Biometric Data Privacy Law

The U.S. Court of Appeals upheld a dismissal of a case in which two Illinois residents sued a video company, under the Illinois Biometric Information Privacy Act (BIPA). Images of the two people had been created to be used in a videogame. Both players had agreed to the game's conditions that contained a notice about the recording of their facial features. The players sued, contending the company had failed to provide them with written notice, protect their privacy and had stored their information indefinitely. The federal court rejected the argument, noting the two individuals had not suffered harm and knew their likenesses would be recorded after giving their consent.

The Illinois Biometric Information Privacy Act (BIPA) governs the collection, storage, and use of biometric information, as defined by the statute, requiring notice and written consent before a person’s biometric information is collected. BIPA also prohibits private entities from selling biometric information, restricts the disclosure thereof, and requires reasonable care be taken in storing or transmitting biometric identifiers and information. BIPA allows any “person aggrieved” by a statutory violation to sue for the greater of either actual damages or “liquidated damages” of $1,000 for a negligent violation or $5,000 for an intentional or reckless violation. Reasonable attorneys’ fees and injunctive relief are also available.

At last report, more than two dozen putative class actions have been filed in Illinois courts, almost all of which are against employers alleging BIPA violations in connection with fingerprint scans used for time-keeping purposes. No industry is immune; recent class actions name retailers, a fast-food franchise, a trucking company, a nursing home, an airline cargo handling company, major U.S. airlines, a hotel chain, an ambulance company, a food manufacturer, and a supermarket chain.