1511370218537
Data Privacy & Security

Illinois Privacy Statute Designed To Protect Biometric Information Spawns A Spate Of Class Action Lawsuits


Companies that operate in Illinois should take notice of the flurry of litigation that has arisen under the Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14/1, et seq.  The State of Illinois promulgated the BIPA in 2008 amid the public’s growing concerns relating to companies’ collection of biometric data for business and security purposes. The General Assembly cited “finger-scan technologies at grocery stores, gas stations, and school cafeterias” as an example of the biometric data that it intended to regulate (740 ILCS 14/5(b)). Under the BIPA, among other requirements, a company must inform the person whose biometric data is being collected that it is collecting their data and specific details relating to its data collection and preservation (740 ILCS 14/15(b)).  Companies must also receive a “written release” from the person before collecting any biometric data.  Id.  

Significantly, the BIPA provides a private right of action for any person aggrieved by a BIPA violation, and allows a claimant to recover liquidated damages of $1,000 for each negligent violation, and $5,000 for each intentional or reckless violation (or actual damages, whichever is greater)  (740 ILCS 14/20).  The BIPA also expressly provides that the prevailing party in a BIPA action may recover its reasonable attorneys’ fees and costs.  Id.

As technology has evolved and companies have integrated biometric data collection into their practices, the BIPA has become more relevant and has gained the attention of the plaintiff’s class action bar.  For example, a plaintiff recently filed a putative class action in Illinois state court against a popular restaurant chain, alleging that it failed to make the necessary BIPA disclosures to its customers when it used face-scanning technology at kiosks in its restaurants. Similarly, a plaintiff recently brought a putative class action against a prominent gas station alleging that it unlawfully collected, stored, and used its employees’ fingerprint data, and also improperly disclosed that data to a third-party vendor.  

The defenses available to a company sued under the BIPA will depend on the unique facts of each case, but whenever possible, defense attorneys seem to agree that the defendant should remove the lawsuit to federal court to improve its likelihood of successfully defeating the claim on the basis that the plaintiff has failed to show “actual harm.”  Statutes such as the BIPA are often predicated on technical violations, rather than conduct that actually caused a person harm.  Under the United States Supreme Court’s 2016 decision in Spokeo, Inc. v. Robins, plaintiffs do not have standing to bring lawsuits in federal court when they allege a mere “procedural” violation of a statute, rather than a concrete harm.  Multiple federal courts have dismissed BIPA claims where the plaintiff failed to satisfy the “concrete harm” requirement.  In Vigil v. Take-Two, for example, the district court ruled that two video gamers failed to allege that they were harmed in a concrete manner when they used face-scan technology to upload pictures of their faces into defendant’s video basketball game.  According to the district court, the plaintiffs lacked standing to sue because they could not allege anything more than a technical violation.

To date, Illinois is one of only a handful of states that regulates the use of biometric data.  The recent spate of BIPA lawsuits suggests, however, that companies operating in Illinois will need to take the BIPA as seriously as other privacy-driven statutes, such as the Telephone Consumer Protection Act of 1991, which is a favorite of the plaintiffs’ bar because of the availability of liquidated damages similar to those provided by the BIPA and the ability to bring a suit based upon the failure to obtain a written consent similar to that required by the BIPA.  Further, as technology improves and more companies adopt biometric data collection practices, it is likely that more states (and perhaps the federal government) will begin regulating biometric data collection.  Thus, the BIPA may be a harbinger of things to come nationally, rather than an isolated cost of doing business in Illinois.  

If you have any questions about the BIPA generally, its application to your business or compliance with its requirements, please contact one of our attorneys. 
 

Contributor: Michael McCutcheon