Illinois Appellate Court Imposes Strict Timeline for Retention and Destruction of Biometric Data
December 9, 2022
In 2014, defendant, J&M Plating, began collecting and retaining employee fingerprints for time-keeping purposes, including the fingerprints of plaintiff, Trinidad Mora. Nearly four years later, J&M Plating developed and published written retention and destruction policies for the fingerprint data pursuant to the requirements of the Illinois Biometric Information Privacy Act (BIPA). Mora’s employment was terminated in 2021, and his biometric data was destroyed in accordance with the 2018 policies.
Mora commenced a putative class action against his former employer alleging that J&M Plating violated BIPA by collecting his fingerprints prior to developing retention and destruction policies. J&M Plating moved for summary judgment, arguing that BIPA did not contain any language mandating specific timing requirements for adopting these policies. Further, J&M Plating asserted that Mora was unharmed by this delay, as Mora’s data was properly destroyed two weeks following his termination. The trial court granted J&M Plating’s motion, but the appellate court reversed the decision. The Second District Appellate Court reasoned that publishing policies post-collection is inconsistent with the Act’s “preventative and deterrent purposes.”
Retroactive policy creation prevents individuals from learning what will happen to their data before deciding whether to consent to biometric data collection, which defeats the Act’s notification function. Notably, the Appellate Court’s decision effectively introduces a strict liability standard to BIPA litigation, allowing a litigant to bring a claim without a showing of actual harm. While this is a welcome development for plaintiffs, private entities must now exercise caution when collecting biometric data and ensure that compliant policies are in place before collection.
Bond attorneys regularly assist and advise clients on an array of data privacy and cybersecurity matters, including the development of internal data use policies. If you have any questions about BIPA compliance or data destruction schedules, please contact Jessica Copeland, CIPP/US, Mario Ayoub, or any attorney in Bond's cybersecurity and data privacy practice.