What Companies Should Know About Illinois’ Biometric Information Privacy Act (BIPA)

Throughout 2019 and continuing into 2020, courts have seen an increase in litigation relating to biometric data privacy, including in particular lawsuits asserting claims under Illinois’ Biometric Information Privacy Act (BIPA).  As the uptick in BIPA litigation continues, here is a high-level look at what companies should know and consider to minimize litigation risk:

1.     Background on BIPA

The goal of BIPA is “regulating the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.”  740 ILCS 14/5.  BIPA emerged in the context of the growing use of biometrics for identification and authentication, including finger-scanning technology for use in financial transactions.  BIPA imposes certain obligations on private entities regarding the collection, retention, disclosure, and destruction of certain types of biometric information.  It also requires those entities to obtain informed, written consent before they may collect or otherwise obtain biometric information.  BIPA allows any person “aggrieved” by a violation of the Act to sue for damages and other relief, including the greater of actual damages or liquidated damages ($1,000 for negligent violations and $5,000 for intentional or reckless violations), attorneys’ fees and costs, “including expert witness fees and other litigation expenses,” and injunctive relief.  740 ILCS 14/20.

2.     What Information Does BIPA Cover?

Under the Act, “biometric information” means “any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual.”  740 ILCS 14/10.  A “biometric identifier” means “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”  Id.  BIPA also outlines the kinds of information not covered as biometric information or identifiers, including, for example, written samples, signatures, photographs, physical descriptions, or information captured for operations governed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  Id. 

3.     Who Does BIPA Apply to?

BIPA generally applies to any “private entity,” defined broadly as “any individual, partnership, corporation, limited liability company, association, or other group, however organized,” that collects, stores, or uses biometric identifiers or information.  With this broad definition of a covered entity, BIPA can apply to companies that collect, store, or use biometric information in Illinois or have customers using their products or services in Illinois, even where the companies are not in Illinois.

4.     What Does BIPA Require?

BIPA imposes a number of requirements on covered entities:

  • BIPA prohibits any private entity from collecting or storing biometric data without first notifying affected individuals, obtaining their informed written consent, and making required disclosures regarding the entity’s treatment of biometric data; 

  • BIPA requires covered entities in possession of biometric identifiers or information to develop and make available to the public a written policy establishing a retention schedule and guidelines for permanent destruction of biometric identifiers and information;

  • BIPA prohibits covered entities from selling or profiting from a person’s biometric identifier(s) or information;

  • BIPA establishes strict limitations and requirements regarding disclosure and dissemination of biometric identifiers or information; and

  • BIPA requires that covered entities take measures to protect biometric identifiers and information using the reasonable standard of care in that entity’s industry and in a manner that is the same or more protective than the manner in which the entity stores, transmits, and protects other confidential and sensitive information.

5.     Why the Rise in BIPA Litigation?

Courts have seen an increase in BIPA litigation after the Illinois Supreme Court’s decision in Rosenbach v. Six Flags Entm’t Corp., 129 N.E.3d 1197, 1203 (2019).  There, the Illinois Supreme Court held that a plaintiff could qualify as an “aggrieved” person and therefore have standing to bring a BIPA claim even if he or she has not alleged any actual injury beyond a technical violation of the statute.  The court reasoned that such a technical violation amounted to a sufficient invasion, impairment, or denial of that person’s statutory rights under BIPA.  The ruling thus largely eliminates the requirement that a plaintiff show a concrete injury from a violation of the statute.  When coupled with the available remedies under BIPA, including actual or liquidated damages, attorneys’ fees and costs, and injunctive relief, it is not surprising to see a rise in lawsuits for technical violations of the statute.

6.     What You Can Do to Mitigate BIPA Litigation Risk

Companies covered by BIPA should take steps early and often to ensure compliance.  At minimum, if you are a covered entity, you should:

  • Establish policies and procedures for informing customers of, and obtaining their written consent to, your collection or storage of biometric identifiers or information;

  • Develop and disclose to the public a written policy regarding your retention and destruction of biometric identifiers and information consistent with BIPA’s requirements;

  • Refrain from selling or otherwise profiting from your possession of biometric identifiers or information; and

  • Establish safeguards for secure storage, transmission, and protection of biometric identifiers and information you collect or store.

Taking these steps to comply with BIPA at the outset and staying up to date on the ongoing BIPA developments in the courts should help mitigate the risk of facing a BIPA lawsuit.
