Technology Giants Facing Historical BIPA Violations  

Carén Oliver

Associate Editor

Loyola University Chicago School of Law, JD 2024


A settlement has been reached in a $100 million dollar class action lawsuit against Google impacting an estimated 1.4 million Illinois resident users. The order comes as a result of Rivera, et al. v. Google LLC , where users photographs appeared in the storage application service, known as Google Photos, without having acquired proper consent nor provided notice to its users. Google is only one of many technology giants joining trending litigation in violation of the Biometric Information Privacy Act (BIPA).  While this settlement  is one of the largest in Illinois to date, one can expect there to be more class-action lawsuits on the way.

BIPA protections

BIPA was enacted in 2008. The landmark legislation has transformed the ways in which businesses are permitted to collect biometric information from its consumers. BIPA forces businesses to take vital steps to protect its consumers biometric information to avoid monetary penalties and punitive damages. The legislation allows Illinois citizens to exercise the laws private right of action against parties they felt have violated their privacy rights pursuant to the Act. BIPA’s comprehensive set of rules have several critical components including requiring prior informed consent, permitting a limited right to disclosure, mandating protection obligations and retention guidelines, prohibiting profiting from biometric data, and providing statutory damages of up to $1,000 per negligent violation, and up to $5,000 per intentional or reckless violation.

BIPA impact

Facebook, reached a $650 million class-action settlement  as a result of violating BIPA when it failed to obtain consent by its users to implement a new facial-recognition technology that stored user images enabling a tag feature.  This facial tag feature allowed for an auto populated option to tag an individual on any given uploaded photo based on store biometrics. What was once a beneficial Facebook feature turned into one of the largest privacy violation settlements in history.

What began as a focus on facial recognition technology has expanded to other technologies including fingerprint recognition, handprint recognition, key stroke recognition, and voice prints. Companies have taken advantage of automated finger printing systems to require employees to have their fingerprints or handprint collected, capturing the biometric data of its employees as an authentication method for clocking in and out. Subway is one of many companies facing the repercussion of not following proper standards and procedures to meet the requirements of BIPA by capturing and storing employee fingerprints without proper consent nor adequate notice.

 BIPA violations

While the use of biometrics is a growing method used within the business and security screening sectors with the intention to streamline financial transactions and security screenings, companies are skating a fine line in violating user privacy rights. The information is being used beyond the scope of its original intent but to enhance consumer marketing. Consumer information is being collected under the impression of convenience without being notified that their biometric information is being stored to better tailor marketing strategies on behalf of the companies involved. Companies have often secured the latest technology to keep up with the latest trends, however they have failed to secure proper protocols. Many do not have written policies governing the retention and permanent destruction of biometric information, informing its users in writing that their biometric information is being collected or stored, providing in writing the specific purpose and length of time for which their users biometric information is being stored and used, nor obtaining their written consent.

While legislature has a ways to go, it is evident that companies like Clearview AI, who agreed to stall its facial databases in the United States, are shifting the focus in their business model, in an attempt to comply with BIPA. The numerous pending litigations involving BIPA violations, demonstrate a clear need for regulatory experts as trusted advisors in the industry to assist in bridging business goals with its compliance responsibilities. Regardless of the threat of a lawsuit, consumers are entitled to full autonomy over their biometric information, and companies need to make efforts to improve protections for consumers.