Loyola University Chicago School of Law, JD 2020
In 2008, the Illinois legislature introduced and passed the Biometric Information Privacy Act (BIPA), which became the first law of its kind in the US. BIPA was passed to protect individuals against the unlawful collection and storing of biometric information. While many states have enacted similar laws, BIPA remains the most stringent among its contemporaries.
What is BIPA?
BIPA has five main elements: (1) companies must obtain informed consent before collecting the biometric data, (2) they have a limited right to disclose this data, (3) there is a prohibition against profiting from the data, (4) there are responsibilities about the appropriate safeguards and destruction surrounding the data, and (5) individuals are entitled to a private right of action.
BIPA’s definition of “biometric data” is broad. It covers fingerprints and other information that can be used to personally identify an individual, and in the employment context such data is most often collected for timekeeping purposes.
BIPA is unusual in that it provides a private right of action to individuals. It gives employees who believe their employers are collecting their biometric data without their consent an avenue to seek relief. Individuals can seek damages ranging from $1,000 to $5,000 per violation, depending on whether the violation was negligent or intentional. Currently, BIPA is the only biometric privacy law in the U.S. that provides a private right of action.
Recent Illinois case law
BIPA’s private right of action has led to confusion, and currently a major point of contention is whether a purely technical violation of BIPA is enough to bring a private cause of action.
In McGinnis v. US Cold Storage, the district court held that the plaintiff did not have standing to bring a private cause of action for a technical BIPA violation. In this case, the plaintiff’s employer had retained his fingerprints without obtaining the required informed consent, and the employer had no written retention or destruction plan. But the court held that because the employee “knew” that his fingerprints were collected every day when he punched in, notice to and consent from the plaintiff were implied. The court also found that there was no actual improper disclosure of the data.
In Santana v. Take-Two Interactive Software, Inc., the U.S. Court of Appeals for the Second Circuit, applying BIPA, likewise held that the plaintiff lacked standing for a technical violation of BIPA. Once again, the court said there was no actual improper disclosure of the data, and the plaintiff had given implied consent because he knew his biometrics were being collected.
But in Dixon v. Wash. & Jane Smith Cmty, the district court held that while the plaintiff had alleged technical violations, she had also alleged that her employer disclosed her data without her knowledge and thus violated “her right to privacy in her biometric information.” The court stated that invasion of privacy suits are not new and that violations of the right to privacy have long been recognized by the courts as a valid basis for a suit.
In sum, some courts have held that a technical violation alone is not sufficient, while others have held that it is. Interpretation of BIPA is mixed, and it is not clear how broadly BIPA will be read in the future.
What have other states done?
Texas was the first state to follow Illinois and pass a similar law, Texas Business and Commerce Code §503.001, which has been called “BIPA lite.” The statute applies to “biometric identifiers,” which are similar in nature to those covered by BIPA; however, it applies only to data that has been “capture[d]” for a “commercial purpose,” and it does not provide a private right of action. Only the Texas Attorney General may bring suit.
In 2017, Washington’s legislature passed the Washington Biometric Privacy Act, which protects biometric identifiers that are collected for commercial purposes. Washington’s Act explicitly exempts employers’ use of this data for security purposes.
In February 2019, Florida introduced legislation that would have been the most similar to BIPA, called the Florida Biometric Information Privacy Act. The Florida act would have provided a private right of action and instituted the same penalties as BIPA. However, it failed in committee.
How can companies maintain compliance with BIPA?
While recent case law surrounding BIPA has caused some confusion, there are ways companies can ensure overall compliance with the law. First, the company should obtain written consent from all employees that states, for example, how the data is recorded, how it will be used, and how it is stored. Second, the company should have a written internal policy that details how it will retain and destroy the data, and who will have access to it.