Practical Compliance Tips: Illinois Biometric Information Privacy Act (“BIPA”)

Jeffrey N. Rosenthal

Of all the targeted state biometric laws currently on the books, none poses more of an existential threat to companies than the Illinois Biometric Information Privacy Act (“BIPA”). BIPA has recently become the darling of the plaintiffs’ bar and the preferred statute under which bet-the-company class actions are being filed. If you have a presence in Illinois and use biometrics in your operations, chances are reasonably good you will be facing down a BIPA complaint at some point. But don’t despair! There are several proactive compliance steps to mitigate or, ideally, avoid such liability. And even after a case has been filed, there are several established (and even more developing) defenses available to minimize liability or obtain an outright dismissal. For example, having an enforceable arbitration agreement can be one of the most effective ways to mitigate the ever-increasing scope of biometric privacy exposure.

At their core, biometric systems analyze unique physical/behavioral human characteristics to identify and verify the identities of individuals. In our personal lives, this means using our faces to unlock our phones, or our eyes to unlock our homes. In our professional lives, companies may be verifying customer identities via facial scans or voice recognition software, or using employee fingerprints to track time and attendance, just to name a few.

In 2008, Illinois became the first state to regulate the collection, use, retention, storage, and deletion of biometric data. In addition to being the first law on the books, the Electronic Frontier Foundation described BIPA as the “strongest biometric privacy law in the United States.”

At its core, BIPA can be boiled down to four key requirements: (a) the maintenance of a publicly available privacy policy and data retention and destruction schedule; (b) the provision of notice and obtaining consent before collecting or sharing biometric data; (c) a strict prohibition on selling or “profiting from” biometric data; and (d) ensuring the security of biometric data.

Notably, under BIPA a prevailing party can recover statutory damages ranging between $1,000 and $5,000 for each violation of the law. Beyond that, plaintiffs can also recover attorneys’ fees and costs, including expert witness fees and other expenses, as well as injunctive and any other relief the “court may deem appropriate.”

In January 2019, the Illinois Supreme Court further lowered the barrier to entry when it held in Rosenbach v. Six Flags Ent. Corp., 129 N.E.3d 1197 (Ill. 2019), that individuals can pursue BIPA claims for mere “technical violations.” Not surprisingly, this opened the door to innumerable additional cases. Combined with several notable class-wide BIPA settlements ($650 million; $25 million; $10 million), as well as other class-wide settlements awaiting approval ($92 million), the focus on BIPA suits has never been higher. And the stakes will continue to rise.

The Final Word

Companies that operate in Illinois should take proactive measures immediately—if they have not already done so—to ensure compliance with the above biometric privacy requirements. For additional information on how to comply with BIPA, please view our BIPA Compliance Checklist.
