The Dangers Of The BIPA Rollercoaster

Why are the fingerprints of a 14-year-old boy taken at Six Flags Great America causing Illinois employers to immediately review their privacy policies or risk facing civil lawsuits?

In January, the Illinois Supreme Court ruled that the amusement park violated the state’s Biometric Information Privacy Act (BIPA) when it failed to obtain a written release from the boy or his parents, and did not inform them about the purpose and length of retention of the fingerprint data. Rosenbach v. Six Flags Entertainment Corporation, 2019 IL 123186 (Ill. Jan. 25, 2019). Notably, the boy had not suffered any actual monetary damages.

Biometric technology is gaining popularity as a way to verify employee identity, whether for timekeeping, building access, etc. However, with the heightened convenience to the employer comes an increased concern by employees about violations of their privacy rights. A violation under BIPA entitles a plaintiff to at least $1000 in damages each time biometric data is collected or stored without notice and consent.

The decision in Rosenbach is particularly dangerous because the court held that a plaintiff does not have to demonstrate that their private biometric information was actually released or their privacy violated. As a result, dozens of class action suits have been filed in Illinois under BIPA since January seeking injunctive relief and statutory penalties for alleged infractions, including improper collection, storage or use of biometric information and inadequate maintenance of biometric information. Some of the larger payroll companies which use biometric timeclocks may advise that they do not actually collect or store employee fingerprints, but rather convert biometric data to encrypted mathematical images. Nonetheless, because the Illinois courts have set such a low threshold of proof, employers should still implement or revise their privacy policies as soon as possible to ensure they are BIPA compliant.

It is relatively easy for an employer to comply with BIPA:
1. Develop and distribute a written policy that establishes a retention schedule and guidelines for permanent destruction of the biometric data;
2. Provide information in writing and obtain a release before collecting the biometric info;
3. Safely store and prevent disclosure of biometric data to unauthorized third parties; and
4. Destroy the information where there is no longer a reason to keep it, or within 3 years of the individual’s last interaction with you, whichever comes first.

For more information on BIPA compliance, contact Leslie Morse, Esq. at

Photo credit: Stephen Hateley, Unsplash