April 2, 2020

The Illinois Biometric Information Privacy Act (“BIPA”): When Will Companies Heed the Warning Signs?

The Illinois Biometric Information Privacy Act (“BIPA”) went into effect in 2008 and has been a steady source of litigation ever since. This post summarizes the obligations BIPA imposes, the current state of BIPA litigation, and what steps businesses can take to reduce litigation risks.

What is BIPA?

The stated intent of BIPA was to address the heightened risk of identity theft associated with the processing of biometric data. The legislature’s findings state that, “unlike other unique identifiers that are used to access finances or other sensitive information,” when biologically unique data is compromised, “the individual has no recourse” because the individual cannot change these identifiers.

Scope: BIPA regulates how “private entities” collect, use, and share “biometric information” and “biometric identifiers” (collectively, “biometric data”), and imposes certain security requirements.

  • “Private entity” means any individual, partnership, corporation, limited liability company, association, or other group, however organized.

  • “Biometric information” means any information, “regardless of how it is captured, converted, stored, or shared,” based on an individual’s biometric identifier used to identify an individual. Biometric information does not include information derived from items or procedures excluded under the definition of “biometric identifier.”

  • “Biometric identifier” means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. The law expressly excludes certain data elements from the definition of “biometric identifier” (e.g., writing samples, photographs, tattoo descriptions, information captured in a health care setting or under HIPAA, etc.).

Exclusions: BIPA excludes certain types of entities, including financial institutions subject to the Gramm-Leach-Bliley Act of 1999, governmental entities and agencies, and contractors to governmental entities or agencies.

Obligations: BIPA imposes five distinct obligations:

(1) Written retention and destruction policy: Private entities in possession of biometric data must develop a written policy (made available to the public) establishing a retention schedule and guidelines for permanently destroying biometric data.

(2) Written release: BIPA prohibits private entities from obtaining biometric data without informed written consent.

(3) Prohibition against profiting (even with consent): BIPA prohibits private entities in possession of biometric data from selling, leasing, trading or otherwise profiting from biometric data.

(4) Restrictions on disclosure: Private entities in possession of biometric data may not “disclose, redisclose, or otherwise disseminate” it unless consent is obtained or the disclosure is required for specific purposes (e.g., the disclosure is necessary to complete a financial transaction, required by law, or pursuant to a valid warrant or subpoena).

(5) Security requirements: A private entity in possession of biometric data must use the reasonable standard of care applicable to the entity’s industry and protect the data in a manner that is the same as, or more protective than, the manner in which the entity protects other confidential and sensitive information (defined by reference to a list of elements that includes, among others, Social Security numbers, passcodes, and account numbers).

Enforcement: The most striking aspect of BIPA is that it includes a private right of action that enables any person aggrieved to recover “for each violation” liquidated damages of $1,000 or actual damages (whichever is greater) for negligent violations and liquidated damages of up to $5,000 or actual damages (whichever is greater) for intentional or reckless violations. Plaintiffs may also recover reasonable attorney’s fees and costs (including expert witness fees and other litigation expenses) and seek other relief available (including an injunction). As discussed in the next section, this has given rise to steady litigation that has led to significant payouts.

BIPA litigation: The State of Play

In a prior post, we discussed the Illinois Supreme Court’s ruling in Rosenbach v. Six Flags in January 2019, concluding that a consumer need not demonstrate an adverse effect or specific harm (such as evidence that personal information was stolen or misused) to have standing to sue under BIPA. In other words, a procedural violation of the law itself is sufficient to support a private right of action under BIPA. This ruling gave real teeth to the 200-plus BIPA complaints already filed in Illinois at that time.

While it may be less of a challenge to establish standing in Illinois State court since January 2019, plaintiffs could still struggle with Article III standing issues in federal courts. In December 2018, the U.S. District Court for the Northern District of Illinois in Rivera v. Google granted Google summary judgment and dismissed the plaintiffs’ claims for lack of subject matter jurisdiction because it determined that the plaintiffs had not satisfied the Article III “injury in fact” standing requirement to sue. See our previous post discussing this case.

Cases filed in State court have led to significant settlements, some well into the hundreds of thousands. Facebook’s recent announcement of a large settlement to resolve BIPA litigation brought in the Northern District of California will likely result in an increase in BIPA litigation. The plaintiffs in that suit convinced the Ninth Circuit Court of Appeals that “violations of the procedures in BIPA actually harm or pose a material risk of harm” such that they confer Article III standing. Patel v. Facebook, Inc., 932 F.3d 1264, 1275 (9th Cir. 2019). According to The Washington Post, after the Supreme Court declined to review the Ninth Circuit’s decision, Facebook agreed to resolve the case for a substantial sum; that settlement is set to be presented to the court for preliminary approval on March 12, 2020.

What Can You Do to Help Avoid BIPA Exposure?

There is a continued trend toward the regulation of biometric data, and issues around its processing are likely to continue to generate litigation. All businesses should evaluate whether they collect biometric data (e.g., fingerprints, facial scans, voiceprints) and assess whether BIPA applies to them. If BIPA applies, the business should take steps to comply with the law as soon as possible, including providing notice, obtaining written consent, and adhering to BIPA’s retention, disclosure, and security requirements.

© Copyright 2020 Squire Patton Boggs (US) LLP

About this Author

Lydia de la Torre, Of Counsel, Squire Patton Boggs

Lydia de la Torre provides strategic privacy compliance advice related to US and EU privacy, including data protection and cybersecurity law, the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), other states’ privacy and cyber laws, US financial privacy laws, and marketing and advertising compliance, as well as information security. She also represents clients in investigations with an eye toward helping them avoid litigation.

Lydia’s work in-house and with organizations has run the gamut, from pre-IPO start-ups...

650 843 3227

Elliot Golding, Partner, Squire Patton Boggs

Elliot Golding is a member of Squire Patton Boggs' Data Privacy & Cybersecurity Practice and Healthcare Industry Group leadership team, where he provides business-oriented privacy and cybersecurity advice to a wide range of clients, with a particular focus on companies handling healthcare and other personal data. He was selected as an honoree in Global Data Review’s inaugural 40 Under 40 list, which recognizes those who “represent the best and the brightest of the data law bar around the world.”

Elliot partners with clients to proactively manage risk by developing and implementing information governance programs, drafting privacy and security policies, preparing and testing data breach response plans, and negotiating complex data agreements. He not only counsels clients about what the law currently requires, but also provides industry context and forward-looking advice that takes into account trends and best practices in developing areas, such as the Internet of Things. In particular, Elliot helps clients understand how personal information may be used and disclosed to support business needs so that companies can stay competitive and compliant in a rapidly evolving environment.

Elliot has also managed dozens of breach response matters for companies through all aspects of investigation, notification, remediation and engagement with regulators (including federal regulators such as the Office of Civil Rights [OCR] and State Attorneys General). Elliot has defended clients in litigation by State Attorneys General under state security breach notification laws and the Health Insurance Portability and Accountability Act (HIPAA) and has helped clients successfully avoid enforcement actions altogether by working directly with regulators during investigations.

Elliot's practice covers a wide range of laws, regulations, industry standards and best practices, such as HIPAA and HITECH; 42 CFR Part 2 (Federal Confidentiality of Alcohol and Drug Abuse Patient Records); Federal Trade Commission (FTC) Act and FTC guidance; state laws and guidance governing privacy, security and breach notification (such as the California Shine the Light law, Lanterman-Petris-Short Act, Confidentiality of Medical Information Act, CalOPPA, and state laws governing sensitive health information); Telephone Consumer Protection Act (TCPA); CAN-SPAM; Gramm-Leach-Bliley Act (GLBA); Children's Online Privacy Protection Act (COPPA); NIST Security Standards; and Payment Card Industry Data Security Standards (PCI-DSS).

Elliot is co-chair of the ABA E-Privacy Law Committee, vice-chair of the ABA Healthcare Technology Committee, vice-chair of the Privacy, Security and Emerging Technology Division for the ABA Section of Science & Technology Law, a member of the Bloomberg BNA Health Care Innovations Board, and a frequent speaker and writer of thought leadership pieces. He is also a Certified Information Privacy Professional (CIPP/US).

202-457-6407

India Scarver, Associate, Squire Patton Boggs (Columbus)

India Scarver focuses her practice on toxic tort litigation in federal and state courts. India also has experience representing clients in debt collection cases.

614-365-2719