Illinois Biometric Privacy Law Developments May Increase Risk to Businesses Generally But Protect Healthcare Employers from Suits

On Friday, February 17, the Illinois Supreme Court ruled that Biometric Information Privacy Act (BIPA) claims accrue each time a biometric identifier is unlawfully collected and disclosed rather than simply the first time. Enacted in 2008, BIPA regulates the collection use, safeguarding, handling, storage, retention and destruction of biometric identifiers, which includes, among other things, fingerprints. The Court’s ruling is expect to increase Illinois' already heavy privacy docket.  In the 4-3 opinion, the Court concluded that in order for the employer-defendant’s use of fingerprint identification technology to work, the employee’s fingerprint must be collected upon every new scan. The decision prevented the employer from fully escaping the employee’s accusation that the employer has repeatedly violated BIPA since the law went into effect in 2008.

In addition, on January 18, 2023, the Illinois General Assembly filed a new Bill (HB 1230), which if passed, will amend BIPA to carve out an exemption for healthcare employers, protecting them from the pervasive BIPA lawsuits that have tied up courts and businesses for years. As Illinois law requires healthcare organizations to perform fingerprint-based background checks on their employees, these organizations may be particularly vulnerable to BIPA lawsuits by keeping employee records on file. Although BIPA already has a healthcare exemption, the Illinois Supreme Court ruled in 2022 that the existing patient data exemption does not apply to employee data. If successful, HB 1230 would help narrow the broad scope of BIPA and shield healthcare employers from biometric privacy lawsuits.

Under the Bill, healthcare employers whose employees submit fingerprint-based background checks under the Health Care Worker Background Check Act (HCWBCA) will be exempt from BIPA regulations as long as the employer processes employee biometric data solely for employment or fraud prevention purposes and maintains a documented process to delete employee biometric data. Healthcare employers, as defined by the HCWBCA, includes many types of healthcare organizations such as owners or licensees of hospitals, nurse agencies, hospice care programs, home services agencies, and community living facilities. As of February 14, 2023, the Bill has been assigned to the Civil Procedure and Tort Liability Subcommittee. A Civil Committee hearing is scheduled for February 22, 2023.

As organizations continue to urge the Illinois legislature to update and amend BIPA, nine other states have introduced biometric privacy legislation. Illinois, Texas, and Washington remain the only states with active biometric privacy laws. While Illinois is the only state that currently grants consumers a private right of action under its biometric privacy law, eight other states currently have active biometric privacy bills that would do the same: Arizona, Hawaii, Maryland, Massachusetts, Minnesota, Missouri, New York, and Tennessee. Vermont also has an active biometric privacy bill, but it does not grant consumers a private right of action.

Should you have any questions regarding the impact of HB 1230 or any pending biometric privacy legislation on your business, or any compliance obligations it creates, please reach out to David A. Wheeler, Laura K. Russell, or your NGE attorney.