Following the Illinois Supreme Court’s January 25th, 2019 Decision in Rosenbach v. Six Flags Entertainment Corporation, condominium, townhome, and homeowner’s associations utilizing biometric-based technology (that is, employee timeclocks and other technology requiring a person to  provide a retina scan, fingerprint, voiceprint, hand-scan or face-scan) can find themselves facing severe statutory penalties for failing to comply with each technical requirement of the Illinois Biometric Information Privacy Act (BIPA); even when no actual harm was caused.

BIPA was signed into law in 2008 and provides that private entities, including condominium, townhome, and homeowner’s associations, in possession of biometric identifiers or biometric information must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying such biometric identifiers and biometric information.

Further, BIPA prohibits a private entity from collecting, capturing, or otherwise obtaining a person’s biometric identifiers or biometric information without:

  • informing such person in writing that his or her biometric identifiers or information is being collected or stored as well as the specific purpose and length of time for such collection, storage, or use; and
  • receiving a written release from such person.

BIPA also requires a private entity to store biometric identifiers or biometric information using a reasonable standard of care that is identical or more secure than the manner in which they store and protect other confidential information.

Additionally, in the Rosenbach case, the Illinois Supreme Court determined that a person filing a BIPA claim only needs to allege a technical violation, without any additional allegations of actual injury or adverse effect, to be entitled to relief.

Associations that intentionally or recklessly violates BIPA’s technical requirements are subject to fines of $5000 for each individual BIPA violation plus court costs and attorneys’ fees. Therefore, Associations utilizing biometric-based technology face a significant risk if they should fail to comply with BIPA requirements.

Associations using biometric-based technology should consider taking the following 5 steps in order to comply with the Illinois Biometric Privacy Act (BIPA):

  • Develop a written policy for retaining and destroying biometric identifiers and information.
  • Make the written policy publicly available.
  • Before collecting, storing or using any biometric identifiers or information, inform the person whose identifiers and information is being collected – in writing – that such identifiers and information is being collected, stored or used and the specific purpose and length of time for such collection, storage and use.
  • Obtain a written release from all persons providing biometric identifiers or information.
  • Store all biometric identifiers and biometric information in a manner which is, at a minimum, more secure than the manner in which other confidential association information is stored.

If your association is interested in adopting or updating a written policy in compliance with BIPA, do not hesitate to contact our firm. Since 1983, KSN has been a legal resource for community associations throughout the Chicagoland area. We have multiple offices including downtown Chicago, Mundelein, and Naperville. Call 855-537-0500 or visit to get started.


This article is made available by the lawyer or law firm publisher for educational purposes only as well as to give you general information and a general understanding of the law, not to provide specific legal advice. By reading this article you understand that there is no attorney client relationship between you and the article author. This article should not be used as a substitute for competent legal advice from a licensed professional attorney in your state. © 2019 Kovitz Shifrin Nesbit, A Professional Corporation.