The Illinois Biometric Information Privacy Act (“BIPA”) went into effect in 2008 and has been a steady source of litigation ever since. This post summarizes the obligations BIPA imposes, the current state of BIPA litigation, and what steps businesses can take to reduce litigation risks.
What is BIPA?
The stated intent of BIPA was to address the heightened risk of identity theft associated with the processing of biometric data. The legislator’s findings state that, “unlike other unique identifiers that are used to access finances or other sensitive information,” when biologically unique data is compromised, “the individual has no recourse” because the individual cannot change these identifiers.
Scope: BIPA regulates how “private entities” collect, use, and share “biometric information” and “biometric identifiers” (collectively, “biometric data”), and imposes certain security requirements.
- A “private entity” is any individual, partnership, corporation, limited liability company, association, or other group, however organized.
- “Biometric information” means any information, “regardless of how it is captured, converted, stored, or shared,” based on an individual’s biometric identifier used to identify an individual. Biometric information does not include information derived from items or procedures excluded under the definition of “biometric identifier.”
- “Biometric identifier” means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. The law expressly excludes certain data elements from the definition of “biometric identifier” (e.g., writing samples, photographs, tattoo descriptions, information captured in a health care setting or under HIPAA, etc.).
Exclusions: BIPA excludes certain types of entities, including financial institutions subject to the Gramm-Leach-Bliley Act of 1999, governmental entities and agencies, and contractors to governmental entities or agencies.
Obligations: BIPA imposes five distinct obligations:
(1) Written retention and destruction policy: Private entities in possession of biometric data must develop a written policy (made available to the public) establishing a retention schedule and guidelines for permanently destroying biometric data.
(2) Written release: BIPA prohibits private entities from obtaining biometric data without informed written consent.
(3) Prohibition against profiting (even with consent): BIPA prohibits private entities in possession of biometric data from selling, leasing, trading or otherwise profiting from biometric data.
(4) Restrictions on disclosure: Private entities in possession of biometric data may not “disclose, redisclose, or otherwise disseminate” it unless consent is obtained or the disclosure is required for specific purposes (e.g., the disclosure is necessary to complete a financial transaction, required by law, or pursuant to a valid warrant or subpoena).
(5) Security requirements: A private entity in possession of biometric data must use reasonable standards of care applicable to the entity’s industry and in a similar, if not more protective, manner as the entity uses for other confidential and sensitive information (defined to by reference to a list of elements that includes, among others, Social Security number, passcodes, and account numbers).
Enforcement: The most striking aspect of BIPA is that it includes a private right of action that enables any person aggrieved to recover “for each violation” liquidated damages of $1,000 or actual damages (whichever is greater) for negligent violations and liquidated damages of up $5,000 or actual damages (whichever is greater) for intentional or reckless violations. Plaintiffs may also recover reasonable attorney’s fees and costs (including expert witness fees and other litigation expenses) and seek other relief available (including injunction). As discussed in the next section, this has given rise to steady litigation that has led to significant payouts.
BIPA litigation: The State of Play
In a prior post, we discussed the Illinois Supreme Court’s ruling in Rosenbach v. Six Flags in January 2019, concluding that a consumer need not demonstrate an adverse effect or specific harm (such as evidence that personal information was stolen or misused) to have standing to sue under BIPA. In other words, a procedural violation of the law itself is sufficient to support a private right of action under BIPA. This ruling gave real teeth to the 200-plus BIPA complaints already filed in Illinois at that time.
While it may be less of a challenge to establish standing in Illinois State court since January 2019, plaintiffs could still struggle with Article III standing issues in federal courts. In December 2018, the U.S. District Court for the Northern District of Illinois in Rivera v. Google granted Google summary judgment and dismissed the plaintiffs’ claims for lack of subject matter jurisdiction because it determined that the plaintiffs had not satisfied the Article III “injury in fact” standing requirement to sue. See our previous post discussing this case.
Cases filed in State court have led to significant settlements, some well into the hundreds of thousands. Facebook’s recent announcement of a large settlement to resolve BIPA litigation brought in the Northern District of California will likely result in an increase in BIPA litigation. The plaintiffs in that suit convinced the Ninth Circuit of Appeals that “violations of the procedures in BIPA actually harm or pose a material risk of harm” such that they confer Article III standing. Patel v. Facebook, Inc., 932 F.3d 1264, 1275 (9th Cir. 2019). According to The Washington Post, after the Supreme Court declined to review the Ninth Circuit’s decision, Facebook agreed to resolve the case for a substantial sum; that settlement is set to be presented to the court for preliminary approval on March 12, 2020.
What Can You Do to Help Avoid BIPA exposure?
There is a continued trend toward the regulation of biometric data, and issues around its processing are likely to continue to generate litigation. All businesses should evaluate whether they collect biometric data (e.g., fingerprints, facial scans, voiceprints) and assess whether BIPA applies to them. If BIPA applies, the business should take steps to comply with the law as soon as possible, including providing notice, obtaining written consent, and adhering to BIPA’s retention, disclosure, and security requirements.
If your company needs assistance determining whether BIPA applies or what steps to take to comply, please contact any of the following members of our Data Privacy & Cybersecurity team:
Lydia de la Torre, Of Counsel, Palo Alto, CA
Elliot Golding, Partner, Washington, DC