December 7, 2021

Volume XI, Number 341


December 06, 2021


Litigation Breeding Ground: Illinois’ Biometric Information Privacy Act

Illinois’ Biometric Information Privacy Act (“BIPA”) is alive and well as a potential breeding ground for litigation for tech companies. In the last month, two settlements have been announced in class actions where the plaintiffs alleged violations of BIPA in the U.S. District Court for the Northern District of Illinois. These settlements show that companies collecting biometrics should take care to ensure that their practices do not run afoul of BIPA’s requirements.

What is BIPA?

A biometric identifier is a retina or iris scan, fingerprint, voiceprint or scan of the hand or face geometry. Biometric information is any information based on an individual’s biometric identifier used to identify an individual. Notably, BIPA expressly excludes, among other things, photographs and information captured from a patient in a health care setting from its definition of a biometric identifier.

Under BIPA, a private entity cannot collect, capture, purchase, receive through trade or otherwise obtain a person’s biometric identifier or biometric information without: (a) informing the subject in writing that a biometric identifier or biometric information is being collected or stored; (b) informing the subject in writing of the specific purpose and duration for which it is being collected, stored and used; and (c) receiving the subject’s written consent. BIPA also requires that private entities that possess biometric identifiers or biometric information:

  1. Develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers or biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied, or within three years of the individual’s last interaction with the private entity, whichever occurs first;

  2. Store, transmit, and protect from disclosure all biometric identifiers and biometric information using the reasonable standard of care within the private entity’s industry and in a manner that is the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information;

  3. Not sell, lease, trade or otherwise profit from such identifiers or information; and

  4. Not disclose or otherwise disseminate such information unless the subject of the identifier or information consents, the disclosure or redisclosure completes a financial transaction requested or authorized by the subject, or the disclosure or redisclosure is required by law, valid warrant or subpoena.

Perhaps the most significant aspect of BIPA is that it provides a private right of action for individuals harmed by BIPA violations and statutory damages up to $1,000 for each negligent violation and up to $5,000 for each intentional or reckless violation. The statute itself does not contain a statute of limitations. In 2019, the Illinois Supreme Court ruled in Rosenbach v. Six Flags that actual harm is not required to establish standing to sue under BIPA – a procedural violation is sufficient to support a private right of action.

Recent BIPA Cases

As noted, BIPA remains a fertile ground for litigation, in particular due to its private right of action. On February 18, 2021, the plaintiffs in a putative class action announced that they reached an undisclosed settlement-in-principle to resolve their claims against Shutterfly, Inc. (“Shutterfly”) in the U.S. District Court for the Northern District of Illinois. The plaintiffs alleged Shutterfly stored their biometric data from its facial recognition technology without their consent, thereby violating BIPA. According to the plaintiffs, Shutterfly’s technology scans people’s faces in uploaded pictures, regardless of whether that person is a registered user of Shutterfly, and either suggests a user tag a previously identified individual or asks whether the user would like to name an unrecognized individual.

The following week, in the same district court, the popular video-sharing app TikTok reached a proposed $92 million settlement in a multi-district class action litigation in which the plaintiffs had alleged TikTok collected, captured, obtained, stored and disclosed users’ facial geometric scans without users’ consent. The settlement will provide compensation for TikTok users and ensure it respects users’ privacy.


In determining whether BIPA applies to its operations, a company should consider whether it actively targets consumers for collection of biometric data, or merely provides the technology for the collection of such data to another party. In Corey Heard v. Becton, Dickinson & Co., for instance, the court held that BIPA did not apply to the defendant, a manufacturer of an automated medication dispensing system, because it did not directly collect biometric information. If BIPA does apply, the company should immediately comply with the statute’s five requirements described above, which include providing notice, obtaining written consent and following BIPA’s security requirements.

Remember – suits under BIPA have been filed in many jurisdictions outside of Illinois, as was the case in H.K. et al. v. Google LLC. Moreover, a company whose principal place of business is not in Illinois may still be subject to BIPA if it has sufficient contacts with the state to establish personal jurisdiction.

Due to the COVID-19 pandemic, many employers and schools have turned to remote work and learning, and some use facial recognition or other forms of biometric information as a contactless way to track employees’ time or ensure secure access to information or buildings. Companies using this technology in particular may want to consider their possible obligations under BIPA.

© 2021 Proskauer Rose LLP. National Law Review, Volume XI, Number 77

About this Author

Ryan Blaney Privacy Law Attorney Proskauer Law Firm

Ryan Blaney has particular expertise in privacy law, and represents health care, life science, and technology clients in a range of regulatory, enforcement, internal investigative and transactional matters. Blaney also practices life sciences and digital health law and has expertise in regulatory compliance, counseling clients on a range of matters, including health care fraud and abuse, third party reimbursement, data breach issues, data privacy and security, and FDA regulatory matters. He has substantial experience in pharmaceutical lifecycle management and competition issues, including...

Julia D. Alonzo Litigation Attorney Proskauer Rose New York, NY
Senior Counsel

Julia Alonzo is a senior counsel in the Litigation Department with a focus on securities and corporate governance litigation. She is experienced in complex securities and white collar litigation matters, including federal securities class actions, derivative lawsuits, internal investigations and federal white collar defense.

Julia maintains an active pro bono practice, with a focus on immigration law, asylum and child welfare issues. In addition, she sits on the associate board of the Brooklyn Defender Services Family Defense Practice, which aims to provide interdisciplinary...

Brooke G. Gottlieb Litigation Proskauer

Brooke Gottlieb earned a J.D. from New York University School of Law, where she was a cyber security scholar and served as an executive editor of the Journal of Legislation and Public Policy. While attending law school, Brooke worked as a research assistant for Professor Arthur R. Miller on his Federal Practice and Procedure treatise and was an extern at the U.S. Attorney’s Office for the Southern District of New York. She also earned a B.A. from Barnard College.