Unpacking BIPA: the Illinois Biometric Information Privacy Act

Sydney Mann

Associate Editor

Loyola University Chicago School of Law, JD 2025

 

Illinois has been a leader in enacting state-wide data privacy laws regarding biometric data. Passed unanimously in 2008 by the Illinois legislature, the Biometric Information Privacy Act was an initiative led by the ACLU of Illinois. The goal of BIPA, as outlined by the ACLU, is to give individuals control over their biometric data and to prohibit private companies from collecting such data unless they can meet certain standards. Organizations may collect biometric data so long as they inform the consumer in writing what data is being stored and the specific purpose and length of time for which the data will be collected, stored, and used. Also, organizations must obtain the consumer’s written consent.

But what is considered ‘biometric data’? And how has the Illinois judiciary further interpreted the legislation, such that businesses must comply with Illinois state precedents? As the user data economy continues to flourish, BIPA – and any subsequent laws that follow it – will require businesses to reconsider their data collection policies and disclosures or face costly litigation as a consequence.

What is biometric data?

Biometrics, as defined by the United States Department of Homeland Security, are the “unique physical characteristics, such as fingerprints, that can be used for automated recognition.” The array of biological metrics that can be analyzed is vast, extending from hand and fingerprints to a person’s voice and facial vein patterns. Biological metrics “is the measurement and statistical analysis of an individual’s physical and behavioral characteristics.” By collecting biological data from a user, businesses and organizations aim to increase security and convenience for employees and product consumers.

However, some data collectors may use this information for tracking or other analytical purposes unrelated to the site of collection. Moreover, unlike other forms of personal information like a user’s phone number or email, biometrics cannot be changed if compromised because they are associated with one’s permanent, physical features. Thus, the level of care organizations use in securing this type of data should be extraordinarily high given the consequences if (and when) it falls into the wrong hands.

Given the intimate nature of biometric data and the duty of care owed to its protection, a practical inquiry is why collect such data in the first place. Many of us have become accustomed to unlocking our phones through facial recognition, so biometric data has been largely adopted because of consumer convenience in the at-home environment. However, biometric data has also been widely adopted by employers to create workplace efficiency. For example, biometric data can be collected for employee timekeeping via fingerprints or hand scans to punch in and out of one’s shift, retina scans for building access, and facial recognition to access employer-provided workplace equipment. Under BIPA, before an employer collects this data, it must provide written notice to the employee as to what specific data is being collected, the reason why it is being collected, and how long the employer will use or retain it. Also, the employer must receive an employee’s written release and develop a publicly available written policy that includes its retention schedule and destruction process.

BIPA is one of the oldest state-enacted biometric data privacy laws, but Illinois is not the only state with its eye on the impact of collecting sensitive data, especially in the employer-employee context. California, New York, Oregon, and Texas all have either privacy or labor laws that contain specific requirements for employers that collect biometric identifiers from their employees. Other states including Colorado, Utah, Virginia, and Washington also have biometric privacy laws, but they are more limited in the employment sphere.

With no federal law presiding, the Illinois judiciary, along with the courts of all the aforementioned states, is left to decide on its own how these laws play out case by case.

What the Court is saying about BIPA

In February 2023, the Illinois Supreme Court issued an opinion regarding BIPA in Cothron v. White Castle System which clarified, and in some respects gave a broad interpretation to, the State’s law. In a 4-3 decision, the Court held that BIPA claims accrue each time biometric data is collected or transmitted – not just the first time. Cothron v. White Castle System, Inc., 216 N.E.3d 918, 926 (Ill. 2023). In Cothron, the plaintiff was a manager of a White Castle restaurant in Illinois who brought suit over the alleged unlawful collection and disclosure of her biometric data under BIPA.

The Illinois Supreme Court looked to the plain language of the statute and found that it demonstrated that a violation occurs with every transmission or scan of biodata. This decision sent shockwaves throughout the business and legal community, given that BIPA applies to all private entities that have operations within the State of Illinois. As more cases arise, the Illinois Supreme Court can further interpret other aspects of the statute, further restricting how organizations collect this form of information.

All in all, the Biometric Information Privacy Act has certainly set Illinois apart in the state-law-privacy race. The State seems to understand the impact if this type of data collection were to go unregulated, and the Illinois Supreme Court decision in Cothron appears to show that the judiciary is also in alignment with this goal. As time moves on, it remains to be seen whether other states, or even the federal government, will follow suit in the protection of such sensitive consumer data.