It may be April 1st, but this is no prank. If you work in e-discovery and haven't been thinking about biometric data, now is the time to start. Over the past year, biometric privacy cases have surged, and with several filings already this year, that trend shows no signs of slowing. Much of this litigation is driven by the Illinois Biometric Information Privacy Act, 740 ILCS 14 (“BIPA”), which imposes stringent notice requirements and allows plaintiffs to recover substantial statutory damages—up to $5,000 per occurrence for intentional violations. Corporations using technology to capture biometric data (fingerprints, facial geometry, iris scans, and voiceprints) without complying with the Act’s provisions, are finding themselves in costly class actions. Beyond the obvious compliance concerns, this wave of litigation also creates a new category of discoverable data that doesn't fit neatly into traditional e-discovery workflows.

What Makes Biometric Data Different?

Heightened Disclosure Concerns. Biometric data poses unique security challenges due to its inherently sensitive nature. Unlike passwords or account numbers, fingerprints, voiceprints, and facial geometry cannot be reset if compromised, making this data immutable and requiring heightened safeguards throughout discovery. Protective orders in these cases should include stringent confidentiality provisions and clearly defined redaction protocols.

Preservation and Destruction Don't Always Play Well Together. BIPA mandates organizations to destroy biometric data once the initial purpose for collection has been satisfied or the relationship with the individual has ended. This requirement can conflict directly with litigation hold obligations. Navigating this tension requires close coordination between compliance and litigation teams.

Informed Consent Documents Become Key Evidence. A central feature of BIPA is the requirement that corporations obtain informed written consent before capturing biometric data. If a corporation can establish compliance with this requirement, it may be positioned to file a dispositive motion. Locating these potentially exculpatory documents should be a priority early in the case.

So, What Should You Be Doing?

For e-discovery practitioners, the takeaway is clear: data governance and discovery readiness go hand in hand. Organizations deploying technologies that capture biometric data without first obtaining informed written consent risk becoming defendants in BIPA class actions. Once a suit is filed, proactive measures are essential: properly classifying and protecting this data, confirming that workflows can handle non-traditional data types, and establishing clearly defined protocols for safeguarding biometric information. These formats can also require specialized tools for extraction, processing, and review. Given the complexity and costs of obtaining and producing biometric data, format and usability issues should be addressed at the outset of discovery.

Bottom Line

BIPA is no joke, and this is only going to get more complex. Additional states (Arizona, California, New York, and Oregon, to name a few) are actively considering or reconsidering their own biometric privacy statutes, and organizations operating across multiple jurisdictions will need a “fool-proof” biometric privacy framework to stay compliant. Staying ahead of these challenges isn’t optional or folly—it's essential.