Data at Your Fingertips
The Illinois Biometric Information Privacy Act (“BIPA”)
The Illinois Biometric Information Privacy Act (“BIPA”) regulates the storage and sale of biometric data—most simply, information regarding a person’s body measurements—and affords consumers the right to sue businesses that fail to comply. BIPA was enacted in 2008, but it wasn’t until 2015 that the first BIPA lawsuit was filed. However, BIPA proved to be ahead of its time. BIPA litigation has taken off over the last few years, as hundreds of BIPA cases have been filed and this trend is anticipated to continue.
This growth is due in part to a series of plaintiff-favorable rulings from both the Illinois Supreme Court and the federal Courts of Appeal. More fundamentally, however, BIPA is poised to have a material impact on the privacy landscape because of the scope of biometric information it protects and the routine ways in which this data is now collected.
Biometric information protected under BIPA can include data as intrusive as DNA or fingerprints, and as benign as your phone identifying your friends in a group photo so you can tag them. And the capture of biometric information has now become commonplace compared to twelve years ago when BIPA passed: we now unlock our phones with our faces, gain access to computers and clock into work via fingerprints, and use voice-matching verification to prove our identity to financial institutions. BIPA recognizes that consumer biometric features are permanent—we can’t change this stuff about ourselves—which is precisely why it is so useful to gain access to sensitive information. But if consumer biometric data falls into the wrongs hands, there’s no way to limit the risk consumers face from that breach or loss—you can change a password, but not your retina scan.
BIPA was designed as one of the strongest privacy laws in the US and a failure to understand its impact on your business can have truly dire consequences. To understand the context in which BIPA privacy litigation arises, read on below.
What Biometric Data Is Protected Under BIPA?
At its core, BIPA protects the “biometric information” of Illinois residents, which is any information based on “biometric identifiers” that identifies a specific person—regardless of how it is captured, converted, stored, or shared. 740 ILCS 14/10. Biometric identifiers are “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” Id. (collectively, with “biometric information,” “biometric data”).
Are There Any Exclusions to the Data Protected Under BIPA?
There are several notable exclusions from the scope of what is a biometric identifier under BIPA, including but not limited to:
- Writing samples, written signatures, and photographs;
- Human biological samples used for valid scientific testing or screening;
- Demographic data;
- Tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color;
- Information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under HIPAA; or
- An X-ray, MRI, PET scan, mammography, or other image or film of the human anatomy used to diagnose, prognose, or treat an illness or other medical condition or to further validate scientific testing or screening.
740 ILCS 14/10. The statute additionally clarifies that biometric information does not include information derived from items or procedures excluded under the definition of biometric identifiers. Id.
What Entities Are Covered Under BIPA?
BIPA regulates “private entities,” which are “any individual, partnership, corporation, limited liability company, association, or other group, however organized.” 740 ILCS 14/10. The statute expressly excludes from the definition of “private entity” state or local government agencies as well as Illinois state courts and its judges and clerks. Id.
Additionally, BIPA also has a rule of construction that further excludes from the statute’s scope, among other things:
- A financial institution or an affiliate of a financial institution that is subject to Title V of the federal Gramm-Leach-Bliley Act of 1999 and the rules promulgated thereunder, and
- A contractor, subcontractor, or agent of a State agency or local unit of government when working for that State agency or local unit of government.
740 ILCS 14/25. The bottom line is that most entities operating in the private sector are covered by BIPA and have exposure risks for noncompliance.
What Does BIPA Require?
BIPA regulates how private entities collect, use, and share the biometric data of Illinois residents. It imposes five distinct obligations:
- Written Retention and Destruction Policy: Private entities in possession of biometric data must develop a written policy (made available to the public) establishing a biometric data retention schedule. This policy also must include guidelines for permanently destroying biometric data.
- Written Release: BIPA prohibits private entities from collecting any biometric data without a person’s informed, written consent obtained in advance of the collection.
- Prohibition Against Profiting From Biometric Data: BIPA prohibits private entities in possession of biometric data from selling, leasing, trading or otherwise profiting from biometric data. Notably, private entities cannot circumvent this prohibition by obtaining consent from the individual.
- Restrictions on Disclosure: Further, under BIPA private entities in possession of biometric data may not “disclose, redisclose, or otherwise disseminate” it unless (i) an individual consents or (ii) the disclosure is required for a specific purpose set forth in the statute. This would include, for instance, when the disclosure is necessary to complete a financial transaction, required by law, or pursuant to a valid warrant or subpoena.
- Industry-Specific “Reasonable” Security Requirements: A private entity must use reasonable standards of care in the processing of biometric data. However, BIPA requires that the definition of “reasonableness” is informed by the entity’s industry standard of care. Additionally, the level of security utilized must also be in a similar, if not more protective, manner as the private entity uses for other confidential and sensitive information (including, among others, Social Security number, passcodes, and account numbers).
740 ILCS 14/15.
How is BIPA Enforced?
Unlike most state privacy statutes which are enforced only by state attorneys general, BIPA includes a private right of action that permits any aggrieved person to recover per BIPA violation:
- Liquidated damages of $1,000 or actual damages (whichever is greater) for negligent violations; and
- Liquidated damages of up $5,000 or actual damages (whichever is greater) for intentional or reckless violations.
740 ILCS 14/20. Plaintiffs may also recover reasonable attorney’s fees and costs (including expert witness fees and other litigation expenses) and seek other relief available (including an injunction). Id.
Are There Other Considerations For a Plaintiff Bringing a BIPA Claim?
BIPA litigation has been bolstered by a series of favorable rulings regarding what is required for a plaintiff to have standing to bring a claim under the statute.
The Illinois Supreme Court’s concluded in Rosenbach v. Six Flags in 2019 that a consumer need not demonstrate an adverse effect or specific harm (such as evidence that personal information was stolen or misused) to have standing to sue under BIPA. 129 N.E.3d 1197 (Ill. 2019). In other words, a procedural violation of the law itself can suffice to support a private right of action under BIPA in Illinois state court.
Many BIPA cases are filed as a class and subsequently removed to federal court. The federal threshold for Article III standing requires that a plaintiff demonstrate concrete and particularized harm rather than a mere alleged procedural violation in the absence of such harm, as set forth in Spokeo v. Robins, 136 S. Ct. 1540 (2016).
The Seventh Circuit Court of Appeals concluded in May 2020 that at least some requirements of BIPA regarding the unauthorized collection of biometric data create an obligation to the individual, constituting a concrete and particularized injury for purposes of Article III. Bryant v. Compass Grp. USA, Inc., 20-1443 (decided May 5, 2020). The same conclusion was not reached, however, for a BIPA claim for failing to make publicly available a data retention policy because that duty (according to the Court) belongs to the public. The Ninth Circuit Court of Appeals has similarly found Article III standing for alleged BIPA violations, although the Second Circuit has held otherwise.
This remains an area of development to watch going forward, with implications for when BIPA litigation, including BIPA class actions, may be removed to federal court. This is because, as with Bryant, most BIPA lawsuits include claims under multiple statutory subsections making strategic decisions on removal of heightened importance to avoid having to defend litigation concurrently in multiple forums.
Are There Any Preemption Issues Implicated by BIPA?
There has been a tendency among employers to use biometric readers for employee timekeeping purposes, particularly those in the hospitality and travel industry. Employers in Illinois should be aware of and in compliance with their obligations under BIPA, as an increasing number of lawsuits have been filed by employees concerning these practices. These cases generally do not allege the unauthorized disclosure or misuse of this biometric data and instead concern alleged failures to follow BIPA’s specific notice and consent requirements.
For these lawsuits preemption continues to be a reoccurring issue, particularly when federally regulated industries or unionized workers are at play. By way of example, the Seventh Circuit Court of Appeals and district courts within the Seventh Circuit have held that BIPA claims brought by unionized airline workers are preempted by the Railway Labor Act, because the claims could not be resolved without interpretation of the collective bargaining agreement governing plaintiffs’ employment. The plaintiffs in that case had pursue to their claims in arbitration and/or before an adjustment board—not federal court.
What Else is Important For Litigation Under BIPA?
The body of BIPA case law continues to evolve in response to new technologies and creative plaintiffs’ lawyers. As just one example, while the definitions of “biometric information” and “biometric identifiers” may seem relatively clear, the courts have taken a widespread view of what is and is not included for purposes of compliance with BIPA.
There have been several instances where the courts have concluded that creating facial mapping from uploaded pictures is in conflict with BIPA. This interpretation seems to go against BIPA’s definitions, which on their face (pun intended) state that because a photograph is excluded from the scope of biometric identifiers, then information derived from it is not biometric information covered under BIPA.
While these rulings will influence defense strategies in future cases, private entities considering application of biometric technology should also thoroughly consider BIPA-related risks beyond the text of the statute.
The collection and use of biometric data is increasing on a daily basis, and questions surrounding its use will continue to generate litigation, including in relation to BIPA. All businesses should evaluate whether they collect biometric and perform a detailed assessment of whether BIPA applies to them. As noted above, this is a complex and evolving analysis. Our Data Privacy & Cybersecurity practice group can help you determine whether, and to what extent, BIPA impacts your business and your biometric data practices. If BIPA applies, our experts can advise you on what measures should be taken to comply with the law, including providing notice, obtaining written consent, and adhering to BIPA’s retention, disclosure, and security requirements. As BIPA claims continue to be filed, Consumer Privacy World is your first stop to stay informed on this evolving body of law and other relevant developments. Stay tuned.