United States 
Canada (EN) 
México 
France 
Deutschland 
United Kingdom 
Quick Hits
- On January 30, 2026, the Appellate Court of Illinois affirmed summary judgment in Salinas v. Arthur Schuman Midwest, LLC, in favor of staffing agencies accused of BIPA violations, holding that the agencies did not “collect, capture, or otherwise obtain” biometric data simply by enrolling employees in a biometric time clock system and instructing them on its use.
- The court emphasized that each operative verb in Section 15(b) of BIPA—collect, capture, purchase, receive, and obtain—“presupposes that a defendant acquires the biometric data, not merely that its conduct facilitates another entity’s acquisition.”
- Colorfully summarizing its holding, the court stated: “While the Biometric Information Privacy Act is a statute that wields the impact of a grenade, it does not impose liability on everyone who happens to be standing nearby.”
- The ruling provides potentially significant protection for staffing agencies, payroll companies, and other service providers that may interact with biometric systems but do not actually possess or control the underlying biometric data.
Background
The case arose from a putative class action brought by two temporary workers who had been placed at a food manufacturing facility in Elgin, Illinois, operated by Arthur Schuman Cheese, LLC. Schuman contracted with a payroll service provider to lease and install biometric time clocks at its facility. The plaintiffs were placed at Schuman by two defendant staffing agencies and were required to use the biometric time clocks to clock in and out of their shifts.
The plaintiffs alleged that the staffing agencies violated Section 15(b) of BIPA by collecting their fingerprints through the biometric time clocks without providing proper notice and obtaining consent. The third amended complaint alleged that Schuman had exclusive possession of the biometric time clocks under its lease with the payroll services provider, that Schuman decided to install biometric time clocks at its facility, and that Schuman had exclusive authority to require their use. Biometric information was allegedly stored on the time clocks and transferred by Schuman to the payroll service provider’s cloud-based servers. The plaintiffs further alleged that the staffing agencies would enroll workers in the time clock system and then instruct and monitor workers’ use of the time clocks to track their hours.
The staffing agencies moved for summary judgment, submitting affidavits stating that: (1) Schuman required all of the staffing agencies’ employees to clock in and out using the biometric time clocks; (2) Schuman had exclusive possession of the biometric data and the Staffing Agencies could not access or control the data; and (3) Schuman had granted the staffing agencies only limited administrative access to enroll employees and correct time records. The circuit court granted summary judgment to the staffing agencies, finding that there was no dispute that they did not possess, could not access, and had no control over the biometric data.
The Court’s Analysis
On appeal, the Appellate Court of Illinois, Third District, affirmed the grant of summary judgment and the denial of discovery.
Section 15(b) Requires Acquisition, Not Facilitation
The court began its analysis by examining the text of Section 15(b), which provides that no private entity may “collect, capture, purchase, receive through trade, or otherwise obtain” a person’s biometric identifier or biometric information without first providing written notice and obtaining a written release. Citing the Supreme Court of Illinois’s decision in Cothron v. White Castle System, Inc., the court noted that “collect” means “to receive, gather, or exact from a number of persons or other sources” and “capture” means “to take, seize, or catch.” The court emphasized that the Cothron court had stated that “[t]he active verbs used in section 15(b)—collect, capture, purchase, receive, and obtain—all mean to gain control.”
Based on the third amended complaint and unrebutted affidavits, the court found that the staffing agencies never possessed or gained control of any biometric data.
Rejection of “Conduit” or “Facilitation” Theory
The plaintiffs argued that the staffing agencies’ actions in enrolling, instructing, and monitoring time clock usage implicated Section 15(b) because that section—unlike other sections of BIPA—does not require that the entity be “in possession” of the biometric information. They argued that the absence of an “in possession” requirement broadened Section 15(b)’s reach to include those who facilitated or acted as a conduit relative to data collection.
The court rejected this argument. First, the court reasoned that coming into “possession” of something means it was “obtained” or “received,” and that there is no material distinction between these terms. Second, the court cited prior cases rejecting similar arguments where a party played a passive or ministerial role in connection with biometric identifying devices.
The court concluded that “[e]ach operative verb in section 15(b) presupposes that a defendant acquires the biometric data, not merely that its conduct facilitates another entity’s acquisition. In other words, section 15(b) regulates acquisition of biometric data; not proximity to it.”
Potential Limits of the Holding
The court acknowledged that there might be circumstances where a “conduit theory” could be persuasive, such as if one of the entities controlled another. The court cited federal cases suggesting that a company’s right to control another entity’s collection of biometric data could be relevant to vicarious liability or joint-employer liability claims. However, the court declined to reach that question because the plaintiffs made no allegations that the staffing agencies and Schuman were corporately related, vicariously liable, or joint employers.
Practical Considerations
Salinas offers helpful guidance for entities that interact with biometric technology but do not themselves possess or control biometric data. Companies may wish to consider the following in light of this ruling:
Staffing agencies and third-party service providers: The Salinas decision suggests that performing ministerial functions—such as enrolling employees in a biometric system, instructing them on its use, or monitoring compliance—may not, standing alone, constitute “collection” or “capture” under Section 15(b). Entities in similar positions may wish to evaluate their contracts and operational practices to ensure clear delineation of which party possesses and controls biometric data.
Host companies that own or lease biometric systems: The decision confirms that Section 15(b) liability is likely to attach to the entity that actually acquires and controls biometric data. Organizations that own or lease biometric systems and grant third parties limited administrative access should ensure that their compliance obligations under BIPA—including notice and consent requirements—are fully addressed.
Documenting access and control: The staffing agencies prevailed in part because they submitted unrebutted affidavits establishing their lack of access and control over biometric data. Entities that wish to rely on similar arguments in future disputes may benefit from maintaining clear documentation of their limited role.
Vicarious liability and joint employer theories remain viable: The court expressly left open the possibility that a conduit theory might succeed where one entity controls another or where vicarious liability or joint-employer claims are properly alleged. Because the court did not make a ruling on that point, the Salinas holding may not insulate entities operating in multiparty arrangements from all potential theories of liability.
Ogletree Deakins’ Chicago office and Cybersecurity and Privacy Practice Group will continue to monitor developments and will post updates on the Cybersecurity and Privacy and Illinois blogs as additional information becomes available.
Follow and Subscribe
LinkedIn | Instagram | Webinars | Podcasts
