There’s been a blogging blizzard about two recent cases interpreting the Illinois Biometric Information Privacy Act (BIPA). In early February 2023, the Illinois Supreme Court ruled in Tims v. Black Horse Carriers, Inc. that a five-year limitations period applies to all BIPA claims. And just two weeks later, in Cothron v. White Castle Sys., Inc., the Court held that “a claim accrues under [BIPA] with every scan or transmission of biometric identifiers or biometric information without prior informed consent.”

These are indeed important rulings. Because BIPA authorizes private lawsuits for statutory damages without a showing of actual injury, these decisions add more fuel to the fire of BIPA class action litigation.

But another recent BIPA case also deserves attention, because it bears directly on privacy laws that require data retention schedules and the disposal of data that is no longer needed.

First, some background. With rare exceptions, U.S. privacy laws traditionally have not required either data minimization (only collect the sensitive data actually needed) or storage limitation (only keep such data while needed for its collection purposes). One of those early outliers was BIPA, first effective in 2008.

Our focus here is on a particular provision in BIPA, in Section 15(a):

A private entity in possession of biometric identifiers or biometric information must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual’s last interaction with the private entity, whichever occurs first. Absent a valid warrant or subpoena issued by a court of competent jurisdiction, a private entity in possession of biometric identifiers or biometric information must comply with its established retention schedule and destruction guidelines.

740 ILL. COMP. STAT. 14/15(a) (emphasis added).

BIPA thus included two elements of data privacy seldom seen in other U.S. privacy laws at the time: the data is tied to the purpose(s) for which it was collected (data minimization), and the regulated data must be destroyed once it is no longer necessary for that purpose, pursuant to a written retention schedule (storage limitation).

And this brings us to the Illinois Appellate Court decision in Mora v. J&M Plating, Inc., 2022 IL App (2d) 210692, 2022 WL 17335861 (Ill. App. Ct. November 30, 2022). Mora dispels any notion that BIPA’s data retention schedule requirement is inconsequential.

Plaintiff Mora was hired by the defendant employer in July 2014 and began clocking into work by fingerprint scan in September 2014. In May 2018, Mora’s employer published its biometric data privacy policy, which contained a retention and destruction schedule for biometric data. Mora signed the policy notice and consented to the collection and use of his biometric data. Mora was terminated from employment on January 7, 2021, and his biometric information was destroyed approximately two weeks after his termination. Nine days later, Mora filed a class action lawsuit against his former employer, alleging BIPA violations. Id. at *3.

There was no dispute over whether the employer’s policy complied with BIPA. The “J&M PLATING BIOMETRIC INFORMATION PRIVACY POLICY” contained the BIPA-required retention and destruction schedule and provided the mandated privacy notice. Id. at fn. 2. Plaintiff Mora consented in 2018 to the employer’s collection and use of his biometric data, and the employer disposed of Mora’s data in compliance with its BIPA policy after plaintiff was terminated. Id. at *3.

The problem, and the reason why the Illinois Appellate Court reversed the trial court’s dismissal of plaintiff’s lawsuit, was instead the absence of the BIPA-required retention schedule and privacy notice from 2014 to 2018. According to the court, “defendant began collecting plaintiff’s biometric data in September 2014, and this triggered its obligation under [BIPA] section 15(a) to develop a retention-and-destruction schedule. Defendant did not have a schedule in place until May 2018, or nearly four years later. Thus, it violated section 15(a).” And because a BIPA violation by itself is sufficient to support an individual’s statutory cause of action, no showing of actual harm to plaintiff was required. Id. at *8.

What does this mean? Certainly, BIPA-covered businesses are on notice that a written retention-and-destruction schedule must be in place before they collect any covered data; adopting one later does not cure the earlier violation. More broadly, the case signals that any privacy law requiring a data retention schedule can carry enforcement consequences for companies that fail to establish and maintain one.

And BIPA is no longer an outlier: there is a growing wave of state-level comprehensive consumer privacy laws that require data minimization and storage limitation, covering a far broader range of personal information than BIPA does. We’ll take a closer look at those next time, in Less Data #5.