Taking the Measure of the Biometric Information Privacy Act

You may have recently seen many of your online friends posting pictures that matched them with their supposed lookalikes in paintings, but this feature was not available to Illinoisans. This blackout was the first encounter many people had with the Illinois Biometric Information Privacy Act, 740 ILCS 14/1 et seq. (“BIPA”). Illinois was the first state to pass such a law (in 2008), but the BIPA has only recently surged as a source of potential litigation, similar to past waves of blast-fax and patent-troll cases. As other states start to pass similar laws, businesses must increasingly be aware of what the BIPA requires and what penalties could result from violations.

As stated in Section 5, the BIPA was passed to regulate the use of biometric identifiers and biometric information – e.g., retina scans, fingerprints and handprints, voiceprints, and face scans – by private entities in functions like security screenings and financial transactions. The Illinois legislature expressed concern that such information was susceptible to the same risks of theft and misuse as other personal identifiers like social security or credit card numbers. But unlike those numbers, biometric identifiers are physically and permanently linked to the holder: no one can simply assign new identifiers if they are compromised.

Section 15 of the BIPA requires a private entity in possession of biometric information to develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying such information within a certain time. The entity must inform the individual that such information is being collected and stored, state the purpose for its collection, and receive a written release from the individual. No private entity may sell, lease, trade, or profit from such information. The information may not be disclosed to others unless the subject has consented, the disclosure completes a financial transaction the subject has authorized, or the disclosure is required by law or by a warrant or subpoena. The information must be stored with a reasonable degree of care. Section 20 provides a private right of action for any “person aggrieved by a violation of this Act.”

Few judicial opinions to date have concerned the BIPA, but they have shown the wide variety of contexts in which such claims can arise. Several suits have alleged that websites like Shutterfly, Facebook, and Google have violated the BIPA with their facial-recognition technology. One suit involved a video game that creates a digital avatar from a scan of the player's face. Others have involved alleged fingerprinting for “smart” rental lockers, a season pass at an amusement park, and an employer's timeclock system.

Some BIPA cases may fail on threshold issues of standing or jurisdiction. Several opinions from federal courts, including the Northern District of Illinois, have held that a purely procedural violation of the BIPA does not present a real risk of harm to a concrete interest and therefore does not confer federal standing. One of those federal courts and the Second District of the Illinois Appellate Court have also held that a purely technical violation of the BIPA does not render a party “aggrieved” or confer statutory standing under Section 20 of the BIPA.

While entities may have defenses based on such procedural arguments or based on strict compliance with the requirements of Section 15, the risks of violations are substantial: under Section 20, defendants may be liable for liquidated damages of $1,000 for each negligent violation, $5,000 for each intentional or reckless violation, and “reasonable attorneys' fees and costs.” In a class action brought by employees or consumers, liabilities could run into the millions of dollars. The stakes are high both for the plaintiffs whose information was collected and for the defendants who collected it. The Illinois legislature is currently considering bills that would limit the scope of the BIPA, particularly as it relates to employers and to entities that store a person's data for less than 24 hours.