chevron-down Created with Sketch Beta.

TortSource

Fall 2024

The Biometric Information Privacy Act

Daniel A Cotter

Summary

  • What is biometric information?
  • Developments in IL biometric law
  • Insurance issues raised
The Biometric Information Privacy Act
Maria Korneeva/Moment via Getty Images

Jump to:

In 2008, the Illinois legislature passed the Illinois Biometric Information Protection Act (BIPA). The act regulates the “collection, use, safeguarding, handling, storage, retention and destruction of biometric identifiers and information.” The law for many years was dormant. However, plaintiffs’ lawyers discovered that statutory penalties outlined in BIPA provided a potentially large amount of recoveries. Thousands of class actions under BIPA theories were filed in the next few years. In recent years, the Illinois Supreme Court has issued several impactful BIPA decisions. In July 2024, Governor J.B. Pritzker signed into law an amendment to the statute to limit some of those significant exposures. This article addresses what lawyers should know about BIPA, including how it works, what it covers, and significant recent developments. As noted, even those not practicing in Illinois may encounter suits for their clients.

What BIPA Covers

BIPA defines a biometric identifier as “a retina or iris scan, fingerprint, voiceprint or scan of hand or face geometry.” The law was introduced and became law in response to various stores in Chicago setting up pilot programs to test the evolving technology for point-of-sale fingerprint scanners. School cafeterias and gas stations were also testing the new technology.

BIPA provides for the awarding of statutory damages in the greater of $1,000 or actual damages for each negligent violation and $5,000 or actual damages for intentional violations, plus reasonable attorney fees, litigation expenses, and costs.

Although suits have been filed against tech industry companies such as Google and Meta, most recent class actions have been filed against employers alleging violations of BIPA. For example, a lawsuit was filed against Roundy’s in May 2017, alleging that the supermarket chain required employees to utilize a “biometric fingerprint time clock” when checking in and out of work.

Statutory Damages

Illinois is the only state with legislation addressing biometric information, providing a private right to action against alleged offenders. While Texas and Washington have legislation similar to Illinois’ act, neither permits a private right of action — only the attorney general of each respective state may initiate action against alleged violators. But exposure in those states is not negligible. Texas Attorney General Ken Paxton recently announced a $1.4 billion settlement with Meta. In addition, many privacy acts, such as the California CCPA/CPRA, include provisions on how biometric information may be collected, stored, and used.

BIPA has several different ways in which holders of biometric information may violate BIPA. Section 15 provides for potential recoveries. The main two used against employers and other alleged violators in class action lawsuits are Section 15(b), addressing the collecting, capturing, purchasing, receiving through trade, or otherwise obtaining a person’s biometric identifier or biometric information without prior written consent, and Section 15(d), which requires prior consent before an entity may engage in the disclosure, redisclosure, or dissemination of biometric identifiers and biometric information.

Illinois Supreme Court Weighs In

In two cases in 2023, the Illinois Supreme Court opened the door to ruinous exposure for employers and potential other defendants facing BIPA litigation. The first, Cothron v. White Castle, held that “a separate [Section 15(b)] claim accrues under the Act each time a private entity scans or transmits…” The second was Tims v. Black Horse Carriers, holding that a five-year statute of limitations governs claims under BIPA.

Readers should understand that, in many cases, general liability insurance policies have been found not to afford coverage for these BIPA allegations, and at least two recent cyber policy coverage cases have found that BIPA violations are not cyber incidents.

The Legislature Amends the Statute

In May 2024, the Illinois Legislature amended BIPA to clarify that anyone whose biometric identifier or biometric information is scanned may only recover damages for a single violation. On Aug. 2, 2024, Illinois Gov. J.B. Pritzker signed SB 2979 into law. The next battle will be whether this amendment applies retrospectively. To date, no case has developed testing that idea.

Conclusion

Practitioners should be familiar with BIPA and how it has been applied in various contexts, as it has the potential to touch on many areas of practice. Given the recent legislative changes in Illinois, future developments are likely.

    Author