Illinois Biometric Policy Law Does Not Require Proof of Actual Damages

Contact: Mark Brookstein, Gould & Ratner
Posted Apr 1, 2019

Attention businesses operating in Illinois: If you use a person’s “biometric” data for things like timekeeping or security, you must have a written policy under which you: (1) obtain written consent, (2) store the data confidentially and (3) destroy the data no later than three years after the last interaction with the person.

If you fail to do so, you face statutory penalties of $1,000 (negligently) or $5,000 (recklessly/intentionally) per person per violation – even if the employee suffered no actual damages (such as identity theft, etc.). You will also be paying the person’s attorneys’ fees and litigation expenses (including expert witnesses).

That was the Illinois Supreme Court’s ruling in Rosenbach v. Six Flags Entm’t Corp., 2019 IL 123186, a case involving an amusement park scanning customer fingerprints for use with entry passes. The park did not obtain consent or provide any information about its use of the fingerprints. The potential damages based on millions of customers visiting the park each year is staggering.

It is therefore vital for companies operating in Illinois to understand their obligations when it comes to biometric data.

View entire article here.