In 2008, Illinois passed the Biometric Information Privacy Act (“BIPA”) which governs and regulates private entities’ use of biometric identifiers, including but not limited to fingerprints or face scans, and how the biometric information is captured, converted, stored, or shared. See 740 ILCS 14/1 et seq. Essentially, BIPA prohibits private entities from collecting, storing, or using biometric information unless it issues written notice, obtains written consent, and meets data retention requirements. Id. BIPA provides a private right of action, allowing any person “aggrieved by a violation” of BIPA to bring suit to recover damages, attorneys’ fees, costs, and other relief. A person may recover actual damages or statutory damages in the amount of $1,000 for each negligent violation and $5,000 for each intentional or reckless violation of BIPA.
Earlier this year, on January 25, 2019, in Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186, the Illinois Supreme Court held that an “aggrieved” individual does not need to suffer actual damage beyond the mere violation of to obtain relief under BIPA. Essentially, the mere violation of BIPA creates an injury, regardless of whether the violation resulted in any quantifiable harm to the individual.
Since the Rosenbach ruling, a flood of class actions have been filed in Illinois and federal courts on behalf of employees, consumers, and any other individuals whose biometric information was taken in allegedly violation of BIPA. A couple examples of the types of suits that have been brought include allegations that employers violated BIPA by requiring employees to scan their fingerprint to clock-in or clock-out or that a company has been improperly collecting face scans through facial recognition technology that locates each face appearing in photos uploaded to its service. The potential cost of these suits could be significant, as BIPA allows damages for each violation. This could be interpreted to mean, for example, each and every time an employee scanned a fingerprint, i.e., checking in, going or coming from breaks or meals, etc.
While the Rosenbach decision has opened the faucet for BIPA lawsuits, there are still defenses that can be raised in response. Some include, among others:
- Lack of standing under Article III standing requirements;
- Lack of personal jurisdiction;
- The one-year statute of limitations that applies to right of privacy claims;
- That the information collected and/or stored is not considered biometric information under BIPA; and
- There was express notice and consent.
If your company has been hit with a lawsuit alleging BIPA violations, or if you would like further information regarding BIPA, compliance with BIPA, or other BIPA related matters, please do not hesitate to contact us.