hidden overlay

The Illinois Biometric Information Privacy Act (BIPA)

biometric consumer data

While you may not be familiar with the term “biometrics,” you've probably seen biometrics in action. Take, for instance, your favorite spy movie—when the bad guy uses an eye scan to gain access to their evil lair, or in real life, when you unlock your iPhone with facial recognition. 

Biometrics is the measurement and statistical analysis of an individual's physical and behavioral characteristics. Since its development, biometrics have been implemented with technology in order to help verify personal identities. The physiological characteristics used in biometrics include DNA, fingerprints, face, hand, retina or ear features, and even odor. Behavioral characteristics include gestures, voice, typing rhythm, and others. 

Companies all over the world have often used biometrics for time management, security access, safety, and even in health wellness plans. While these technologies typically aim to increase security and offer quick convenience for identification, many have raised concerns over the risks associated with who has access to this data, how this information is stored, and how this data is being implemented in the workplace. One of the strictest laws in the U.S. concerning the protection of biometric data is the Illinois Biometric Information Privacy Act (BIPA).  

BIPA is a law enacted in Illinois in 2008. BIPA governs the use, collection, and storage of biometric data, which includes the following; 

  • Retina scans
  • Iris scans 
  • Hand scans
  • Face geometry
  • Fingerprints
  • Voiceprints 

Under BIPA, in order for private entities to use, collect, or store biometric data, they are required to;

  • Develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying the biometric data.
  • Receive written, informed consent prior to obtaining the biometric data.
  • Refrain from disclosing or disseminating the biometric data.
  • Refrain from selling, leasing, trading, or otherwise profiting from the biometric data.
  • Store, transmit, and protect from the disclosure of all biometric data in a manner that is, at the minimum, as protective as it stores, shares, and covers other sensitive and or confidential information.

Individuals who have had their rights violated under BIPA are eligible to recover actual damages or liquidated damages of $1,000 per negligent violation or $5,000 per intentional or reckless violation, whichever is greater. Victims will also be eligible to receive compensation for attorneys' fees, expert witness fees, and other litigation expenses.

More BIPA Cases Currently Underway 

In Cothron v. White Castle System, Inc., the court will decide whether BIPA section 15(b) and (d) claims accrue when biometric data is first collected or disclosed or with each subsequent scan or disclosure. The questions of when a BIPA violation occurs or whether each scan is an individual violation will substantially impact the damages plaintiffs may claim. The case report states that the fast-food chain has to face claims that it scanned the fingerprints of nearly 9,500 employees without their consent.

White Castle claims they did not qualify for a lawsuit regarding every time an employee would use their biometric security to access their computer systems, but only for the initial information collection. However, the court claimed that White Castle collected their employee's fingerprints each time they needed to access the company's computer systems. The BIPA allows penalties of $1,000 per violation and $5,000 for intentional violations, requiring that companies obtain permission from their employees before collecting their biometric information, like fingertips or facial scans. 

Beyond White Castle, another BIPA case has been brought before the Illinois Supreme Court that would further drive the outcome of pending and future actions. In the case of Tims v. Black Horse Carriers, Inc., the Illinois Supreme Court will review claims related to BIPA sections 15(a), (b), and (e), which have a five-year statute of limitations, and claims pertaining to BIPA section (c) and (d), which have a one-year statute of limitations. 

Other cases that have sparked a flood of similar employee-based and even customer-based class actions include 

Pezen v. Facebook Inc., Licata v. Facebook Inc., Patel v. Facebook Inc., Gullen v. Facebook Inc., and Norberg v. Shutterfly, Inc. These cases should be a major wake-up call for those employers that collect, use, or store biometric data.

Companies like White Castle need to be mindful that the Illinois Supreme Court in Cothron can hold those entities who violate the statute each time a person scans their biometric data rather than only upon collection. Simple solution companies can use to avoid potential BIPA violations and lawsuits would be to ensure a receipt of informed and written consent before collecting biometric data and to comply with all other statutory requirements as stated in BIPA.
Learn more about the Illinois Biometric Information Privacy Act by connecting with us today.