
Biometric Information Protection Act: How can we become compliant?

We have had our timeclock system for years. We've never heard of the BIPA law (which I realize is no excuse). How does that work since we already have this system set up and are already utilizing employees' fingerprints to clock in/out? Do we simply have them sign a written consent acknowledging the BIPA regulations after the fact?

Probably. Here is advice from a reputable site: https://www.natlawreview.com/article/under-illinois-biometric-information-privacy-law-actual-harm-not-required-to-sue

If they have not already done so, companies should immediately take steps to comply with the statute. That is, they should review their time management, point of purchase, physical security, or other systems that obtain, use, or disclose biometric information (any information, regardless of how it is captured, converted, stored, or shared, based on an individual's retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry used to identify an individual) against the requirements under the BIPA. In the event they find technical or procedural gaps in compliance – such as not providing written notice, obtaining a release from the subject of the biometric information, obtaining consent to provide biometric information to a third party, or maintaining a policy and guidelines for the retention and destruction of biometric information – they need to quickly remedy those gaps. For additional information on complying with the BIPA, please see our BIPA FAQs.

Also, this is our timeclock system. If a current employee decides they do not want to sign the form – can this be a condition of employment, or do we have to accommodate them without utilizing the biometric identification?

The IL law actually says “as a condition of employment”. Some states do not allow adverse action to be taken against employees who refuse to sign a consent. However, this article provides an argument for having an alternate accommodation for EEOC protected reasons if you have 15+ employees. https://newfocushr.com/2018/07/12/biometric-authentication-workplace/

Here are some other legal sites with FAQs and court cases surrounding BIPA.

Sample Consent

As of January 2019, there are three states with laws to look out for:

  • Illinois
  • Texas
  • Washington

Illinois Biometric Information Privacy Act

Illinois passed a specific biometric privacy law before any other state. It's the archetype of biometric privacy laws that other states – Texas and Washington – would draw upon later.

The Illinois Biometric Information Privacy Act (BIPA) refers to biometric data as the following:

  • Retina scan
  • Iris scan
  • Fingerprint
  • Voiceprint
  • Hand scan
  • Face geometry

It doesn’t include things like demographic data, physical descriptions, writing samples or photographs.

The law is long and sweeping, with five main requirements.

  1. Businesses must achieve informed consent before collecting biometric data.
  2. Businesses have limited rights for disclosure.
  3. Businesses may not profit from biometric data.
  4. Businesses must protect and retain the data according to the statute.
  5. Individuals harmed by a violation of the law may receive $1,000 per negligent violation or $5,000 per intentional violation through a private right of action.

Illinois passed BIPA in 2008, but it meant little until five class action lawsuits were filed in 2015 against businesses that had violated the law.

Although the law has been on the books for a decade, it’s continuing to evolve. If you do business and work with biometrics in Illinois, it’s imperative to continue watching these changes.

As a rule, businesses find that it’s prudent to collect only the necessary biometric information and retention should not continue longer than required for a specific business purpose. Businesses also need a plan for storing, protecting, and sharing biometric information. The plan should be formally enacted with the administrative, physical, and technical safeguards for caring for the data all in place.

Texas Business and Commerce Code – BUS & COM 503.001 Capture or Use of Biometric Identifier

The Texas law offers the same foundation as the Illinois law. It also includes only eye, face, finger, hand, or voice scans and relies on consent prior to the collection of the biometric data.

This law began in 2009 and requires businesses to:

  • Refrain from selling, leasing, or disclosing biometric information without consent
  • Store and protect identifying information from disclosure
  • Destroy the information no later than the first anniversary of the date the information was collected unless otherwise specified

The law applies to anyone who uses the identifiers for "commercial purposes," but the law does not elaborate on what it means by "commercial purposes."

Washington House Bill 1493 (2017)

Washington State’s biometrics law was signed into effect on May 16, 2017. It applies to individuals and non-government entities (businesses) and regulates the way those parties are able to collect, store, and use biometric identifiers.

Anyone in Washington is prohibited from “enrolling a biometric identifier in a database for a commercial purpose, without first providing notice, obtaining consent, or providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose.”

Washington’s law is similar to both the archetypal law in Illinois and the later law in Texas in the way it regulates collecting, using, and retaining data. The primary difference is that Washington does not offer a private right of action in its law. Illinois does offer this remedy but Texas does not.

I hope this helps. It’s a super hot topic.
