Eleven years ago, the Biometric Information Privacy Act (“BIPA”) came into effect in Illinois, but until recently, it has not been the subject of much litigation. With advancements in technology being used in multiple facets of business, along with a recent Illinois Supreme Court ruling in regard to BIPA, every business owner located in Illinois or that conducts business in Illinois should be aware of BIPA requirements.
First, a little background. When BIPA was passed, it was a law the first of its kind in the nation because it not only regulates the protection and privacy of biometric information gathered by companies, it provides a right of action for individuals to pursue violations of the act. What is biometric information? It is defined as retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. The Illinois legislature felt biometric information needed additional safeguards because unlike a credit card number or social security number that has been compromised, biometric information cannot be changed and is completely unique to the individual. Under BIPA, companies that collect biometric information are required to inform the individual their information is being collected, give the reason for the collection, and tell the individual how long the information is going to be collected, stored, or used. Companies are also required to develop a written policy that is publicly available as well as obtaining a release from the individual before collecting or sharing biometric information with a third party.
Until the Illinois Supreme Court ruled on January 25th, 2019 in the Rosenbach v. Six Flags Entertainment Corp case, there had been minimal litigation under BIPA. The BIPA states that “any person aggrieved” by violations of the Act has a right to sue, and the damages for negligently violating the act are the greater of liquidated damages of $1,000 or actual damages per violation, and for intentional or recklessly violating the Act they are the greater of liquidated damages of $5,000 or actual damages per violation. Violators are also liable for attorneys’ fees and costs, including expert witness fees and other litigation expenses. The issue settled this year in Rosenbach is what “aggrieved” meant. Previously the consensus was that an actual or threatened injury (such as identity theft) had to be suffered to have standing to sue under the statute. In Rosenbach, Six Flags was gathering the fingerprints of season ticket holders without meeting the notice and consent requirements of the BIPA. Six Flags argued that no actual injury had occurred, therefore no standing to sue, but the Illinois Supreme Court disagreed and clarified that a mere violation of the BIPA requirements is enough to assert a BIPA claim.
What does this mean for my business? The use of biometrics is becoming increasingly popular in today’s business climate for such things as timekeeping, security, and safety, just to name a few. Even if your business is not directly collecting and storing the information but instead are using a third party, such as timekeeping software or security on a company-issued phone, the third party is collecting on your behalf, exposing you to possible liability if the BIPA requirements are not met. With the recent ruling in Rosenbach that no actual harm must occur, there will be a tremendous increase in the amount of litigation filed under the BIPA. Since the cost of creating a policy that meets the requirements of the BIPA is less than the damages and legal fees for a single violation, businesses should act immediately to protect their interests.
Written by Derek Luster