November 21, 2019

November 20, 2019

Subscribe to Latest Legal News and Analysis

November 19, 2019

Subscribe to Latest Legal News and Analysis

November 18, 2019

Subscribe to Latest Legal News and Analysis

Collecting Biometric Data Without Consent is Sufficient Harm to Base an Action

Illinois, the only state with a statute allowing private actions for unconsented collection of biometric readings, has made plaintiff recovery significantly easier, and defending such cases significantly harder.

On January 25, 2019, the Illinois Supreme Court found that where a plaintiff shows evidence of a violation of biometric privacy, the plaintiff need not show special harm to hold the defendant legally accountable. This decision makes compliance with Illinois’s Biometric Information Privacy Act (“BIPA”) all the more important to reduce exposure to litigation.

In 2008, Illinois was the first state to enact a specific biometric privacy law when it enacted BIPA to address the emergence of biometric identification technology, such as retina scans, fingerprint identification and facial recognition technology. Under BIPA, individuals have a private right of action to sue. While BIPA litigation is not new (now over 10 years since the law’s enactment), we will likely see more lawsuits alleging BIPA violations in the wake of this decision.

BIPA requires Illinois businesses that use biometric identifiers and information to inform the subject in writing that a biometric identifier or information is being collected or stored, along with the purpose and length of time for which it is being collected or stored. Regulated businesses must also obtain a written release from the subject.

Non-compliance comes with significant penalties, which vary based on the nature of the violation. For negligent violations, private entities may be liable for $1,000 per violation or the amount of actual damages, whichever is greater. And for willful or reckless violations, penalties may be up to $5,000 per violation or actual damages. Private entities may also liable for reasonable attorneys’ fees, costs and experts’ fees.

In Rosenbach v. Six Flags Entertainment Corporation, the mother of a fourteen-year-old boy sued Six Flags Entertainment Corporation under BIPA. The plaintiff claimed that her son’s fingerprint was obtained by Six Flags in violation of BIPA, and specifically without written consent and proper disclosure of Six Flag’s business practices relating to the collection, use, and retention of the fingerprint data.

The plaintiff identified three types of harm flowing from the collection of an individual’s fingerprints without their consent: harm to their personal privacy interest, harm to their property right in their biometrics, and an informational injury from being deprived of the opportunity to make an informed decision. The Illinois Supreme Court unanimously found such injuries to be both “real and significant.” As a result, to have standing in a BIPA private right of action case, a plaintiff does not need to have sustained actual damage beyond violation of his or her rights under BIPA. Further, the court did not show sympathy to businesses and their compliance efforts, stating “[c]ompliance should not be difficult; whatever expenses a business might incur to meet the law’s requirements are likely to be insignificant compared to the substantial and irreversible harm that could result if biometric identifiers and information are not properly safeguarded.”

Copyright © 2019 Womble Bond Dickinson (US) LLP All Rights Reserved.


About this Author

Theodore Claypoole, Intellectual Property Attorney, Womble Carlyle, private sector lawyer, data breach legal counsel, software development law
Senior Partner

As a Partner of the Firm’s Intellectual Property Practice Group, Ted leads the firm’s IP Transaction Team, as well as data breach incident response teams in the public and private sectors. Ted addressed information security risk management, and cross-border data transfer issue, including those involving the European Union and the Data Protection Safe Harbor. He also negotiates and prepares business process outsourcing, distribution, branding, software development, hosted application and electronic commerce agreements for all types of companies.


Taylor Ey, Intellectual property attorney, Womble Carlyle, Law Firm

Taylor is an associate in the Intellectual Property Practice Group in Womble Carlyle’s Research Triangle Park Office.


J.D. | 2016 | Wake Forest University School of Law | cum laude | Notes and Comments Editor, Wake Forest Law Review, 2015-2016 | Teaching Assistant, Legal Analysis, Writing and Research I & II, Writing for Judicial Chambers

M.S. |2012 | The Ohio State University | Biomedical Engineering

B.S. | 2011 | The Ohio State University | Biomedical Engineering | Minor, Life Sciences | cum laude