andy-campbell.jpgMulti-residence, office and mixed-used commercial buildings often have “smart access” security systems in place to verify the identity of residents and employees who enter the facility and sections within. These systems increasingly use biometric technology, in which individuals are identified by their fingerprints, facial features, voice, retinal features, or other unique characteristics. While these sophisticated security systems allow building owners and management companies to efficiently enhance the safety of their properties, these companies must take care to balance security with individuals’ rights to privacy under the Biometric Information Privacy Act (BIPA).

What is BIPA? 

Illinois became the first state to regulate companies’ collection and use of individuals’ biometric identifying information when it passed BIPA in 2008. BIPA requires that private entities possessing biometric identifiers, such as fingerprints, retina scans and hand geometry scans, do the following: 

• Develop a written policy setting forth retention and destruction practices. 

• Obtain informed consent and a written release prior to collection. 

• Protect and retain collected information in a reasonably confidential and secure manner. 

• Refrain from selling or otherwise profiting from collected information. 

• Refrain from disclosing or disseminating collected information except in certain limited circumstances, such as in response to a subpoena or warrant. 

The Act is unlike privacy laws in other states in that it creates a private right of action for those whose rights are violated. BIPA supporters applaud the fact that Illinois residents are empowered by the statute to protect their rights by directly suing a company, rather than relying on state prosecutors to act. However, critics of the law grumble that the private right of action has forced companies to spend enormous amounts of money defending against frivolous lawsuits, particularly class actions, for alleged BIPA violations.   

BIPA Litigation

In recent years, there has been a surge in class action lawsuits filed in Illinois federal and state courts by employees, customers and others alleging BIPA violations. The Illinois Supreme Court’s 2019 ruling in Rosenbach v. Six Flags Entertainment Corporation made filing a BIPA lawsuit even easier for plaintiffs and classes. The court held that a plaintiff need not show actual injury or damages to succeed on a cause of action under BIPA. Rather, plaintiffs must only demonstrate that there was a violation of their rights under the Act, such as the company scanned their fingerprint without their consent. 

Costs related to BIPA violations can quickly mount for defendants. BIPA plaintiffs can recover $1,000 in liquidated damages or their actual damages, whichever is greater, for each negligent violation; or $5,000 in liquidated damages or their actual damages, whichever is greater, for each reckless violation. Successful BIPA plaintiffs can also recover reasonable attorneys’ fees.

Privacy vs. Security

Property owners and management companies must carefully consider the potential privacy and security risks involved before installing new technologies and collecting biometric information from residents or corporate tenants. 

Access systems using biometrics have certain advantages over alternatives. For instance, systems using key cards are potentially less secure, because the cards can be lost or stolen, and they create inconveniences both for the residents and employees, who must carry their cards with them, and for the company, which must replace lost cards. But due to the sensitivity of biometric data and the financial risks involved under BIPA, some companies may choose to forego access systems requiring biometrics in favor of a less high-tech alternative. 

Your Biometric Policy 

If you do opt for a system using biometrics, it is important to consult with an attorney with expertise in the Act when developing your written policy to set protocols for collecting, retaining and destroying biometric data in accordance with BIPA.

Before collecting biometric data from individuals, you must, among other things, inform them in writing about: (a) the purpose of collecting the information; and (b) the duration for which the information will be kept. Further, individuals’ consent must be obtained, in writing, and you must retain detailed records of how and when consent was acquired. The biometric identifiers themselves must be safely stored, and they must be destroyed when the purpose for which they were obtained is accomplished or within three years of the individual’s last interaction with the business, whichever comes first. In the case of collecting biometric information to identify a resident in a multifamily residence, the purpose of possessing the biometric information ceases when the individual moves out of the building, so the individual’s biometric identifiers should be destroyed at this time. 

It is also advisable that you review your written biometric data policy with a law firm with expertise in BIPA litigation as it pertains to the real estate sector. There have been many important developments in how BIPA is interpreted by the courts in recent months, and a litigator can review your policy and practices with current litigation trends in mind to advise you on your litigation risks. 

Novack and Macey LLP represents real estate developers, owners, brokers, landlords, tenants, buyers, sellers, national retailers, portfolio managers, property and facilities managers, REITs and other industry players in a wide range of commercial real estate disputes, including BIPA violations. To contact the author, please email Andrew D. Campbell at or call 312.419.6900. 


DISCLAIMER: Novack and Macey is providing this web page for informational purposes only. The information contained in this web page is not legal advice. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Readers should consult with a lawyer before acting in reliance on any such information. Novack and Macey seeks to provide accurate and timely information. There may, however, be inadvertent inaccuracies, for which we apologize. Although Novack and Macey has attempted to make the information in this web page as timely and as accurate as possible, there may be inaccuracies due to, among other things, the fact that laws, and their interpretations, constantly change and vary from jurisdiction to jurisdiction. Novack and Macey assumes no responsibility, and expressly disclaims all liability, for errors or omissions in, and use or interpretation by others of, any information contained in this web page.