The Illinois Biometric Information Privacy Act: What Makes a Winning Case?

    In a time where technology is an ever-changing, omnipresent aspect of our everyday lives, there is an increasing number of ways our privacy and personal information can be compromised. Biometric data—that is, physical characteristics of a person that can be used as a digital identifier such as fingerprints or facial recognition—presents its own unique privacy complications and questions over legal protections. The Illinois Biometric Information Privacy Act (BIPA) was created to address these very questions. Passed by the Illinois General Assembly in 2008, the BIPA’s purpose was to address the risks involved in technology’s use of biometrics and to give harmed plaintiffs a private right of action against privacy violations.

    Since the BIPA became law, a number of lawsuits have been filed that have established precedent, while also setting trends for future legal issues. Here, we’ll examine the Act itself and explore determining the viability of a lawsuit claiming BIPA violations.

    What is the BIPA?

    The Illinois Biometric Information Privacy Act was established in response to the growing use, as well as related public concern, of biometrics data. As the Act states: “The public welfare, security, and safety will be served by regulating the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.” According to the BIPA, biometric identifiers are defined as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” This definition of biometric data does not include things like writing samples, biological samples used for scientific or medical reasons, physical descriptions, or demographic data.

    What is Protected By BIPA?

    The BIPA addresses four major concerns of biometric information—its retention, collection, disclosure, and destruction. It requires any private entity that collects biometric data to inform the person that the data is being collected, as well as the specific purpose and the length of term for the collection. Notably, the person must also provide a written release. The BIPA prohibits any private entity from selling the data, even with the person’s consent. Disclosures to this rule may only be made with consent and for a specific purpose (i.e., required by law or pursuant to a warrant). The BIPA also requires that the data be protected using the same reasonable standard of care within the industry, or by “more protective” measures.

    Under the BIPA, any person harmed by a violation of the Act has a private right of action. Plaintiffs may recover liquidated damages of $1,000 for each violation or actual damages, whichever is greater, for negligent violations. For violations that were intentional or reckless, plaintiffs are entitled to liquidated damages of $5,000 or actual damages, whichever is greater.

    Establishing Precedence Under BIPA

    Although the BIPA was enacted in 2008, plaintiffs did not begin to file related lawsuits until 2015. The majority of cases appeared between 2017 and 2019, for a total number of 324 cases filed as of the end of last year. A number of court decisions during this period have given future plaintiffs an idea as to whether their own suits are viable.

    In 2019, the Illinois Supreme Court ruled in Rosenbach v. Six Flags Entertainment Corp. that an individual does not need to demonstrate actual harm to establish that they are aggrieved under the BIPA. In Rosenbach, the plaintiff alleges that the defendant theme park used a fingerprinting scan to capture her biometrics without her knowledge or consent. The court found that plaintiffs could still file suit based on a violation of the Act, without an actual injury, largely due to the deterrent aspect of the BIPA.

    However, in federal court, plaintiffs must show that they suffered concrete injuries to satisfy Article III standing. For example, in Rivera v. Google, Inc., the U.S. District Court for the Northern District of Illinois dismissed a BIPA lawsuit against Google, holding that the plaintiffs did not suffer any concrete injury in connection to Google’s photo storage that creates face templates of uploaded photos. Given this significant difference in standing requirements between state and federal courts, attorneys and potential plaintiffs must carefully consider the alleged injuries before choosing a jurisdiction.

    After Rosenbach, a number of class actions were filed in Illinois court, regardless of actual injury, which also prompted substantial settlements. For instance, in January 2020, Facebook paid $550 million to settle a class action lawsuit alleging BIPA violations. The plaintiffs claimed that Facebook collected facial recognition data from user images without disclosure or consent.

    Pending BIPA Litigation

    Currently, a number of lawsuits are pending under the BIPA. Motorola and Vigilant are facing lawsuits for allegedly collecting mugshots that were then used as a database for law enforcement. Similarly, Clearview AI is being sued for its facial recognition technology and its alleged sales to the Chicago Police Department. In a crop of new lawsuits in California and Washington, a number of tech giants are facing BIPA violation claims. Microsoft, Amazon, Google’s parent company Alphabet, and FaceFirst Inc. are alleged to have violated the BIPA by collecting photos for facial recognition data from the photo-sharing website, Flickr.

    The majority of BIPA lawsuits are filed against employers, as well as biometric timekeeping systems, that collect biometric data of employees through fingerprints or facial recognition scans. For example, in Figueroa v. Kronos Inc. and Bray v. Lathem Time Co., the plaintiffs’ employees allege that both of the defendant timekeeping system manufacturers violated BIPA by collecting biometric data without meeting the requisite notice and written consent requirements. Interestingly, the defendants each obtained different outcomes when challenging jurisdiction. In Bray, the court found that the plaintiff did not have personal jurisdiction because the company had no physical presence in Illinois and no connection to the state, but for the plaintiff’s employer’s use of its software. The defendant’s customers were employers, not the plaintiffs, and the data was collected outside of Illinois. But in Figueroa, the court found that the defendant sold thousands of its timekeeping systems within Illinois and that the collection of employee biometric information can create distinct duties under the BIPA to meet jurisdictional requirements. These opinions leave certain questions of personal jurisdiction unresolved but do indicate that contacts with Illinois can be most successfully established by showing data was collected within the state.

    How Can the Experts Help?

    The biggest question concerning the viability of a lawsuit under BIPA is whether the prospective defendants acted in compliance with statutory requirements. In the context of data storage, compliance experts in the cybersecurity fields can be helpful in establishing what constitutes “reasonable care” in the biometrics industry and if such a standard was met. If the standard was not met by the defendant, there is then the issue of whether such failure was negligent or reckless/intentional, which greatly affects the amount of damages rewarded. Likewise, though the BIPA limits disclosures to certain circumstances, compliance experts can set forth the proper procedure for handling such data requests and whether the disclosures (such as pursuant to a subpoena) were made lawfully.

    An important aspect of the BIPA’s notice requirement is that the collector must state the specific purpose of the data collection. It is likely that cybersecurity experts will be needed to explain or justify any alleged purpose. For example, some cybersecurity experts have held that biometrics data prevents identity theft by utilizing a more accurate means of identification aside from the usual password protections. Whether such a stated purpose is sufficient under BIPA, however, is an issue to be decided.

    Overall, the BIPA has opened the door for a number of lawsuits against social media and technology companies, places of employment, department stores, and many other facets of everyday life. As the importance of data privacy becomes more and more prevalent, these lawsuits will undoubtedly shift how the courts look at biometric data and its implications.