BIPA Enforcement Accelerates
The Illinois Biometric Information Privacy Act has become the source of some of the largest class action settlements in privacy law history. With per-violation damages ranging from $1,000 to $5,000, a single company-wide practice of collecting biometric identifiers without consent can generate exposure of hundreds of millions of dollars.
What Constitutes a Biometric Identifier
Courts have broadly interpreted BIPA to cover facial geometry scans, fingerprints, voiceprints, iris or retina scans, and any scan of hand or face geometry. Time-and-attendance systems, visitor management platforms, and employee wellness apps have all been found to collect covered data.
Compliance Checklist
Organizations should (1) conduct a full audit of all biometric data collection points, (2) implement written retention schedules and deletion protocols, (3) obtain written consent before any biometric data collection, and (4) train HR and IT staff on compliance obligations.