If the Illinois legislature’s goal in providing for liquidated statutory damages in private actions over violations of the Illinois Biometric Information Privacy Act (“BIPA”)[i] was to get the attention of employers and businesses, then the Act has been an unqualified success. As discussed below, it has been the source of a great deal of recent litigation activity and some large settlements.
BIPA is an expansive state statute regulating the collection of biometric data (e.g., fingerprints, eye-scans, and far beyond). It imposes various requirements upon businesses, including obtaining consent from individuals before collecting such data and making disclosures about how it will be used and retained. BIPA provides that “any person aggrieved by a violation” of the Act may file suit against the violator, and it imposes a sizeable liquidated damages award of $1,000 for each negligent violation and $5,000 for each intentional or reckless violation, plus attorneys’ fees.[ii] Because every instance in which biometric identifier technology or information is used, collected, or stored for each customer or employee could constitute a separate violation, as some courts have held,[iii] damages awards in BIPA class actions are potentially astronomic. Companies with a physical presence in Illinois or an online presence with Illinois consumers thus are well-advised to familiarize themselves with and adhere to BIPA’s requirements.
BIPA applies to “biometric identifiers” and “biometric information.” The statute defines a “biometric identifier” as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”[iv] It defines “biometric information” as “any information…based on an individual’s biometric identifiers used to identify the individual.”[v]
To comply with BIPA, any private entity that collects or possesses biometric identifiers or information (collectively, “biometric data”) must take or refrain from certain actions and adhere to certain requirements set forth in section 15 of the statute:
- Under section 15(a), any private entity that possesses biometric data belonging to an individual must develop and comply with a publicly available, written policy establishing a retention schedule for the data and guidelines for permanently destroying the data upon the earlier of three years after an individual’s last interaction with the entity or when the initial purpose for collecting or obtaining the data has been satisfied.[vi]
- Under section 15(b), no private entity may collect or obtain any person’s biometric data unless it first:
  - Provides written notice to the person informing them (1) that the data are being collected or stored, (2) the specific purpose of the collection, storage, and use, and (3) the length of time that the data will be collected, stored, and used; and
  - Obtains a written release executed by the person.[vii]
- Under section 15(c), no private entity that possesses biometric data may sell, lease, trade, or otherwise profit from that data.[viii]
- Under section 15(d), no private entity may disclose or disseminate the data without consent or legal authorization.[ix]
- Finally, under section 15(e), any private entity that possesses biometric data must store, transmit, and protect that data from disclosure (1) “using the reasonable standard of care within the private entity’s industry,” and (2) “in a manner that is the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.”[x]
Recent BIPA Litigation
In August 2020, a federal district court in California granted preliminary approval to a class-action settlement in which Facebook agreed to pay $650 million to settle claims that it violated BIPA’s procedural requirements in its use of automatic facial geometry scanning software to “tag” members in online photos.[xi] Similar suits involving facial recognition software have been filed against Apple, Google, TikTok, and other software and website operators.[xii] Employers have faced and often settled a slew of suits alleging that they failed to obtain consent or to adhere to BIPA in using fingerprint scanning for employee timekeeping or in point-of-sale systems.[xiii] Sephora was recently sued by its customers over the facial recognition technology in its in-store Visual Artist kiosks.[xiv] A casino is defending claims that it used facial recognition technology in its video surveillance of patrons without their consent, while the operator of a customer call center is defending similar claims based on its use of voice recognition software.[xv] And other suits have been brought by holders of memberships or season passes required to scan their fingerprints to obtain access to such places as tanning salons or amusement parks.[xvi]
Much of the recent litigation generated by BIPA has involved whether a plaintiff complaining of a violation of the Act has suffered an “injury in fact” sufficient to confer standing under Article III of the U.S. Constitution. The U.S. Supreme Court’s decision in Spokeo, Inc. v. Robins held that, to establish an injury in fact, “a plaintiff must show that he or she suffered an invasion of a legally protected interest” that is both particularized (that is, individual rather than collective) and concrete (that is, real rather than abstract).[xvii] Although a statute might elevate intangible procedural requirements such as those imposed by BIPA to a legally cognizable injury, “a bare procedural injury”—that is, a bare failure to observe statutory procedural requirements—does not satisfy Article III.[xviii] Instead, a plaintiff must have suffered some concrete harm or be subjected to a material risk of harm by the defendant’s failure to observe the procedural requirements established to prevent such harms.[xix]
Federal courts have not been uniform in their application of Spokeo to BIPA claims, but the Seventh Circuit has recently provided useful guidance. First, a plaintiff alleging a violation of section 15(b)’s requirement that an entity obtain the plaintiff’s informed consent before collecting or obtaining her biometric data has suffered a concrete injury in fact: the deprivation of informed consent itself.[xx] Second, a plaintiff alleging that an entity has violated section 15(a)’s duty to disclose its data retention schedule and destruction guidelines likely has not suffered a concrete and particularized injury.[xxi] Third, and by contrast, a plaintiff alleging that an entity has violated section 15(a)’s duty to comply with its data retention schedule and destruction guidelines likely has suffered an injury in fact, because the retention of her data invades her privacy and materially increases the risk that her data will be leaked or stolen.[xxii]
Applying these principles, it seems reasonably clear—and district courts within the Seventh Circuit have so held—that an alleged violation of section 15(d)’s requirement of obtaining consent before disclosing or disseminating a plaintiff’s biometric data likely gives rise to a concrete injury.[xxiii] A violation of section 15(c)’s absolute prohibition on the sale of biometric data also likely would be considered a concrete injury.[xxiv]
Section 15(e)’s requirement of observing safeguards in the storage of biometric data is more complicated and likely depends on the circumstances of each case. Failing to adhere to the same reasonable standard of care applied by industry peers or that one applies to other confidential or sensitive data could materially increase the risk that an individual’s data might be stolen or disclosed, but one can imagine numerous scenarios in which a violation might not increase the actual risk because of other factors mitigating any carelessness. Or the safeguards that are usually applied to other information might be so high that use of a lesser standard would result in a statutory violation but still be sufficient to guard against any risk.
Unfortunately for defendants, obtaining dismissal in federal court for lack of standing in a BIPA case is something of a Pyrrhic victory. Contrary to expectations that a finding that plaintiffs lack standing under Article III of the U.S. Constitution will mean an end to the case, the end result of such a finding is usually that the case is remanded to or may be re-filed in state court.[xxv] State courts are not subject to the standing requirements of Article III,[xxvi] and even where state courts have adopted their own standing doctrines, those doctrines may be less restrictive than federal standing doctrine.
The Illinois Supreme Court has held that when a private entity fails to comply with BIPA’s requirements in its collection, possession, or use of an individual’s data, that individual is an “aggrieved” person within the meaning of the statute and may assert a cause of action for liquidated statutory damages in Illinois state court even without alleging an injury.[xxvii] The court concluded that the term “aggrieved” meant, at least, the denial of a legal right, and the control of one’s biometric data was such a right as recognized by the Illinois Supreme Court.
The standing defense to an Illinois BIPA action is questionable in federal court, and success might only result in refiling in a state court where the defense does not exist. And the tenuous status of the injury requirement, combined with statutory penalties, presents significant issues with opposing class certification. There remain, of course, potential class-defeating individual issues associated with consents obtained and what was done with an individual’s data. As in other settings, the best defense to a BIPA claim is taking proactive measures to ensure compliance before such a claim is ever brought.
[i] 740 Ill. Comp. Stat. 14/1 et seq.
[ii] 740 Ill. Comp. Stat. 14/20.
[iii] See Fernandez v. Kerry, Inc., No. 17 C 8971, 2020 WL 1820521, at *4 (N.D. Ill. Apr. 10, 2020) (citing Peatry v. Bimbo Bakeries USA, Inc., 393 F. Supp. 3d 766, 770 (N.D. Ill. 2019) (applying “expansive reading of BIPA’s damages provisions”)).
[iv] 740 Ill. Comp. Stat. 14/10. The statutory definition contains certain express exclusions, most notably for “information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996.” Id.
[vi] Id. § 15(a).
[vii] Id. § 15(b).
[viii] Id. § 15(c).
[ix] Id. § 15(d).
[x] Id. § 15(e).
[xi] In re Facebook Biometric Information Privacy Litigation, No. 3:15-cv-03747-JD, Dkt. 468 at 12 (N.D. Cal. filed July 22, 2020).
[xii] See, e.g., Hazlitt v. Apple Inc., 2020 WL 6681374 (S.D. Ill. Nov. 12, 2020); Thornley v. Clearview AI, Inc., 2020 WL 6262356 (N.D. Ill. Oct. 23, 2020); Vance v. Int’l Business Machines Corp., 2020 WL 5530134 (N.D. Ill. Sept. 15, 2020); A.S. ex rel. A.S. v. TikTok Inc., 2020 WL 3574699 (S.D. Ill. July 1, 2020); Acaley v. Vimeo, Inc., 464 F. Supp. 3d 959 (N.D. Ill. 2020); Vo v. VSP Retail Development Holding, Inc., 2020 WL 1445605 (N.D. Ill. Mar. 25, 2020); Rivera v. Google Inc., 238 F. Supp. 3d 1088 (N.D. Ill. 2017); Vigil v. Take-Two Interactive Software, Inc., 235 F. Supp. 3d 499 (S.D.N.Y. 2017); Norberg v. Shutterfly, Inc., 152 F. Supp. 3d 1103 (N.D. Ill. 2015).
[xiii] See, e.g., Stauffer v. Innovative Heights Fairview Heights, LLC, 2020 WL 4815960 (S.D. Ill. Aug. 19, 2020); Snider v. Heartland Beef, Inc., 2020 WL 4880163 (C.D. Ill. Aug. 14, 2020); Cothron v. White Castle System, Inc., 467 F. Supp. 3d 604 (N.D. Ill. 2020); Jones v. CBC Restaurant Corp., No. 1:19-cv-06736 (N.D. Ill. June 12, 2020); Namuwonge v. Kronos, Inc., 418 F. Supp. 3d 279 (N.D. Ill. 2019); Peatry v. Bimbo Bakeries USA, Inc., 393 F. Supp. 3d 766 (N.D. Ill. 2019); Thome v. Flexicorps, Inc., No. 2018-CHG-01751 (Ill. Cir. Ct. 2020); Lloyd v. Xanitos, Inc., No. 2018-CH-15351 (Ill. Cir. Ct. 2019); McGee v. LSC Communications Inc., et al., No. 2017-CH-12818 (Ill. Cir. Ct. 2019).
[xiv] See Salkauskaite v. Sephora USA, Inc., 2020 WL 2796122.
[xv] See McGoveran v. Amazon Web Servs., Inc., 2020 WL 5602819 (S.D. Ill. Sept. 18, 2020); Pruitt v. Par-A-Dice Hotel Casino, 2020 WL 5118035 (C.D. Ill. Aug. 31, 2020).
[xvi] See, e.g., Rosenbach v. Six Flags Entm’t Corp., 129 N.E.3d 1197 (Ill. 2019) (amusement park season pass); Rottner v. Palm Beach Tan, Inc., 2019 WL 1049107 (Ill. App. Ct. Mar. 4, 2019) (tanning salon membership); Sekura v. Krishna Schaumburg Tan, Inc., 115 N.E.3d 1080 (Ill. App. Ct. 2018) (tanning salon membership); see also Bryant v. Compass Grp. USA, Inc., 958 F.3d 617 (7th Cir. 2020) (class action involving fingerprint verification for vending machine purchases); Marsh v. CSL Plasma Inc., 2020 WL 7027720 (N.D. Ill. Nov. 30, 2020) (class action involving fingerprint verification of plasma donors).
[xvii] See Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1548–49 (2016).
[xviii] Id. at 1550.
[xix] See id. at 1549–50.
[xx] Bryant v. Compass Grp. USA, Inc., 958 F.3d 617, 626 (7th Cir. 2020), as amended on denial of reh’g and reh’g en banc (June 30, 2020); but cf. Santana v. Take-Two Interactive Software, Inc., 717 F. App’x 12, 16 (2d Cir. 2017) (holding that plaintiffs who claimed that a defendant software company violated section 15(b) did not allege, under the circumstances, that the violations created a risk of real harm).
[xxi] Bryant, 958 F.3d at 626.
[xxii] Fox v. Dakkota Integrated Sys., LLC, 980 F.3d 1146, 1154 (7th Cir. 2020); accord Patel v. Facebook, Inc., 932 F.3d 1264, 1274 (9th Cir. 2019), cert. denied, 140 S. Ct. 937, 205 L. Ed. 2d 524 (2020).
[xxiii] See, e.g., Cothron v. White Castle Sys., Inc., 467 F. Supp. 3d 604, 613 (N.D. Ill. 2020); Figueroa v. Kronos Inc., 454 F. Supp. 3d 772, 781-82 (N.D. Ill. 2020).
[xxiv] But cf. Hazlitt v. Apple Inc., 2020 WL 6681374, at *6–7 (S.D. Ill. Nov. 12, 2020) (holding that plaintiffs lacked standing to assert a claim that Apple profited from their customers’ biometric data generally “by marketing and selling its devices based upon claims that its facial recognition technology could sort photographs”).
[xxv] See, e.g., Marquez v. Google LLC, 2020 WL 6287408 (N.D. Ill. Oct. 27, 2020); Thornley v. Clearview AI, Inc., 2020 WL 6262356, at *2 (N.D. Ill. Oct. 23, 2020); Cothron v. White Castle Sys., Inc., 467 F. Supp. 3d 604, 613 (N.D. Ill. 2020); Kiefer v. Bob Evans Farms, LLC, 313 F. Supp. 3d 966, 968 (C.D. Ill. 2018) (citing Collier v. SP Plus Corp., 889 F.3d 894 (7th Cir. 2018)); Roberts v. Dart Container Corp. of Ill., 2018 WL 3015793, at *2 (N.D. Ill. Mar. 12, 2018).
[xxvi] See Asarco, Inc. v. Kadish, 490 U.S. 605, 617 (1989) (“[T]he constraints of Article III do not apply to state courts, and accordingly the state courts are not bound by the limitations of a case or controversy or other federal rules of justiciability . . . .”).
[xxvii] Rosenbach v. Six Flags Entm’t Corp., 129 N.E.3d 1197, 1205–6 (Ill. 2019).