In the last two years, a wave of class action lawsuits alleging violations under the Illinois Biometric Information Privacy Act (BIPA), [1] has flooded state and federal courts in Illinois. In 2008, BIPA was enacted because the Illinois legislature understood the importance of regulating biometric information and preventing that information from getting into the wrong hands. As it turns out, Illinois was ahead of the curve, and now several states are considering following Illinois’s lead.
Meanwhile, BIPA remains possibly the most significant piece of legislation regulating biometrics, in part because it is the only current legislation that provides aggrieved individuals a private right of action against businesses that fail to properly handle biometric information. In fact, BIPA provides statutory penalties of up to $5,000 for intentional or reckless violations of the act.
In recent years, biometric technology has exploded. By 2025, the industry is projected to be worth as much as $59 billion. [2] Companies everywhere are using face recognition devices, iris recognition devices, fingerprint scanners, voice recognition devices, and hand geometry applications that capture an individual’s biometric information after each use. Biometrics have infiltrated virtually every industry, including automotive, financial services, health care, food and beverage, hospitality, retail, border control, law enforcement, and education. As a result, more and more companies will face potential exposure under current legislation and will face further potential exposure as more states consider whether to implement legislation aimed at regulating the use of biometric information.
The recent wave of BIPA class action lawsuits is, in part, a result of the Illinois Supreme Court’s decision in Rosenbach v. Six Flags Entertainment Corp., [3] which held that “an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under [BIPA], in order to qualify as an ‘aggrieved’ person and be entitled to seek liquidated damages and injunctive relief.” Plaintiffs are now emboldened to bring more class action lawsuits because the plaintiff need not show an actual injury. Rather, a mere technical violation of BIPA will suffice.