating Compliance with Workforce Management Technology

The Foundation and Framework of BIPA

The Illinois Biometric Information Privacy Act (BIPA), enacted in 2008, is the most formidable biometric privacy law in the United States. For Illinois businesses, especially those using modern workforce management technology like biometric timeclocks, understanding BIPA is not just good practice—it's a critical defense against devastating financial liability. Its stringent rules and a powerful private right of action mean that even simple technical mistakes can trigger costly lawsuits.

The Genesis and Intent of BIPA

BIPA was born from a real-world threat. The Illinois General Assembly passed the Act in response to the bankruptcy of a company called Pay By Touch, which used fingerprints for payment authentication. Its failure sparked fears that its massive database of biometric data—which, unlike a password, can never be changed—could be sold off as a simple asset. This event highlighted that biometric data is unique and permanent. Once compromised, an individual is at a perpetual risk of identity theft.

The law's intent was not to ban biometric technology but to ensure individuals remain in control of their unique data. What makes BIPA so potent is its private right of action. Any person "aggrieved" by a violation can file a lawsuit for statutory damages, and courts have affirmed that a plaintiff doesn't need to prove actual harm like financial loss. The mere violation of the law is the injury, creating fertile ground for class-action lawsuits.

Deconstructing BIPA's Core Mandates (Section 15)

Section 15 of BIPA is the operational heart of the law, outlining the non-negotiable duties for any private entity handling biometric data. Compliance starts with understanding what "biometric data" is. The law defines a "biometric identifier" as a retina or iris scan, fingerprint, voiceprint, or a scan of hand or face geometry. "Biometric information" is any information based on an identifier that's used to identify someone—like the encrypted data template created from a facial scan.

Here are the core pillars of BIPA compliance:

• Publicly Available Written Policy (Sec. 15(a)): You must develop and publicly post (e.g., on your website) a written policy outlining your retention schedule and guidelines for permanently destroying biometric data.
• Data Retention and Destruction (Sec. 15(a)): You cannot keep biometric data forever. It must be destroyed when the initial purpose for collection is fulfilled (e.g., an employee is terminated) or within 3 years of the individual's last interaction with your company—whichever comes first.
• Informed Consent Before Collection (Sec. 15(b)): Before you collect any biometric data, you must:
  1. Inform the person in writing that their data is being collected.
  2. State the specific purpose and length of term for the collection and use.
  3. Obtain a written release (which, thanks to the 2024 amendment, now explicitly includes electronic signatures) from the person.
• Prohibition on Profiting (Sec. 15(c)): You cannot sell, lease, trade, or otherwise profit from an individual's biometric data.
• Restrictions on Disclosure (Sec. 15(d)): You cannot disclose biometric data to third parties unless you have consent for that specific disclosure or meet one of a few narrow exceptions (e.g., required by law). This is crucial when using a third-party vendor like a timeclock provider.
• Data Security (Sec. 15(e)): You must use a "reasonable standard of care" to store, transmit, and protect biometric data from disclosure, applying security measures at least as protective as those you use for other sensitive data like Social Security numbers.

The High-Stakes World of BIPA Litigation

For years, BIPA was a little-known law. That changed dramatically with a series of Illinois Supreme Court rulings that expanded its power and created a tidal wave of class-action lawsuits against businesses.

Key Rulings That Defined a Decade of Risk

• Rosenbach v. Six Flags (2019): The court ruled that a plaintiff does not need to show actual harm (like identity theft) to sue. A simple procedural violation—like collecting a fingerprint without proper consent—is the injury. This decision opened the floodgates for litigation.
• McDonald v. Symphony Bronzeville Park (2022): The court decided that BIPA claims are not barred by the Illinois Workers' Compensation Act. This eliminated a key defense for employers, confirming they could be sued directly by their employees for BIPA violations.
• Tims v. Black Horse Carriers (2023): The court established a five-year statute of limitations for all BIPA claims, significantly expanding the look-back period for which a company could be held liable for past compliance failures.

The Billion-Dollar Question: Cothron v. White Castle

The most alarming ruling for businesses came in Cothron v. White Castle (2023). The court was asked whether a BIPA violation occurs only at the first improper scan or with every single scan. In a landmark decision, the court held that a new claim accrues with each and every scan or disclosure. This "per-scan liability" interpretation created the risk of what the court itself called "annihilative" damages. For example, White Castle calculated its potential liability at over $17 billion. This ruling made it nearly impossible for companies to risk a trial and was the direct catalyst for the 2024 legislative amendment.

The Shared Burden: Vendor Liability

Plaintiffs soon began targeting not just employers but also the technology vendors who supply biometric systems, like timeclock providers. Courts have found that vendors who design the systems, process the biometric templates, and store the data on their servers can be considered to "collect" and "possess" the data, making them independently liable under BIPA. This established a system of shared liability, making comprehensive vendor due diligence and strong contractual protections more critical than ever.

A New Paradigm: The August 2024 BIPA Amendment

Responding to the risk of "ruinous" liability created by the Cothron decision, the Illinois legislature passed Senate Bill 2979, which was signed into law on August 2, 2024. This amendment fundamentally rebalanced the BIPA risk equation for businesses.

Reversing the Tide: From Per-Scan to Per-Person Damages

The most important change is the direct reversal of the Cothron ruling. The amendment introduces a "single violation" rule. It clarifies that collecting the same biometric identifier from the same person using the same method multiple times counts as only a single violation. This means an employee who scans their fingerprint 1,000 times without proper consent can now only generate one claim for statutory damages ($1,000 for negligent, $5,000 for reckless/intentional), not 1,000 separate claims. While still substantial in a class-action context, this removes the existential threat of multi-billion-dollar judgments for a single oversight.

Modernizing Consent: Codifying Electronic Signatures

The amendment also provided a crucial update by officially adding "electronic signature" to the definition of a "written release." This resolves long-standing ambiguity and gives businesses clear legal authority to use modern, digital workflows—such as HR onboarding systems or e-signature platforms—to obtain and manage BIPA consents. This streamlines compliance and creates a more robust, auditable trail of consent.

Case Study: TimeTrex Workforce Management Under the BIPA Microscope

To see how BIPA applies in the real world, let's analyze TimeTrex's workforce management software, which includes a biometric facial recognition timeclock feature.

Analyzing the Technology

TimeTrex's facial recognition system is designed to "eliminate buddy punching" by verifying an employee's identity with a quick scan. This process collects a "scan of face geometry," which is a "biometric identifier" under BIPA. TimeTrex states that this data is converted into encrypted digital codes, not stored as photos. While this is a strong security measure, these encrypted codes are still "biometric information" under BIPA because they are based on an identifier and used for identification. Therefore, all BIPA rules apply.

Because TimeTrex is a cloud-based service, the biometric information is transmitted to TimeTrex's servers. This is a "disclosure" under BIPA and requires specific employee consent. The employer and TimeTrex share responsibility for compliance.

Evaluating TimeTrex's BIPA Compliance Framework

TimeTrex demonstrates a sophisticated understanding of BIPA by providing customers with a "Biometric Information Privacy Policy" template and a "Biometric Information Privacy Release Form." These documents are designed to help employers meet BIPA's core requirements, including notice, consent, purpose limitation, and data destruction rules. The release form correctly includes a section where the employee can authorize the disclosure of their data to TimeTrex as the vendor.

However, these are templates. Their existence alone does not guarantee compliance. The employer is still responsible for correctly implementing the policy and obtaining consent from every employee before the first scan.

Strategic Recommendations for BIPA Compliance

Even with the 2024 amendment, BIPA compliance remains critical. A proactive and well-documented program is your best defense.

1. Build a Foundational BIPA Compliance Program

• Policy: Develop a clear, public BIPA policy detailing what you collect, why, and your retention/destruction schedule.
• Consent: Use the new law to your advantage. Integrate an electronic consent form into your digital onboarding process. Make it a mandatory, non-skippable step before any employee is enrolled in a biometric system.
• Lifecycle Management: Don't just collect and forget. Implement a reliable, auditable process to enforce your data destruction policy. Track employee separation dates and send formal destruction requests to your vendor. Keep records of everything.

2. Conduct Rigorous Vendor Due Diligence

• Vetting: Go beyond marketing claims. Demand detailed documentation on your vendor's security architecture, encryption methods, and data handling policies. A vendor like TimeTrex that provides BIPA-specific documentation is a good start.
• Contractual Safeguards: Your service agreement is your legal shield. Insist on a strong indemnification clause requiring the vendor to cover costs arising from their negligence or security failures. A detailed Data Processing Addendum (DPA) is also essential.

3. Audit, Train, and Maintain

• Audits: Periodically audit your BIPA program. Check that consent forms are on file for every user and that your data destruction process is working.
• Training: Train HR staff and managers on the absolute importance of getting consent before enrollment. They must understand the process and know that they cannot penalize an employee for refusing consent.
• Stay Informed: BIPA law continues to evolve. Assign someone to monitor legal developments to ensure your program remains compliant.