Latimer LeVay Fyock, LLC

The Illinois Biometric Information Privacy Act Can Cost Companies Plenty

Colin T.J. O'Brien

The unique qualities and information that make us who we are – our fingerprints, voices, DNA, and other genetic markers – remain unalterable. The permanent and unchanging nature of such “biometric identifiers” is precisely why companies increasingly collect and use them for a wide range of purposes. As more companies acquire more biometric data, the security and protection of such information should be of utmost importance to companies.

The State of Illinois recognized the need to protect biometric information a dozen years ago, when the commercial and security-screening use of such identifiers was in its relative infancy. The Illinois Biometric Information Privacy Act (“BIPA”), enacted in 2008, was a forebear of more recent and more widely known laws such as California’s Consumer Privacy Act or Europe’s GDPR regime.

Companies can face significant exposure in suits brought under BIPA – even if no information was compromised and the plaintiffs suffered no actual damages.

What Is BIPA?

As the legislature noted when passing BIPA, “Biometrics are unlike other unique identifiers that are used to access finances or other sensitive information,” because they “are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.”

BIPA imposes several obligations on all private entities regarding the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information. Specifically, a private entity may not obtain or possess a person’s biometric identifiers or information unless it first:

  • informs the person in writing that it is doing so;
  • advises the person in writing of the specific purpose and length of term for which the identifier or information is being collected, stored, and used; and
  • receives a written release from the person authorizing the collection of biometric identifiers and information.

Additionally, all companies in possession of biometric information and identifiers must:

  • develop a publicly available written policy establishing a retention schedule and guidelines for permanently destroying biometric identifiers and data when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within three years of the individual's last interaction with the private entity, whichever occurs first;
  • get a customer’s written consent before it can “disclose, redisclose, or otherwise disseminate” the customer’s biometric information and identifiers; and
  • use reasonable standards of care to protect the security of biometric information and identifiers in its possession.

Private Right of Action For BIPA Violations – Even Without Actual Harm

Not only does BIPA impose a host of obligations on companies involved with biometrics, but it also provides consumers with a private right of action against entities that violate those duties.

Any person “aggrieved by” a BIPA violation may recover “for each violation” the greater of $1,000 in liquidated damages or actual damages for negligent violations, and the greater of $5,000 in liquidated damages or actual damages for intentional or reckless violations. A prevailing plaintiff can recover attorney’s fees and costs as well.

Around 2015, this private right of action led to a flurry of class action lawsuits arising from alleged BIPA violations. But it was a January 2019 Illinois Supreme Court ruling that opened the floodgates and put companies on notice that they could be on the hook for significant damages for even the most technical or seemingly inconsequential BIPA transgressions.

In Rosenbach v. Six Flags, the court held that a consumer does not need to demonstrate an adverse effect or specific harm, such as evidence that personal information was misused or stolen, to have standing to sue under BIPA. A procedural violation was sufficient to support a claim under the act, the court ruled.

Best Practices: Do You Really Need That Biometric Information?

Since companies are in effect subject to strict liability for BIPA violations, those who possess and use biometrics must take all necessary steps to ensure compliance. As the court noted in Rosenbach:

“[c]ompliance should not be difficult; whatever expenses a business might incur to meet the law’s requirements are likely to be insignificant compared to the substantial and irreversible harm that could result if biometric identifiers and information are not properly safeguarded…”

Consider the following when reviewing your company’s use of – and need for – biometric information:

  • Only collect biometric information if you truly need it.
  • Don’t collect any more information than absolutely necessary for a lawful purpose related to your company’s operations or functions.
  • Do not retain biometric information any longer than necessary.
  • Ensure that any unneeded biometric information is safely destroyed.
  • When destroying biometric information, conduct a thorough inventory of all places where it may have been stored, such as back-up files, employees’ devices, or with third-party vendors.
  • Implement appropriate administrative, physical, and technical safeguards to limit access to biometric information.
  • Conduct an audit of security protocols, policies, and procedures for BIPA compliance.
  • Develop and implement a breach containment and remediation plan.

Let Us Help

If you are a business owner who needs assistance ensuring that your business complies with the CCPA or other data privacy regulations, we welcome the opportunity to help. Please contact one of our data protection attorneys, Colin O’Brien at cobrien@llflegal.com, John Ambrogi at jambrogi@llflegal.com, Brian LeVay at blevay@llflegal.com, or Avery Buffa at abuffa@llflegal.com, if you have any questions or comments.