Don't Bet the Business

A regulatory minefield awaits private entities that collect biometric information, including requirements that the subject be notified about the data collection and receipt of prior written consent. Failure to comply could result in your business becoming the target of a class action lawsuit!

The Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14/1, et. seq., is the most comprehensive biometric privacy law in the United States. BIPA makes it illegal for any private entity to collect, capture, purchase, receive through trade, or otherwise obtain a person’s or a customer’s “biometric identifier” or “biometric information,” unless it first:

(1) informs the subject or the subject’s legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored;

(2) informs the subject or the subject’s legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and

(3) receives a written release executed by the subject of the biometric identifier or biometric information or the subject’s legally authorized representative. 

740 ILCS 14/15(b)(1)-(3).

Under BIPA, “Biometric identifier” means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. “Biometric information” means any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual. Biometric information does not include information derived from items or procedures excluded under the definition of biometric identifiers.

740 ILCS 14/10.

BIPA requires that biometric data be safeguarded in the same (or a more protective) way and that other confidential information is protected using a reasonable standard of care (740 ILCS 14/15(e)).  BIPA also expressly prohibits private entities from:

• Selling, leasing, or otherwise profiting from an individual’s biometric data under any circumstances (740 ILCS 14/15(c)).
• Disclosing or redisclosing an individual’s biometric data, unless:
  • The individual consents to the disclosure;
  • The disclosure completes a financial transaction that the individual authorized;
  • Federal, state, or local law requires the disclosure; or
  • The disclosure is authorized by a warrant or subpoena.

740 ILCS 14/15(d).

BIPA creates a private cause of action for any person “aggrieved” by violation of the statute. A prevailing party may recover for each violation:

(1) against a private entity that negligently violates a provision of this Act, liquidated damages of $1,000 or actual damages, whichever is greater;

(2) against a private entity that intentionally or recklessly violates a provision of this Act, liquidated damages of $5,000 or actual damages, whichever is greater;

(3) reasonable attorneys’ fees and costs, including expert witness fees and other litigation expenses; and

(4) other relief, including an injunction, as the State or federal court may deem appropriate.

740 ILCS 14/20.

Significantly, the Illinois Supreme Court recently decided that a person need not plead and prove actual injury to qualify as “aggrieved” under the Act. Rosenbach v. Six Flags Entertainment Corporation, 432 Ill.Dec. 654, 664, 129 N.E.3d 1197 (2019).

BIPA was enacted in 2008 but got little notice until 2014 when social media users began filing class action lawsuits against Google, Facebook, Shutterfly and Snapchat. Since 2014, there have been hundreds of class action lawsuits filed seeking damages as a result of alleged BIPA violations.

Examples of businesses that have been named in BIPA class action complaints include employers that use biometric data for employees to punch in and punch out of work, Rogers v. CSX Intermodal Terminals, Inc., 2019 WL 4201570, *2 n.3 (N.D. Ill. Sept. 5, 2019); an amusement park that used customers’ fingerprints for issuance of season passes, Rosenbach v. Six Flags Entertainment Corporation, 432 Ill.Dec. 654 2019; retailers that utilize facial geometry for age verification purposes, Flores v. JUUL Labs, Inc., 2019 CH 12935, Circuit Court of Cook County, Illinois; tanning salons whose customers’ fingerprints were scanned for identification and access purposes, Sekura v. Krishna Schaumburg Tan, Inc., 2018 Ill. App. (1st) 180175 (1^st Dist. 2018); a video game manufacturer whose customers submitted to facial scanning to create avatars in their likeness, Santana v. Take–Two Interactive Software, Inc., 717 Fed. Appx. 12, No. 17-303, 2017 WL 5592589 (2d Cir. 2017); a retailer that uses customers’ fingerprints as a “key” to use electronic lockers, luggage carts, commercial strollers, and massage chairs for use in public places for a fee. McCollough v. Smarte Carte, Inc., No. 16 C 03777, 2016 WL 4077108 (N.D. Ill. Aug. 1, 2016) and a website operator that uses “state-of-the-art facial recognition technology” to extract biometric identifiers from photographs that users upload. Patel v. Facebook Inc., 290 F.Supp.3d 948 (N.D. Cal. 2018), affirmed, 932 F.3d 1264 (2019), cert. denied, ___ S.Ct. ___, 2020 WL 283288 (January 21, 2020). With more than one billion unique users, should the Patel plaintiffs prevail in their case, just the civil penalties Facebook faces are staggering.

Regardless of whether biometric identifiers and biometric information are collected in an employment, retail or on-line setting, the common themes in BIPA lawsuits are:  (a) alleged failure to adopt policies required by the Act; and (b) the alleged failure to obtain informed consent of the persons whose biometric information is being collected.

Private entities collecting biometric information must adopt and adhere to policies that safeguard that data. They also must inform those from whom the data is collected of those policies and obtain written consent or face potential class action exposure under BIPA. These requirements can be complex and may seem daunting.

Fortunately, we can assist private entities that collect biometric information from employees or customers to adopt and implement policies that comply with BIPA. Should the need arise, we also can help those facing potential BIPA claims.