BIPA and the importance of conducting deal diligence into biometrics collection

By Henry Lebowitz and Jarrett Lewis, attorneys at Debevoise & Plimpton LLP
The Illinois biometrics law in transactional due diligence
Data privacy, data security and the protection of personal information have entered the zeitgeist. Legislatures are moving swiftly to increase regulation: comprehensive privacy laws are now in effect in California and Virginia, and Colorado, Connecticut and other states are not far behind. Prospective M&A buyers have responded by supplementing their standard diligence processes with targeted data security and data privacy diligence.
One law that has garnered significant attention in recent years is the Illinois Biometric Information Privacy Act (“BIPA”), which governs the use and storage of biometric information by private entities operating in Illinois. The law reflects the Illinois legislature’s conclusion that biometric personal information is particularly sensitive because (unlike other personal identifiers): “biometrics, which are biologically unique, once compromised are a risk for the remainder of the individual’s life.”
BIPA is notable in that it provides both a private right of action and statutory damages. This combination has resulted in class actions being filed against all manner of entities, from relatively small businesses to Fortune 100 companies. These cases have yielded a number of multi-million-dollar settlements and, most recently, a jury verdict in the amount of $228,000,000. Consequently, it is increasingly important that M&A due diligence include confirmation that the target company either does not collect biometric information in Illinois or does so in compliance with BIPA.
Conducting BIPA diligence
The threshold step in conducting BIPA diligence is to determine whether BIPA applies to the target. The text of the act provides that BIPA “applies to private entities operating in Illinois.” Consequently, any business that conducts business in Illinois is potentially subject to BIPA. Case law further clarifies that the alleged activity giving rise to the BIPA violation must occur primarily and substantially within Illinois.
The next inquiry is whether the company collects Biometric Identifiers or Biometric Information regulated under BIPA. The act defines a Biometric Identifier as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” Importantly, though, Biometric Information regulated under BIPA also includes “any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual.” So, BIPA regulates not only biometric identifiers themselves, but also other information based on or derived from such identifiers.
The statute also carves certain items out of the definition of Biometric Identifiers: “writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color” are not covered. Notably, although the statute exempts photographs themselves, some courts have indicated that scans of facial geometry derived from photographs may be covered by BIPA.
If the company collects information subject to BIPA, the next step in the diligence exercise is to determine whether the target satisfies all of BIPA’s regulatory requirements. Specifically, regulated companies must:
- Develop a publicly available written policy establishing a retention schedule and guidelines for permanently destroying Biometric Identifiers and Biometric Information;
- Obtain a written informed release from each individual whose Biometric Identifiers or Biometric Information are collected, after informing that person of the purpose of the collection and the ways in which the data is being collected, stored or used;
- Not profit from Biometric Identifiers or Biometric Information, whether through sale, lease or trade of such information; and
- Use a reasonable standard of care within the company’s industry, and at least the same level of care it uses for other confidential and sensitive information, to store, transmit and protect the biometric data.
Where there is reason to suspect that a target company is subject to BIPA, legal due diligence should include BIPA-specific requests and questions. Diligence counsel should request the target’s policies and procedures with respect to BIPA and otherwise governing the collection of Biometric Information. Where applicable, counsel should also obtain a copy of the form of informed BIPA release, coupled with confirmation (e.g., on a diligence call) that the form has been executed by all relevant individuals, including employees and customers. M&A buyers or their advisors should also review the target’s cyber insurance policies to confirm whether BIPA liability is covered or has been carved out by the insurer, and to confirm that post-closing coverage is available under such policies.
In the best case, of course, buyer’s counsel is able to conclude in diligence that the target has no BIPA exposure. Where, however, it appears that the target may have violated BIPA, it becomes important to estimate the target’s potential liability as closely as possible. In this regard, two highly anticipated, recently decided cases in the Illinois Supreme Court significantly affect any liability calculus. First, in Tims v. Black Horse Carriers, Inc., the Illinois Supreme Court determined that the statute of limitations is five years (and not one year) for all BIPA violations. Second, in a decision rendered just a few days ago, on February 17, 2023, the Illinois Supreme Court held in Cothron v. White Castle Sys., Inc. that a separate BIPA violation occurs at each instance of biometric information collection (e.g., every time the same employee enters the same facility using a biometric identifier such as a fingerprint), rather than only the first time an employee’s biometric information is collected. These decisions can be expected to significantly increase the quantum of damages available to plaintiffs and, therefore, presumably, the volume of litigation (and, particularly, class action litigation) arising under BIPA.
Future trends in biometric laws and diligence
Issues related to the collection of biometric information are certain to become increasingly salient in the coming years. Biometric information is collected today primarily for security-access authentication (e.g., fingerprint or facial scans to access a building), but technologists continue to find new uses for Biometric Identifiers, which will inevitably expand their collection. In addition, although BIPA is perhaps the best known law of its kind, Texas and Washington also have biometrics statutes, and Colorado, Connecticut and Virginia have enacted comprehensive privacy laws that require consent to process sensitive data, including biometric information. Similar legislation is being actively considered in other states as well. It is therefore advisable for dealmakers and their counsel to keep the collection and use of biometric information high on their list of legal due diligence topics wherever there is reason to believe BIPA or a similar law may apply.
About the authors
Henry Lebowitz is a corporate partner at Debevoise & Plimpton LLP and a member of the Intellectual Property and Technology Transactions Group. Jarrett Lewis is an associate and a member of the Mergers & Acquisitions Group.
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are that of the author, and don’t necessarily reflect the views of Biometric Update.