It’s much harder to get a new retina pattern or new fingerprints than a new Social Security Number. This was the principle behind the Illinois General Assembly’s enactment of the Biometric Information Privacy Act (BIPA) in 2008. As the General Assembly put it, “Biometrics […] are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.” 740 ILCS 14/5(c). BIPA, therefore, regulates the way in which private entities collect, use, store, and dispose of biometric information.
BIPA applies to any individual, corporation, or other non-governmental entity that collects or otherwise comes into possession of biometric information about an individual. BIPA specifically covers “retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry” as well as certain information based on those identifiers. 740 ILCS 14/10.
When collecting biometrics, a private entity must inform a person in writing of the purpose of the collection and the length of time that the biometrics will be retained, as well as receive written permission therefor from the subject. 740 ILCS 14/15(b). Once obtained, biometrics may not be disclosed without the subject’s permission, and must be protected from disclosure. 740 ILCS 14/15(d)-(e).
In recent years, BIPA lawsuits have been filed across the country, including in New York and California (although all of these suits involve activity that took place in Illinois or involved Illinois residents). Defendants include videogame publisher Take-Two Interactive, for mapping a player’s facial features (Vigil v. Take-Two Interactive Software, Inc., 235 F. Supp. 3d 499 (S.D.N.Y., 2017)); Facebook, for scanning facial features in uploaded photos (In re Facebook Biometric Info. Privacy Litigation, 185 F. Supp. 3d 1155 (N.D. Cal., 2016)); and amusement park Six Flags, for taking fingerprints of season pass holders (Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Ill., 2019)).
In that last case, decided in January 2019, the Illinois Supreme Court held that a failure to adhere to the statutory procedures, without any further allegation of likely injury or data breach, is sufficient to subject an entity to liability. And that liability can be severe – a merely negligent violation gives rise to a minimum $1,000 in damages, while damages for a reckless or intentional violation start at $5,000. 740 ILCS 14/20(1)-(2). Either way, a prevailing party may also recover legal fees and costs of suit, as well as obtain injunctive relief. 740 ILCS 14/20(3)-(4).
Anyone who handles, or regularly comes into contact with, biometric information should tread cautiously and be prepared. It is important to have a retention and disposal policy in place, as well as the appropriate notices and waivers. As the importance of data privacy laws grows, businesses need to be increasingly aware of what they are collecting and why.