Norton Rose Fulbright - Data Protection Report blog

On November 30, 2022, an Illinois court of appeals ruled that Illinois’ biometrics privacy law—known as BIPA—requires that anyone subject to that law must develop a retention and destruction schedule when it possesses biometric data.  In this case, the court found that the employer (J&M Plating Inc.) violated BIPA because it did not create its retention and destruction schedule until four years after it possessed employees’ fingerprint data.  Notably, the Court did not find that J&M Plating had over-retained the fingerprint data or that the policy was not in place before it had to make any retention decisions.


The Illinois law governs private employers’ uses of biometrics and includes a private right of action.  As we have previously written, since its enactment in 2008, BIPA has been one of the most litigated privacy-related laws with some of the highest penalties.  The portion of BIPA at issue in this case was section 15(a), which reads in part:

“A private entity in possession of biometric identifiers or biometric information must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual’s last interaction with the private entity, whichever occurs first.”

Section 15(b) requires that the private entity must, prior to collection, provide written notice that biometric information is being collected, provide written information about the specific purpose and length of term for which the biometric information is being collected, stored, and used, and receive a written release for the collection from the data subject or the data subject’s representative.

The timeline of this matter is:

  • July 2, 2014                Plaintiff began working for J&M
  • September 2014         J&M began requiring employees to use a fingerprint scanner to clock in
  • May 2018                    J&M established written retention and destruction schedule
  • May 22, 2018              Plaintiff acknowledged receipt of the policy and consented to defendant’s collection and use of his biometric data.
  • January 7, 2021          J&M terminated plaintiff’s employment
  • January 21, 2021        J&M deleted plaintiff’s biometric records

The Court Rulings

The plaintiff then sued J&M in state court, claiming that the four-year gap between collection of his fingerprints and the creation of the written retention and destruction schedule violated BIPA.  The trial court disagreed, and instead granted J&M’s motion to dismiss, on the grounds that BIPA did not include a time limit for the creation of the schedule.  The court of appeals reversed and remanded.

The appellate court reviewed Section 15(a) and concluded that the trigger for creation of the written retention and destruction schedule was the entity’s possession of biometric data.  The court found that Section 15(b)’s requirement of prior notice was consistent with the court’s conclusion.  The court also rejected J&M’s argument that the plaintiff had not shown any harm, pointing out that the statute does not require the plaintiff prove damages.

Our Take

The court’s ruling indicates that the mere failure to have a retention schedule – regardless of whether there is evidence of over-retention of biometric data, which is not assessed in the ruling – is a violation of BIPA.  This is a departure from our previous posts where regulators have fined companies for over-retention of data, focusing on the retention schedule as a means for evaluating over-retention and taking steps to dispose of data.  Instead, this case found J&M liable under BIPA simply because the employer simply did not have a policy when it collected and stored the biometric data, in accordance with Section 15(a) of BIPA.

Notably, it does not appear that the court contemplates that BIPA affords the ability for companies to “cure” a violation by implementing a retention schedule at a later date, even if the company obtains employee consent as J&M did here.  Instead, companies that collect biometric data and are covered by BIPA are expected to develop a retention schedule “upon possession of biometric data.”  Companies that collect–or anticipate collecting–biometric data should take steps to evaluate their retention policies and schedule, and ensure they are published prior to the collection of biometric data and are otherwise up-to-date for all persons from whom they may collect biometric data, including employees.