Illinois BIPA

Subscribe to Illinois BIPA via RSS

This article was originally published by IAPP linked here.

When monitoring employees in the workplace in the U.S. and Canada, employers must be cognizant of their obligations under employment and data privacy laws. 

In the US, employers can mostly negate privacy expectations from developing in the workplace by providing clear notice of monitoring practices and which notice is required in certain states, such as New York. But under the California Consumer Privacy Act, data minimization requirements apply and monitoring practices must be justifiable as necessary and proportionate.

In Canada, employers are required to balance operational needs such as safety, security and productivity, with the privacy rights of their employees. Monitoring should be reasonable, proportionate and tied to a legitimate business purpose. Organizations must comply with applicable federal or provincial privacy legislation, which can include safeguarding any employee personal information collected, obtaining employee consent in certain circumstances, and providing notice to employees of monitoring practices. 

For federally regulated private-sector employers — such as banks, airlines and telecommunications companies — employee monitoring is generally governed by the Personal Information Protection and Electronic Documents Act. Provinces that have enacted privacy laws deemed “substantially similar” to PIPEDA are exempt from its collection, use and disclosure provisions under section 26(2)(b). Presently, only Alberta, British Columbia and Québec have privacy legislation that is substantially similar to PIPEDA.

US: A patchwork of requirements apply to employers

At the federal level in the U.S., employee monitoring is primarily governed by the Electronic Communications Privacy Act and the Stored Communications Act, which permit monitoring for legitimate business purposes but impose strict limits on unauthorized interception and access to private communications. Further, employers must conduct all workplace monitoring and surveillance in compliance with federal, state and local anti-discrimination laws. And, all employers, even those with a nonunionized workforce, must comply with the National Labor Relations Act when conducting workplace monitoring and surveillance. Continue Reading Employee Monitoring in the US and Canada: What Employers Need to Know

Following the Illinois’ Supreme Court’s decision in Cothron v. White Castle System, Inc., the Illinois legislature amended the Biometric Information Privacy Act (BIPA), which the governor signed into law as Public Act 103-0769 on August 2, 2024. Public Act 103-0769 clarified that multiple BIPA violations against the same person using the same method, constitute

The Illinois Supreme Court just handed union employers with broad management rights clauses in their collective bargaining agreements (CBA) a win. On March 23, 2023 the Illinois Supreme Court affirmatively answered a certified question (Does Section 301 of the Labor Management Relations Act preempt BIPA claims asserted by bargaining unit employees covered by a collective

Employers will now have to contend with a five-year statute of limitations for all employee claims under the Illinois Biometric Information Privacy Act (BIPA). On February 2, 2023, in Tims v. Black Horse Carriers, the Illinois Supreme Court held that a five-year statute of limitations applies to all BIPA claims—even those that are tied to the publication of an individual’s data and could presumably be subject to a one-year limitations period “for publication of matter violating the right of privacy.” The Court held that the legislative intent and purpose of BIPA, and the fact that BIPA does not have its own statute of limitations, favor all BIPA claims being subject to the state’s “catchall” five-year limitations period.

What happened

Plaintiff Tims filed a class-action complaint against his former employer, Black Horse, alleging that Black Horse violated section 15(a) of BIPA (providing for the retention and deletion of biometric information), and sections 15(b) and 15(d) of BIPA (providing for the consensual collection and disclosure of biometric identifiers and biometric information). Specifically, Tims alleged that Black Horse required its employees to use a fingerprint authentication time clock, and that Black Horse violated BIPA because it (1) failed to institute, maintain, and adhere to a publicly available biometric information retention and destruction policy required under section 15(a); (2) failed to provide notice and to obtain employees’ consent when collecting their biometrics, in violation of section 15(b); and (3) disclosed or otherwise disseminated employees’ biometric information to third parties without consent in violation of section 15(d).

Black Horse moved to dismiss the complaint as untimely, arguing that it was barred by the one-year statute of limitations in section 13-201 of the Illinois Code of Civil Procedure (Code). Black Horse argued that claims brought under BIPA concern violations of privacy, therefore the one-year limitations period in section 13-201 governing actions for the “publication of matter violating the right of privacy” should apply to such BIPA claims.

The circuit court rejected Black Horse’s argument, and denied the motion to dismiss. In doing so, the court held that violations of all three sections of BIPA were subject to Illinois’ “catchall” five-year limitations period in section 13-205 of the Code.

The appellate court, however, distinguished the applicable statute of limitations under BIPA based on the type of violation alleged. It held that violations of section 15(c) (prohibiting the sale, lease, trade or other profit from biometric information) and 15(d) (prohibiting the disclosure, redisclosure or dissemination of biometric information) were subject to the one-year limitations period in section 13-201 of the Code, while violations of section 15(a) (requiring a written policy with a retention schedule and guidelines for destroying biometric information), 15(b) (requiring notice and the specific purpose and length of collection of biometric information prior to collection), and 15(e) (requiring confidentiality and protective measures in the storage and transmission of biometric information) were subject to the five-year “catchall” limitations period in section 13-205.Continue Reading One Limitations Period for All: Illinois Supreme Court Holds All Claims Under BIPA Have a Five-Year Statute of Limitations

As detailed in prior posts, in January, the Illinois Supreme Court held that a plaintiff need not plead an actual injury beyond a per se statutory violation to state a claim for statutory liquidated damages or injunctive relief under the Illinois Biometric Information Privacy Act (BIPA). While recent decisions applying BIPA have been largely Illinois-based, the Ninth Circuit recently applied BIPA in Patel v. Facebook to affirm a lower court’s ruling that plaintiffs in the ongoing Facebook BIPA class action alleged a concrete injury-in-fact to confer Article III standing and that the class was properly certified.

The Ninth Circuit is the first federal circuit court to conclude that a plaintiff alleging a BIPA violation has standing for purposes of Article III of the US Constitution. The ruling makes it easier for plaintiffs to certify BIPA class actions, within and outside of Illinois. 
Continue Reading The Ninth Circuit Clears The Way For BIPA Class Actions