The Illinois Biometric Information Privacy Act: What Makes a Winning Case?

    Technology is an ever-changing, omnipresent aspect of our everyday lives. As such, there is an increasing number of ways our privacy and personal information can be compromised. Biometric data—physical characteristics of a person that can be used as a digital identifier such as fingerprints or facial recognition—presents its own unique privacy complications and questions over legal protections.

    Lawmakers created the Illinois Biometric Information Privacy Act (BIPA) to address these very questions. The Illinois General Assembly passed the Act in 2008. BIPA’s purpose was to address the risks involved in technology’s use of biometrics. Additionally, lawmakers wanted to give harmed plaintiffs a private right of action against privacy violations.

    Since the BIPA became law, Illinois attorneys have brought a number of related lawsuits. This has established important precedent, while also setting trends for future legal issues. Here, we’ll examine the Act itself and explore how to determine the viability of a lawsuit claiming BIPA violations.

    What is the BIPA?

    State lawmakers established the Illinois Biometric Information Privacy Act in response to the growing use of, and related public concern over, biometric data. As the Act states: “The public welfare, security, and safety will be served by regulating the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.” According to the BIPA, biometric identifiers are defined as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” This definition doesn’t include things like writing samples, biological samples used for scientific or medical reasons, physical descriptions, or demographic data.

    What Does BIPA Protect?

    The BIPA addresses four major concerns of biometric information—its retention, collection, disclosure, and destruction. It requires any private entity collecting biometric data to inform subjects of the data collection. Companies must also provide the specific purpose and the length of term for the collection. Notably, the subject must also provide a written release. The BIPA prohibits any private entity from selling the data, even with consent. Disclosures may only be made with consent and for a specific purpose (i.e., required by law or pursuant to a warrant). The BIPA also requires that the data be protected using the same reasonable standard of care within the industry, or by “more protective” measures.

    Under the BIPA, any person harmed by a violation of the Act has a private right of action. Plaintiffs may recover liquidated damages of $1,000 for each violation or actual damages, whichever is greater, for negligent violations. For intentional or reckless violations, plaintiffs are entitled to $5,000 in liquidated damages or actual damages, whichever is greater.

    Establishing Precedent Under BIPA

    BIPA became law in 2008. However, plaintiff lawsuits did not appear until 2015. The majority of cases appeared between 2017 and 2019, for a total number of 324 cases filed as of the end of 2020. A number of court decisions during this period have given future plaintiffs an idea as to whether their own suits are viable.

    In 2019, the Illinois Supreme Court ruled in Rosenbach v. Six Flags Entertainment Corp. that an individual does not need to demonstrate actual harm to establish that they are aggrieved under the BIPA. In Rosenbach, the plaintiff alleged that the defendant theme park used a fingerprint scan to capture her biometrics without her knowledge or consent. The court found that plaintiffs could still file suit based on a violation of the Act, without an actual injury, largely due to the deterrent aspect of the BIPA.

    However, in federal court, plaintiffs must show that they suffered concrete injuries to satisfy Article III standing. For example, in Rivera v. Google, Inc., the U.S. District Court for the Northern District of Illinois dismissed a BIPA lawsuit against Google, holding that the plaintiffs did not suffer any concrete injury in connection to Google’s photo storage that creates face templates of uploaded photos. Given this significant difference in standing requirements between state and federal courts, attorneys and potential plaintiffs must carefully consider the alleged injuries before choosing a jurisdiction.

    After Rosenbach, plaintiffs filed a number of class actions in Illinois court, regardless of actual injury. This also prompted substantial settlements. For instance, in January 2020, Facebook paid $550 million to settle a class action lawsuit alleging BIPA violations. The plaintiffs claimed that Facebook collected facial recognition data from user images without disclosure or consent.

    Pending BIPA Litigation

    Currently, a number of lawsuits are pending under the BIPA. Motorola and Vigilant are facing lawsuits for allegedly collecting mugshots that were then used as a database for law enforcement. Similarly, Clearview AI is being sued for its facial recognition technology and its alleged sales to the Chicago Police Department. In a crop of new lawsuits in California and Washington, a number of tech giants are facing BIPA violation claims. Microsoft, Amazon, Google’s parent company Alphabet, and FaceFirst Inc. are alleged to have violated the BIPA by collecting photos for facial recognition data from the photo-sharing website, Flickr.

    The majority of BIPA lawsuits are filed against employers, as well as makers of biometric timekeeping systems, that collect biometric data of employees through fingerprints or facial recognition scans. For example, in Figueroa v. Kronos Inc. and Bray v. Lathem Time Co., the plaintiff employees allege that both of the defendant timekeeping system manufacturers violated BIPA. The systems collected biometric data without meeting the requisite notice and written consent requirements. Interestingly, the defendants each obtained different outcomes when challenging jurisdiction.

    In Bray, the court found that it did not have personal jurisdiction over the defendant because the company had no physical presence in Illinois. Further, the company had no connection to the state, but for the plaintiff’s employer’s use of its software. The defendant’s customers were employers, not the plaintiffs. Plus, the data collection occurred outside of Illinois.

    But in Figueroa, the court found that the defendant sold thousands of its timekeeping systems within Illinois and that the collection of employee biometric information can create distinct duties under the BIPA to meet jurisdictional requirements. These opinions leave certain questions of personal jurisdiction unresolved. However, the decisions indicate that establishing an Illinois connection depends on demonstrating in-state data collection.

    How Can the Experts Help?

    The biggest question surrounding viability of a BIPA lawsuit is whether the prospective defendants acted in compliance with statutory requirements. In the context of data storage, compliance experts in the cybersecurity fields can be helpful in establishing what constitutes “reasonable care” in the biometrics industry and if such a standard was met. If a defendant did not meet the standard, there is then the issue of whether such failure was negligent or reckless/intentional. This determination greatly affects the amount of potential damages. Likewise, though the BIPA limits disclosures to certain circumstances, compliance experts can set forth the proper procedure for handling such data requests and whether the disclosures (such as pursuant to a subpoena) were made lawfully.

    An important aspect of the BIPA’s notice requirement is that the collector must state the specific purpose of the collection. Cybersecurity experts will need to explain or justify any alleged purpose. For example, some cybersecurity experts have held that biometric data prevents identity theft by utilizing a more accurate means of identification aside from the usual password protections. It’s undecided, however, whether such a stated purpose is sufficient under BIPA.

    Overall, the BIPA has opened the door for a number of lawsuits against technology companies, employers, department stores, and more. The importance of data privacy will only continue to grow. In turn, these lawsuits will undoubtedly shift how the courts look at biometric data and its implications.