A regulatory minefield awaits private entities that collect biometric information, including requirements that the subject be notified about the data collection and receipt of prior written consent. Failure to comply could result in your business becoming the target of a class action lawsuit!
The Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14/1, et. seq., is the most comprehensive biometric privacy law in the United States. BIPA makes it illegal for any private entity to collect, capture, purchase, receive through trade, or otherwise obtain a person’s or a customer’s “biometric identifier” or “biometric information,” unless it first:
(1) informs the subject or the subject’s legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored;
(2) informs the subject or the subject’s legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and
(3) receives a written release executed by the subject of the biometric identifier or biometric information or the subject’s legally authorized representative.
740 ILCS 14/15(b)(1)-(3).
Under BIPA, “Biometric identifier” means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. “Biometric information” means any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual. Biometric information does not include information derived from items or procedures excluded under the definition of biometric identifiers.
740 ILCS 14/10.
BIPA requires that biometric data be safeguarded in the same (or a more protective) way and that other confidential information is protected using a reasonable standard of care (740 ILCS 14/15(e)). BIPA also expressly prohibits private entities from:
- Selling, leasing, or otherwise profiting from an individual’s biometric data under any circumstances (740 ILCS 14/15(c)).
- Disclosing or redisclosing an individual’s biometric data, unless:
- The individual consents to the disclosure;
- The disclosure completes a financial transaction that the individual authorized;
- Federal, state, or local law requires the disclosure; or
- The disclosure is authorized by a warrant or subpoena.
740 ILCS 14/15(d).
BIPA creates a private cause of action for any person “aggrieved” by violation of the statute. A prevailing party may recover for each violation:
(1) against a private entity that negligently violates a provision of this Act, liquidated damages of $1,000 or actual damages, whichever is greater;
(2) against a private entity that intentionally or recklessly violates a provision of this Act, liquidated damages of $5,000 or actual damages, whichever is greater;
(3) reasonable attorneys’ fees and costs, including expert witness fees and other litigation expenses; and
(4) other relief, including an injunction, as the State or federal court may deem appropriate.
740 ILCS 14/20.
Significantly, the Illinois Supreme Court recently decided that a person need not plead and prove actual injury to qualify as “aggrieved” under the Act. Rosenbach v. Six Flags Entertainment Corporation, 432 Ill.Dec. 654, 664, 129 N.E.3d 1197 (2019).
BIPA was enacted in 2008 but got little notice until 2014 when social media users began filing class action lawsuits against Google, Facebook, Shutterfly and Snapchat. Since 2014, there have been hundreds of class action lawsuits filed seeking damages as a result of alleged BIPA violations.
Examples of businesses that have been named in BIPA class action complaints include employers that use biometric data for employees to punch in and punch out of work, Rogers v. CSX Intermodal Terminals, Inc., 2019 WL 4201570, *2 n.3 (N.D. Ill. Sept. 5, 2019); an amusement park that used customers’ fingerprints for issuance of season passes, Rosenbach v. Six Flags Entertainment Corporation, 432 Ill.Dec. 654 2019; retailers that utilize facial geometry for age verification purposes, Flores v. JUUL Labs, Inc., 2019 CH 12935, Circuit Court of Cook County, Illinois; tanning salons whose customers’ fingerprints were scanned for identification and access purposes, Sekura v. Krishna Schaumburg Tan, Inc., 2018 Ill. App. (1st) 180175 (1st Dist. 2018); a video game manufacturer whose customers submitted to facial scanning to create avatars in their likeness, Santana v. Take–Two Interactive Software, Inc., 717 Fed. Appx. 12, No. 17-303, 2017 WL 5592589 (2d Cir. 2017); a retailer that uses customers’ fingerprints as a “key” to use electronic lockers, luggage carts, commercial strollers, and massage chairs for use in public places for a fee. McCollough v. Smarte Carte, Inc., No. 16 C 03777, 2016 WL 4077108 (N.D. Ill. Aug. 1, 2016) and a website operator that uses “state-of-the-art facial recognition technology” to extract biometric identifiers from photographs that users upload. Patel v. Facebook Inc., 290 F.Supp.3d 948 (N.D. Cal. 2018), affirmed, 932 F.3d 1264 (2019), cert. denied, ___ S.Ct. ___, 2020 WL 283288 (January 21, 2020). With more than one billion unique users, should the Patel plaintiffs prevail in their case, just the civil penalties Facebook faces are staggering.
Regardless of whether biometric identifiers and biometric information are collected in an employment, retail or on-line setting, the common themes in BIPA lawsuits are: (a) alleged failure to adopt policies required by the Act; and (b) the alleged failure to obtain informed consent of the persons whose biometric information is being collected.
Private entities collecting biometric information must adopt and adhere to policies that safeguard that data. They also must inform those from whom the data is collected of those policies and obtain written consent or face potential class action exposure under BIPA. These requirements can be complex and may seem daunting.
Fortunately, we can assist private entities that collect biometric information from employees or customers to adopt and implement policies that comply with BIPA. Should the need arise, we also can help those facing potential BIPA claims.
John F. Sullivan is a partner in Plunkett Cooney's Chicago office, who maintains a diverse litigation practice. A member of several firm practice groups, Mr. Sullivan’s litigation expertise includes complex commercial ...
Add a comment
- Commercial Liability
- Business Risk Management
- Business Torts
- Civil Litigation
- Alternative Dispute Resolution (ADR)
- Commercial Real Estate
- Trade Secrets
- Litigation Discovery
- Corporate Formation
- Commercial Leasing
- Real Estate
- Real Estate Mortgages
- Commercial Loans
- Mortgage Foreclosure
- Regulatory Law
- Shareholder Liability
- Risk Management
- Fraud Activity
- Cyber Attack
- Tax Law
- Damages Recovery
- Class Action
- Product Liability
- Biometric Data
- Banking Law
- Statute of Limitations
- Noncompete Agreements
- Internet Law
- Consumer Protection
- Residential Liability
- Zoning and Planning
- Department of Education (DOE)
- Fair Debt Collection Practices Act
- Fair Credit Reporting Act
- Unfair Competition
- Uniform Commercial Code (UCC)
- 10 Things About Trade Secrets you may not but Should Probably Know
- What New Lawyers Bring to the Practice of Law
- What Rights do Limited Liability Company Minority Members Really Have?
- Arbitration or the Courtroom, Who Decides?
- Wait, I Have to Pay my Own Attorney? But I Won the Case?
- Preliminary Injunctions in Michigan, the More They Change the More They Stay the Same
- President Biden Signs Cryptocurrency Executive Order Establishing Whole-of-Government Approach to Regulating Digital Assets Industry
- My 5 Lessons Learned from the COVID-19 Pandemic
- Am I at Fault for Breach of Contract if the Other Party Breached It First?
- Maximizing Damages Recovery in Michigan's District Courts Challenged by Jurisdiction Limits