Illinois biometric law changes require Home Depot compliance steps

Illinois' Biometric Information Privacy Act (BIPA, 740 ILCS 14/) sets strict rules that matter for Home Depot managers and store employees wherever biometric data is collected. The statute requires private entities to give written notice and obtain informed, written consent before collecting biometric identifiers such as fingerprints, hand geometry, retina or iris scans, and facial geometry. It also requires a public retention schedule and a policy for permanent destruction that entities must follow.

For retailers, those requirements touch common workplace systems: fingerprint scanners used for timekeeping, facial geometry or other biometric tools used by asset protection, and biometric access systems. Home Depot stores operating in Illinois or collecting data from Illinois residents must ensure any such systems have written release forms and clear explanations of the purpose and length of retention before any data is captured.

BIPA historically allowed private causes of action with statutory damages against companies that failed to comply. Illinois amended the law in 2024 to limit some exposures, but the core compliance obligations remain significant. That means even with the 2024 changes, employers and retailers still face operational requirements and potential legal risk if they do not follow notice, consent, retention and destruction rules.

Practical steps for Home Depot managers and teams include maintaining clear, public policies describing what biometric identifiers are collected, why they are collected, how long they are retained, and how they will be destroyed. Obtain and document written consent for any biometric system used for timekeeping, security or loss prevention. Review and update vendor agreements to require compliance with BIPA provisions and permit audits of vendor practices. Train store managers, human resources staff and asset-protection teams on correct notice and consent practices so that consent is obtained before collection and retention schedules are followed.

Operationally, compliance may mean standardizing consent forms across stores, posting notices at points of collection, updating point-of-hire materials, and implementing checklists for asset-protection installations. Vendors supplying biometric hardware and software should be required to demonstrate and document their compliance obligations and destruction practices.

For employees, the law reinforces a right to be informed and to consent before biometric data is collected, and it establishes expectations for how long such data can be kept and when it must be destroyed. For store leaders, the upshot is straightforward: audit current biometric uses, tighten policies and contracts, and train staff now to avoid gaps that can lead to litigation or regulatory scrutiny. Compliance is an ongoing process, and managers should expect to revisit policies as technology and law continue to evolve.