Illinois Biometric Information Privacy Act: Using AI notetaking apps and minimizing liability
Scott Cruz
By SCOTT CRUZ
Artificial intelligence (“AI”) notetaking and transcription tools have become increasingly common across organizations in all industries. Companies are using these tools to document virtual safety meetings, virtual employee relations discussions, virtual training sessions, and virtual operational reviews.
While these technologies offer clear business advantages, they also introduce complex legal risks—particularly under the Illinois Biometric Information Privacy Act (“BIPA”).
BIPA is widely regarded as the most stringent biometric privacy law in the United States. For employers with operations, employees, or even virtual meeting participants in Illinois, the use of AI notetaking tools can trigger compliance obligations that are often overlooked.
This article provides companies with practical best practices for minimizing liability, while still leveraging the efficiency benefits of AI tools.
Understanding BIPA
BIPA regulates the collection, use, storage, and destruction of biometric identifiers such as voiceprints, fingerprints, and facial geometry. AI notetaking tools frequently analyze voice characteristics to distinguish speakers, which can result in the creation of “voiceprints.” Because voiceprints are explicitly covered under BIPA, organizations must comply with strict requirements before collecting such data.
BIPA requires employers to provide written notice, disclose the purpose and duration of data collection, and obtain written consent prior to collecting biometric data. Organizations must also establish and follow a publicly available retention and destruction policy. Failure to comply can result in significant statutory damages, even in the absence of actual harm.
Why AI notetaking tools create unique risks for Illinois employers
AI notetaking tools can automatically join virtual company meetings and begin recording or transcribing without verifying that all participants (i.e. Illinois employees) have provided consent. In some cases, Illinois employees may be unaware that their voice data is being captured and analyzed during a virtual work meeting. This creates a significant risk for Illinois companies under BIPA, particularly because liability may extend to Illinois employers who enable and/or permit the use of such tools, even if the software being used is provided by a third-party vendor.
Best Practice 1: Conduct a comprehensive risk assessment
Before implementing any AI notetaking solution, Illinois employers should collaborate with legal, IT, and data privacy teams (as applicable) to conduct a thorough risk assessment. This assessment should determine whether the tool collects or processes biometric data such as voiceprints, whether speaker identification features are enabled, and how data is stored and used by the vendor.
Best Practice 2: Develop clear written policies
Illinois employers should establish formal, written policies governing the use of AI notetaking tools. These policies should specify which tools are approved, outline procedures for obtaining consent, and define acceptable use cases. Policies should also address data retention, access controls, and incident response.
Best Practice 3: Obtain informed written consent
Obtaining written consent is a cornerstone of BIPA compliance. Illinois employers must ensure that their Illinois employees receive clear, written disclosures explaining what data is being collected, why it is being collected, and how long it will be retained. In practice, this may require implementing pre-meeting consent workflows, electronic acknowledgment forms, or standardized disclosures included in virtual meeting invitations.
Best Practice 4: Limit or disable biometric features
Whenever possible, organizations should configure AI tools to minimize risk by disabling features that may create biometric identifiers. This includes speaker recognition, voice profiling, and analytics that rely on identifying individuals based on their voice characteristics.
Best Practice 5: Identify who is permitted to enable AI notetaking
Without disabling biometric features, Illinois employees may be using AI notetaking during virtual work-related meetings without their employers knowledge. This is extremely problematic if, among other things, the necessary consents have not been secured from all employee participants. So, Illinois employers should limit use to those whom it has given express authority, and only after all necessary safeguards have been put in place.
Best Practice 6: Establish and enforce retention policies
BIPA requires organizations to develop and adhere to a written policy governing the retention and destruction of biometric data. Illinois employers should ensure that AI-generated recordings and transcripts are retained only as long as necessary to fulfill their purpose and are securely deleted thereafter.
Best Practice 7: Perform vendor due diligence
Because AI notetaking tools often involve third-party vendors, Illinois employers must conduct thorough due diligence before adoption. This includes reviewing vendor privacy policies, understanding how data is processed and stored, and ensuring that contractual agreements include appropriate safeguards such as indemnification and data protection obligations.
Best Practice 8: Train managers and employees
Training is critical to ensuring compliance. Illinois employers should provide targeted training for managers, supervisors, and employees on the appropriate use of AI notetaking tools, emphasizing consent requirements, prohibited uses, and reporting procedures for potential issues.
Best Practice 9: Implement meeting-level controls
Illinois employers should establish standardized meeting protocols that include clear disclosures at the beginning of each meeting, confirmation of participant consent, and verification that AI tools are authorized for use. These controls help ensure that compliance measures are consistently applied.
Best Practice 10: Monitor and audit usage
Finally, Illinois employers should implement ongoing monitoring and auditing processes to ensure compliance with internal policies and legal requirements. Regular audits can identify unauthorized use of AI tools and provide opportunities for corrective action.
AI notetaking tools offer significant benefits for organizations, but they must be deployed thoughtfully and responsibly. For Illinois employers, the key to minimizing BIPA liability lies in proactive governance, clear communication, and rigorous compliance practices. By conducting thorough risk assessments, obtaining informed consent, limiting unnecessary data collection, and maintaining strong vendor oversight, Illinois employers can harness the advantages of AI while protecting employee privacy and reducing legal exposure under BIPA.
Scott Cruz is a partner in the Labor & Employment Practice Group of UB Greensfelder LLP’s Chicago, O’Fallon, Ill., and St. Louis, Mo. offices. He can be reached at (312) 658-6608 or [email protected].
