As states and localities enact more robust laws related to consumer data privacy and security, biometric laws – such as the Illinois Biometric Information Privacy Act (BIPA) – are front of mind for both legislators and businesses. An increase in biometric privacy class action lawsuits and arbitration, an uptick in proposed legislation, and widespread criticism of both facial and voice recognition technologies suggest that biometrics will remain a hot topic for legal professionals.
What is biometric data?
Biometrics are measurements related to a person’s unique physical characteristics, including but not limited to fingerprints, palmprints, voiceprints, facial, retinal, or iris measurements, and more. A person’s biometric data – their specific measurements – can be used as unique identifiers.
As tools to collect biometric data become more advanced and increasingly employed, laws like the Illinois Biometric Information Privacy Act (BIPA) are being introduced and considered to prevent private entities from collecting biometric information without disclosure and consent.
The Illinois Biometric Information Privacy Act (BIPA)
In 2008, Illinois became the first state to enact a biometric data privacy law. The law requires entities that use and store biometric identifiers to comply with certain requirements and provides a private right of action for recovering statutory damages when they do not.
BIPA specifies that “[b]iometrics are unlike other unique identifiers that are used to access finances or other sensitive information. For example, social security numbers, when compromised, can be changed. Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.”
BIPA also defines a “biometric identifier,” in part, as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”
Prominent BIPA lawsuits
A decade after its enactment, several recent cases have put BIPA in the headlines and made it easier to file BIPA suits.
First, in 2019, the Illinois Supreme Court in Rosenbach v. Six Flags Entertainment Corp. held that a plaintiff can be considered an “aggrieved person” under the statute and “be entitled to liquidated damages and injunctive relief” without alleging an actual injury. Then, in May 2020, the U.S. Court of Appeals for the Seventh Circuit in Bryant v. Compass Group USA, Inc. clarified that such a person has suffered an injury-in-fact sufficient to support standing under BIPA Section 15(b).
Also in 2020, the Facebook BIPA class action lawsuit Patel v. Facebook, Inc. reached a conclusion when Facebook agreed to a $650 million settlement, one of the largest consumer privacy settlements in U.S. history, to resolve claims it collected user biometric data without consent.
It was not until October 2022 that the first-ever jury verdict in a BIPA class action lawsuit was handed down in Rogers v. BNSF Railway Company. Although the defending company announced its plans to appeal the decision of the District Court for the Northern District of Illinois, the plaintiffs’ success at the trial level may further embolden individuals to pursue their own BIPA claims.
Finally, in February 2023, the Illinois Supreme Court held in Cothron v. White Castle System, Inc., that a separate claim accrues under BIPA each time a private entity scans or transmits a person’s biometric identifier or information in violation of the law. The court also observed that BIPA damages are discretionary and not mandatory. Earlier the same month, the court ruled in Tims v. Black Horse Carriers, Inc., that a five-year limitations period applies to all claims arising under BIPA.
Which states have biometric privacy laws?
Texas and Washington also have broad biometric privacy laws on the books, but neither creates a private right of action like BIPA does. In addition, California, Colorado, Connecticut, Utah, and Virginia have passed comprehensive consumer privacy laws that, once in full effect, will expressly govern the processing of biometric information. And even more states have enacted data breach notification laws that explicitly include biometric data within their scope.
Various municipalities, such as New York City and Portland, Ore., have also passed tailored biometric privacy measures. New York City’s Biometric Information Privacy Law, applicable to certain commercial establishments, provides a private right of action.
As more states continue to introduce legislation similar to BIPA, insurers have begun expressly excluding biometric liability coverage from their policies, further adding to the risks posed by noncompliance with biometric privacy laws.
[Download this comparison chart of state biometric privacy laws to easily compare the details of each statute.]