ARTICLE
19 December 2022

Illinois Appellate Court Weighs In On Biometric Data Policies

SM
Sheppard, Mullin, Richter & Hampton LLP

Contributor

Sheppard, Mullin, Richter & Hampton LLP logo
Businesses turn to Sheppard to deliver sophisticated counsel to help clients move ahead. With more than 1,200 lawyers located in 16 offices worldwide, our client-centered approach is grounded in nearly a century of building enduring relationships on trust and collaboration. Our broad and diversified practices serve global clients—from startups to Fortune 500 companies—at every stage of the business cycle, including high-stakes litigation, complex transactions, sophisticated financings and regulatory issues. With leading edge technologies and innovation behind our team, we pride ourselves on being a strategic partner to our clients.
Explore Firm Details
An Illinois state appellate court's recent ruling will impact how companies consider compliance with Illinois' Biometric Information Privacy Act (BIPA).
United States Illinois Privacy
David M. Poell and Kari M. Rollins
Your Author LinkedIn Connections
Sheppard, Mullin, Richter & Hampton LLP are most popular:
  • within Cannabis & Hemp and Insolvency/Bankruptcy/Re-Structuring topic(s)

An Illinois state appellate court's recent ruling will impact how companies consider compliance with Illinois' Biometric Information Privacy Act (BIPA). That court ruled companies must have a BIPA-compliant written retention-and-destruction policy in place before collecting and possessing biometric data. The decision makes clear that mere possession of biometric data triggers the duty to develop the necessary written BIPA policy. In relevant part, under BIPA's section 15(a), companies must establish a written, publicly-available policy that governs their retention and destruction of biometric data.

The plaintiff in the case (Mora v. J&M Plating, Inc.) began clocking into his job via biometric fingerprint scan in September 2014. His company, however, did not implement a biometric data policy until May 2018. On these facts, the trial court granted summary judgment for defendant. The trial court found that Section 15(a) established no time limit for the implementation of a BIPA policy and therefore concluded defendant's implementation of a BIPA policy in 2018, four years after initial collection, satisfied Section 15(a).

The appellate court reversed the decision on appeal. According to the appellate court, the 2014 collection of plaintiff's biometric data triggered defendant's duty to implement a written policy. Putting it in place four years later was insufficient to retroactively shield defendant's otherwise non-compliant collection of plaintiff's biometric information from 2014 to 2018. There is still an opportunity for the defendant to appeal to the Illinois Supreme Court, and the decision is not binding outside of Illinois's second appellate district.

Putting Into Practice: This case suggests that -at least in one Illinois jurisdiction- companies will need to have a written retention-and-destruction policy in place for biometric data before collecting such information. Doing so will minimize risk under Section 15(a) of BIPA.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]
Authors
Photo of David M. Poell
David M. Poell
Photo of Kari M. Rollins
Kari M. Rollins
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More