Appeals court draws line between facilitating and collecting biometric data
Staffing agencies that enroll workers in fingerprint time clocks but never access the biometric data are off the hook under Illinois privacy law.
For staffing agencies worried about biometric privacy lawsuits, an Illinois appeals court delivered welcome news on January 30, 2026. The ruling draws a clear line between helping workers use fingerprint scanners and actually collecting their biometric information.
The decision centered on two temporary workers placed at a cheese manufacturing plant in Elgin. Araceli Salinas worked there through Surestaff, while Lorena Servin came through Metrostaff. Both had to scan their fingerprints on time clocks to record their hours at the Arthur Schuman Cheese facility.
The workers sued, claiming the staffing agencies violated the state's Biometric Information Privacy Act by collecting fingerprints without proper written notices and consent. Under the law, companies must inform workers in writing before collecting biometric data and explain how long they'll keep it and why. Workers must also sign a release.
Here's the critical detail. The staffing agencies never actually possessed the fingerprint data. Schuman owned the time clocks through a lease with Paycom Payroll and controlled all the biometric information. The data lived on the devices and Paycom's cloud servers, completely out of reach for Surestaff and Metrostaff.
The agencies did enroll their workers in the system and showed them how to use the scanners. They also had limited administrative access to correct time records when needed. But they had no access to any fingerprints or biometric information.
When the case reached summary judgment, the workers asked for more discovery time to dig into who really controlled the time clocks. The trial court denied the request, finding that the dispositive question wasn't who required the scanners but who actually obtained the biometric data. In January 2025, the court ruled for the staffing agencies.
The workers appealed, arguing that the law doesn't specifically require possession of biometric data. They said the agencies violated the statute simply by enrolling workers and facilitating the whole process.
The Third District Appellate Court rejected that argument. Justice Anderson, writing for the panel, pointed to a recent Illinois Supreme Court case that analyzed what it means to collect biometric information. The verbs in the statute matter: collect, capture, purchase, receive, obtain. They all mean gaining control of something.
The court put it memorably: the law regulates acquisition of biometric data, not proximity to it.
The decision cited similar cases where courts dismissed claims against Apple and Samsung over biometric features on smartphones. In the Samsung case, a federal court in Illinois noted that while Samsung manufactures phones with facial recognition features, the biometric data remains stored on the phone and is not received or controlled by Samsung. The court found no proper claim under Section 15(b) because the defendant had no access or control of biometric information.
The appellate court applied the same reasoning to the staffing agencies. The court stated that each operative verb in Section 15(b) presupposes that a defendant acquires the biometric data, not merely that its conduct facilitates another entity's acquisition. The record showed the staffing agencies never possessed or gained control of any biometric data.
The court acknowledged there might be situations where facilitating collection could create liability. For instance, if the staffing agencies and Schuman had a corporate relationship, or if one controlled the other, or if they functioned as joint employers. But the workers never made those allegations.
As for the discovery request, the appellate court found the trial judge acted reasonably. More discovery about who implemented the time clocks wouldn't change the fundamental issue. The staffing agencies simply didn't collect biometric data as the law defines it.
The court summed up its view with a vivid image: the Biometric Information Privacy Act wields the impact of a grenade, but it doesn't impose liability on everyone standing nearby.
For HR teams managing temporary workers or using biometric time clocks, the takeaway is straightforward. Administrative tasks like enrollment and troubleshooting don't trigger liability when someone else owns and controls the actual biometric information. What matters is who possesses and accesses the data itself.
While the appellate court ruled in favor of the staffing agencies, separate claims against Schuman remain pending in the trial court.
