What businesses need to know about Illinois’ Biometric Information Privacy Act
This is a guest post by Ana Tagvoryan, Jeffrey N. Rosenthal and David J. Oberly, attorneys at Blank Rome LLP.
This is the first article in a two-part series examining Illinois’ Biometric Information Privacy Act (BIPA) and the recent flood of class action lawsuits alleging biometric privacy law violations. This article explains the legal requirements of BIPA, and the impact of the Illinois Supreme Court’s January 2019 Rosenbach v. Six Flags Entertainment Corp. decision, which opened the gates for individuals to sue businesses utilizing biometric data for mere technical or procedural violations. The second article provides tips and strategies for corporate defendants to effectively defend against BIPA class action suits.
Overview of biometric data use.
Biometric data generally encompasses unique, measurable human biological or behavioral characteristics—including fingerprints, voiceprints, and scans of the hand or face geometry—used for identification and authentication purposes. Indeed, finger and facial recognition has become so commonplace that most would not think twice before using biometrics to log in to their smartphone; take and organize pictures in their mobile photo app; or authenticate credit card transactions. Biometric data is also widely used by employers to provide secure building access; track employee time and attendance; and authenticate users’ identities for increased computer and mobile device login security.
Importantly, biometric data is different from Social Security numbers and other forms of personally identifiable information (PII) that are unique to specific individuals. And the theft of biometric data can be more problematic than the theft of other types of PII because biometric data cannot be changed; once compromised, that biometric data has forever lost its ability to be used as a secure identification mechanism.
The Illinois Biometric Information Privacy Act (BIPA)
The Illinois Biometric Information Privacy Act (BIPA), enacted in 2008, was designed to help regulate the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information. BIPA is generally considered the most stringent of all state laws of this type. The purpose of BIPA is to give individuals control over a private entity’s use of their biometric information by requiring notice and prior consent.
Under BIPA, a “private entity”—defined as any individual, partnership, corporation, limited liability company, or other group—cannot collect or store biometric data without first providing notice, obtaining written consent, and making certain disclosures. Covered entities are also required to develop a written policy establishing a retention schedule and guidelines for permanently destroying biometric data. BIPA also bars covered companies from selling or profiting from the biometric data they collect, and requires them to protect biometric data using the reasonable standard of care within the private entity’s industry, and in a manner that is the same as or more protective than the manner in which the organization protects other sensitive information.
BIPA’s requirements are enforceable through a private right of action; specifically, BIPA provides any person “aggrieved” by a violation of its provisions “shall have a right of action . . . against an offending party,” and may recover for each violation the greater of liquidated damages or actual damages, reasonable attorney’s fees and costs, and any other relief the court deems appropriate, including injunctive relief.
The rise in BIPA litigation following the Rosenbach decision.
While the law has been in effect for 11 years, the real turning point of BIPA litigation took place in the beginning of 2019, when the Illinois Supreme Court issued its decision in Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Ill. 2019). In Rosenbach, Illinois’s highest court significantly altered the playing field when it held plaintiffs may pursue BIPA claims for mere technical violations of the law, even where no actual harm or damage is sustained. In doing so, the decision eliminated the essential requirement of having to demonstrate an actual injury or harm to pursue legal recourse for alleged BIPA violations. Instead, it is enough to allege in a state court action that a business entity merely ran afoul of BIPA’s notice, consent, or disclosure requirements. Not surprisingly, the decision led to a spike in the number of BIPA class action filings immediately following this extremely plaintiff-friendly ruling, by which plaintiffs did not need to allege, let alone establish, actual harm or injury to maintain a cognizable claim under BIPA. Included in these lawsuits are actions against social media and technology giants Facebook and Google for purported violations of BIPA stemming from their use of facial recognition technology. And while corporate behemoths like Facebook and Google have recently captured headlines, smaller business entities have also found themselves the target of BIPA class actions.
Rosenbach opened the floodgates to a new wave of extremely costly litigation, with attendant damages some consider disproportionate to the nature and extent of the violation. Accordingly, what makes BIPA especially attractive to plaintiffs’ attorneys is the private right of action provision, which allows for statutory damages of $1,000 per “negligent” violation and $5,000 per “intentional” or “reckless” violation. These statutory damages—which, again, can be recovered in state court for mere technical violations of the law—provide noteworthy incentives for plaintiffs’ attorneys to pursue class action litigation. To make matters even worse for defendants, some plaintiffs’ attorneys are alleging each use of biometric data by a defendant—for example, each individual “scan” of a photograph or fingerprint—forms the basis for a separate, independent infringement of BIPA. Under this theory, the potential damages in BIPA litigation can quickly skyrocket into the billions.
Given the significant uptick in BIPA class action filings since Rosenbach, companies that utilize biometric data in the course of their business operations must be prepared to forcefully defend against this type of high-stakes class action litigation. Fortunately, there are several stringent defenses that can be utilized to defeat, or at least limit, exposure. Properly leveraged, these defenses—which will be discussed in our companion piece—can be systematically deployed to completely extinguish, or significantly trim, BIPA claims in a variety of differing circumstances.
About the authors
Ana Tagvoryan is a partner at Blank Rome LLP and serves as chair of the Firm’s Privacy Class Action Defense group and vice chair of the Corporate Litigation group. Jeffrey N. Rosenthal is a partner at Blank Rome LLP. He concentrates his complex corporate litigation practice on consumer and privacy class action defense, and regularly publishes and presents on class action trends, attorney ethics and social media law. David J. Oberly is an associate at Blank Rome LLP and is also a member of the Firm’s Cybersecurity & Data Privacy group.
DISCLAIMER: BiometricUpdate.com blogs are submitted content. The views expressed in this blog are those of the author, and don’t necessarily reflect the views of BiometricUpdate.com.