January 30, 2026|Franchise Frontlines
January 30, 2026 | Appellate Court of Illinois, Third District | 2026 IL App (3d) 250239 (Not Yet Released for Publication)
Executive Summary
In a January 30, 2026 opinion, the Appellate Court of Illinois, Third District, affirmed summary judgment in favor of two staffing agencies in a putative class action under the Illinois Biometric Information Privacy Act (“BIPA”), 740 ILCS 14/1 et seq. The plaintiffs alleged that the staffing agencies violated section 15(b) of BIPA by enrolling employees in a biometric time clock system used at a food manufacturing facility without providing required notice and obtaining written consent. The court held that section 15(b) regulates the acquisition of biometric data and that liability requires actual collection, capture, or control over the biometric information. Because the staffing agencies did not possess, access, or control the biometric data—which was controlled by the host company and its payroll vendor—summary judgment was proper. In doing so, the court rejected a “conduit” or facilitation theory of liability and emphasized that BIPA “does not impose liability on everyone who happens to be standing nearby.”
Relevant Background
Plaintiffs Araceli Salinas and Lorena Servin worked at a food manufacturing facility operated by Arthur Schuman Cheese, LLC. They were placed at the facility by separate staffing agencies—Surestaff, LLC and Metrostaff, Inc.
The facility utilized biometric time clocks leased from a payroll vendor. Plaintiffs alleged that the staffing agencies enrolled workers in the biometric timekeeping system and instructed them to use the clocks. They further alleged that this conduct violated section 15(b) of BIPA because the staffing agencies failed to provide written notice and obtain written consent before collecting biometric identifiers.
The staffing agencies moved for summary judgment, submitting affidavits establishing that:
- The host company required use of the biometric time clocks.
- The host company had exclusive possession of the biometric data.
- The staffing agencies had no ability to access, control, or retrieve biometric data.
- The staffing agencies’ administrative access was limited to enrolling employees and correcting time records, not accessing biometric information itself.
The trial court granted summary judgment, and plaintiffs appealed.
Decision
The Illinois Appellate Court affirmed.
Section 15(b) of BIPA provides that “[n]o private entity may collect, capture, purchase, receive through trade, or otherwise obtain” a person’s biometric identifier or biometric information without first providing notice and obtaining a written release. 740 ILCS 14/15(b) (West 2022).
Relying in part on the Illinois Supreme Court’s analysis in Cothron v. White Castle System, Inc., 2023 IL 128004, the court emphasized that the operative verbs in section 15(b)—collect, capture, purchase, receive, obtain—presuppose that the defendant gains control over the biometric data. The court stated that “each operative verb in section 15(b) presupposes that a defendant acquires the biometric data, not merely that its conduct facilitates another entity’s acquisition.”
The court rejected plaintiffs’ argument that section 15(b) does not require possession and therefore should extend to entities that merely implement or require use of a biometric system. The absence of the phrase “in possession,” the court held, does not expand liability to parties that do not collect or control the data. Rather, coming into “possession” is inherent in the statutory concepts of receiving or obtaining.
The court further observed that the staffing agencies did not access, store, or control the biometric data, which was stored on the time clocks and transmitted to the payroll vendor’s cloud servers. Their role was ministerial: enrolling employees and instructing them to use the system. That conduct, without more, did not constitute collecting or obtaining biometric information within the meaning of section 15(b).
Importantly, the court acknowledged that different facts might support liability under corporate-control or vicarious-liability theories, but plaintiffs had not alleged that the staffing agencies controlled the host company or the vendor, nor that they exercised control over the biometric data itself.
The court concluded with a pointed observation: while BIPA “wields the impact of a grenade,” it “does not impose liability on everyone who happens to be standing nearby.”
Looking Forward
For franchisors and multi-unit operators—particularly those with Illinois operations—this decision provides meaningful guidance on the outer limits of section 15(b) liability.
First, the opinion reinforces that BIPA’s collection provision is directed at entities that actually acquire or control biometric data. Requiring use of a biometric timekeeping system, enrolling employees in that system, or administering payroll functions may not, without more, constitute “collecting” or “obtaining” biometric information if the entity does not possess or control the data.
Second, the court’s rejection of a pure “conduit” theory is significant. In complex operational structures—whether staffing arrangements, franchise systems, or vendor relationships—plaintiffs often attempt to extend BIPA liability to multiple layers of participants. This opinion underscores that proximity to biometric processes is not enough; control and acquisition remain central.
At the same time, the decision should not be read as eliminating exposure in all multi-entity arrangements. The court expressly noted that different allegations—such as corporate control, vicarious liability, or joint employer-type relationships—might alter the analysis. Entities that contract for biometric systems, retain access rights, store data, or direct how data is handled may still face risk under section 15(b) or other BIPA provisions.
For franchisors in particular, the practical takeaway is structural clarity. Agreements with vendors and franchisees should define clearly which party controls, accesses, and stores biometric data. Operational practices should align with those contractual allocations. Where possible, franchisors should avoid direct possession or control of biometric identifiers unless they are prepared to comply fully with BIPA’s notice, consent, retention, and destruction requirements.
In short, while this decision narrows section 15(b) exposure for entities that do not actually acquire biometric data, it reinforces the importance of careful system design and documentation in Illinois operations.
This article is based solely on the opinion of the Court in this matter. The author has not conducted any independent investigation into the facts. For the avoidance of doubt, each statement related to the law and facts in this article is drawn from the Court’s opinion in this case.
Thomas O’Connell is a Shareholder at Buchalter LLP and Chair of the firm’s Franchise Practice Group. For questions about this article or media inquiries, you can contact Tom at toconnell@buchalter.com.
This communication is not intended to create, and does not create, an attorney-client relationship or any other legal relationship. No statement herein constitutes legal advice, nor should it be relied upon or interpreted as such. This communication is for general informational purposes only and is not a substitute for legal counsel. Readers should not act or refrain from acting based on any information provided without seeking appropriate legal advice specific to their situation. For more information, visit www.buchalter.com.
