CBRE Illinois Biometric Data Privacy Policy

Effective Date: 15 October 2025
Last Reviewed: 13 October 2025
Last Updated: 13 October 2025

Definitions

As used in this policy, “Biometric Data” includes “Biometric Identifiers” and “Biometric Information” as defined in the Illinois Biometric Information Privacy Act, 740 ILCS § 14/1, et seq.

“Biometric identifier” means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Biometric identifiers do not include writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color. Biometric identifiers do not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996.

“Biometric Information” means any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual. Biometric Information does not include information derived from items or procedures excluded under the definition of biometric identifiers.

Purpose for Collection of Biometric Data

CBRE and its suppliers use Biometric Data solely as a secure and reliable means of administering employee access (where appliable) to certain third-party timekeeping and compensation technology platforms, which platforms are used to record your working hours and to calculate compensation due to employees based on such working hours and to monitor and create records of employees’ workplace attendance.

Disclosure and Authorization

To the extent that the CBRE or its third-party service providers capture, convert, store, share, or otherwise obtain Biometric Data relating to an employee, CBRE shall first:

  • Inform the employee in writing that CBRE and/or its third-party service providers are collecting, capturing, or otherwise obtaining the employee’s Biometric Data, and that CBRE and/or its third-party service providers are processing such Biometric Data for purposes related to timekeeping, compensation and employee workplace attendance;
  • Inform the employee in writing of the specific purpose and length of time for which the employee’s Biometric Data is being collected, stored, and used; and
  • Receive clear, unambiguous and affirmative consent from the employee authorizing CBRE and its third-party service providers to collect, store, and use the employee’s Biometric Data for the specific purposes disclosed by CBRE and, as applicable, for CBRE to make such Biometric Data available to its suppliers.
  • Neither CBRE nor its third-party service providers will sell, lease, trade, or otherwise profit from employees’ Biometric Data; provided, however, that CBRE’s third-party service providers may be paid for products or services used by CBRE that utilize such Biometric Data for the purposes described in this Policy.

Disclosure

CBRE will not disclose or disseminate any Biometric Data to anyone other than its third-party service providers engaged to provide timekeeping and compensation services using Biometric Data without/unless:

  • First obtaining written employee consent to such disclosure or dissemination;
  • Disclosure is required by state or federal law or municipal ordinance; or
  • Disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.

Retention Schedule

CBRE retains employee Biometric Data only until, and shall request that its third-party suppliers permanently destroy such data when, the first of the following occurs:

  • The employee’s employment with CBRE is terminated;
  • The employee assumes a new role or transfers to an account or department that does not employ timekeeping and compensation software that utilizes Biometric Data;
  • The employee revokes their consent to CBRE’s processing of their Biometric Data.

Data Storage

CBRE shall employ a reasonable degree of care to store, transmit and safeguard from disclosure all Biometric Data, which shall be at least the same degree of care with which CBRE stores, transmits and safeguards from disclosure other confidential and sensitive information in its possession, including personal information that can be used to uniquely identify an individual or an individual’s account or property.

Contact Information

If you have questions about this policy, or to request information relating to this CBRE Biometric Data Privacy and Record Retention Policy, please contact:

Global Data Privacy Office
CBRE, Inc.
300 North Lasalle Drive, Suite 600-700
Chicago, IL 60654

[email protected]