September 22, 2020

Volume X, Number 266

September 22, 2020

Subscribe to Latest Legal News and Analysis

September 21, 2020

Subscribe to Latest Legal News and Analysis

To Scan or Not to Scan: Surge in Lawsuits under Illinois Biometrics Law

In Depth

The Illinois Biometric Information Privacy Act (BIPA) is having its moment. At least 32 class action lawsuits have been filed by Illinois residents in state court in the past two months challenging the collection, use and storage of biometric data by companies in the state. This may cause a reassessment of company strategies and development of new defenses in the use of advancing biometric technology.

Although BIPA has been on the books for nearly a decade, the recent surge in lawsuits has likely been brought on by developments in biometric scanning technology and its increased use in the workplace. In the vast majority of these lawsuits, the plaintiffs allege BIPA noncompliance against their employers based on the employers’ use of fingerprint-operated timeclocks. Specifically, they claim that the collection, use and storage of fingerprints in this manner violates BIPA’s requirement of consent, notice and disclosure.

Components of the Illinois Statute

Illinois enacted BIPA in 2008 in response to the introduction of biometrics across multiple industries. At the time, many large companies were piloting biometric scanning applications in Chicago and elsewhere in Illinois, such as finger-scan technologies for authentication purposes in financial transactions. 740 ILCS 14/5(a). The Illinois legislature voiced concern over the privacy implications of biometrics because, unlike many other types of sensitive information, biometrics are immutable and cannot be changed in the event of a compromise. 740 ILCS 14/5(c).

At its core, BIPA sets out to regulate companies’ collection and storage of biometric data by creating a private right of action for consumers and employees. BIPA broadly defines “biometric information” to include “any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual.” 740 ILCS 14/10. A “biometric identifier” is defined to mean “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” 740 ILCS 14/10. It does not include photographs, digital signatures, writing samples and biological samples used for screening, which are not protected under the statute. 740 ILCS 14/10.

With the privacy of consumers and employees in mind, BIPA requires that companies be transparent about their practices regarding the collection, use and storage of biometric data. BIPA imposes three requirements:

  1. Creating a publicly available written policy that establishes the retention schedule and outlines guidelines for permanently destroying biometric data in the company’s possession;

  2. Fully informing the data subject and receiving the data subject’s written consent prior to collecting or storing the data subject’s biometric data; and

  3. Protecting the biometric data in its possession using the industry’s reasonable standard of care and in the same or more protective manner that the company stores other confidential and sensitive information. 740 ILCS 14/15.

BIPA also prohibits companies from selling, trading, leasing or otherwise profiting from biometric data in its possession. 740 ILCS 14/15(c).

Potential Damages

Failure to comply with BIPA can be costly. Under the statute, each wronged party is entitled to receive actual damages or liquidated damages of $1,000 for each negligent violation and actual damages, or liquidated damages of $5,000 for each intentional or reckless violation. 740 ILCS 14/20. BIPA also provides the prevailing party reasonable lawyers’ fees and costs, as well as injunctive relief. 740 ILCS 14/20. These remedies create incentives for the filing of cases, especially class actions where the potential exposure can be massive in instances where large volumes of biometric information are involved.

This potential exposure arises even in situations where the violation appears technical or procedural in nature and does not appear to have caused any tangible loss to any individual. There are multiple legal issues and defenses that arise in this type of case, and will inevitably be the subject of litigation. Nevertheless, and like many privacy-focused statutes, Illinois courts have not yet interpreted BIPA’s key components or the requirements for recovering in an individual or class action. Current litigation remains in the early stages. It remains unknown how damages will be calculated or if plaintiffs will be entitled to liquidated damages for alleged technical or procedural violations.

Other States’ Biometric Data Laws

Illinois is one of three states with privacy laws pertaining to biometric data; however, it is the only statute of its kind that creates a private right of action for violations of the law. Texas and Washington have similar statutes that regulate the collection, use and storage of biometric data, but both statutes leave enforcement of the law up to their respective Attorneys General. State legislatures in Alaska, Connecticut, Massachusetts and New Hampshire are currently considering similar statutes. If adopted, the statutes in Alaska and New Hampshire would create a private right of action that mirrors BIPA in terms of potential damages for negligent and intentional violations. 

Company Strategies

Companies that collect, use or store biometric data of Illinois residents should assess their current policies and practices to ensure they are in compliance with BIPA. Companies should also review their cyber liability and other insurance policies to determine the likelihood of coverage in the event of a lawsuit.

If a claim is brought, it is possible that privacy and/or cyber liability insurance policies may cover the costs related to defending actions brought under BIPA. These claims may be covered under certain types of cyber, wrongful data collection or related policies.

© 2020 McDermott Will & EmeryNational Law Review, Volume VII, Number 312


About this Author

Michael G. Morgan Prvacy Attorney McDermott Will & Emery Law Firm

Michael G. Morgan represents clients in class actions, litigation and other matters involving cybersecurity, privacy, and protection of consumer and business data. He is co-leader of the Firm’s Privacy and Data Protection practice.

With more than 20 years’ experience in data security and privacy matters, Michael advises clients on cyber incident preparation, prevention and response; compliance with US and EU laws and regulations; completion of enterprise-wide cybersecurity assessments; and data security policies and best practices. He has...

310 551 9366

Kristin Michaels is a partner in the law firm of McDermott Will & Emery LLP and is based in the Firm's Chicago office. She focuses her practice on labor and employment litigation and counseling.

Kristin’s practice is national in scope and involves representing employers in a wide range of industries, including hospitality, media, telecommunications, retail, steel, healthcare, automotive, cable and utility. She has litigated from inception through trial numerous cases before the National Labor Relations Board, United States District Courts, United States Courts of Appeal and arbitration tribunals. These cases have involved a full spectrum of labor and employment issues arising under Title VII of the Civil Rights Act, the National Labor Relations Act, the Age Discrimination In Employment Act, the Americans With Disabilities Act, the Fair Labor Standards Act, Section 301 of the Labor Management Relations Act, contractual issues and terminations under collective bargaining agreements, and various other federal and state statutes. Kristin has served as the chief spokesperson on behalf of companies in numerous labor negotiations around the country.

Christopher M. Murphy class action lawyer, complex commercial litigation attorney McDermott Will Chicago

Christopher M. Murphy is a partner in the law firm of McDermott Will & Emery LLP and is based in the Firm's Chicago office. He focuses his practice in the areas of class actions and complex commercial litigation. He heads the Firm's Class Action group.

Chris defends clients in a variety of class actions, including consumer fraud, product liability, health care, Employee Retirement Income Security Act (ERISA), tax and Racketeer Influenced and Corrupt Organizations Act (RICO) class actions. He has obtained dismissals of class allegations and defeated motions for class...

Mark Schreiber, McDermott Law Firm, Boston, Cybersecurity Law Attorney

Mark E. Schreiber focuses his practice on cybersecurity, data breach response and global privacy coordination. He advises entities facing cross-border data protection, Privacy Shield and related issues, strategic decisions, and investigations. Mark has led numerous multi-national and cross-border matters, including those involving data breaches, and has advised senior management, boards, and special board committees on a variety of investigations, including data breach prevention and response. Mark is a leader of the Firm’s Global Privacy and Cybersecurity practice....

Lynette Ryan Arce Cybersecurity Lawyer McDermott

Lynette Arce focuses her practice in privacy and data security matters. She assists clients with drafting domestic privacy policies in accordance with state and federal laws, as well as custom incident response plans in the event of a breach. She also assesses companies cybersecurity preparedness and cyber risk exposure in the context of corporate mergers and acquisitions. Lynette is a Certified Information Privacy Professional (CIPP/US) by the International Association of Privacy Professionals (IAPP).

While in law school, Lynette was a member...

312 984 2759