Biometric Data

Subscribe to Biometric Data
Fingerprint scanner, illustrating concept of biometrics

The Illinois Supreme Court’s Ruling

On January 25, 2019, the Illinois Supreme Court issued its long awaited opinion in Rosenbach v. Six Flags Entertainment Corp, ruling that the Illinois Biometric Privacy Act, 740 ILCS 14/1 et seq. (“BIPA”) does not require an actual injury for a plaintiff to be considered “aggrieved” under the Act. The ruling, which was widely anticipated based on the court’s comments during oral argument, is widely expected to open the flood gates on class actions brought under BIPA, given the statutory damages available to plaintiffs. Indeed, in the first week since the ruling, at least 10 new BIPA class actions have been filed.

Under BIPA, parties that possess biometric identifiers (i.e. fingerprints, retina scans and voice recognition) are prohibited from (i) selling, leasing, trading or otherwise profiting from such identifiers; and (ii) otherwise disclosing or disseminating such information unless the individual consents to such disclosure. BIPA imposes penalties of $1,000 per negligent violation of the Act and $5,000 (or actual damages, whichever is greater) for intentional or reckless violations. Second, BIPA allows for the recovery of reasonable attorneys’ fees and costs, including expert witness fees.

What Next?

The court’s ruling stands at odds with the Northern District of Illinois’ recent decision in Rivera v. Google, in which that court ruled that, unless a party suffers an actual injury, it does not satisfy the “injury in fact” requirement of Article III standing to pursue a BIPA claim in Federal Court. Consequently, expect all future BIPA cases going forward to be filed in Illinois state courts.

While the Illinois Supreme Court’s ruling opens the door for an onslaught of BIPA litigation, certain defenses to such actions remain untested and will surely be litigated. For one, expect the issue of whether a plaintiff has consented to the use of his or her biometric information to be hotly contested. For plaintiffs who are employees, that likely means arguing over a company’s policies contained in a handbook or employment agreement. Indeed, employers would be well served to review their policies and agreements to specifically address its potential collection of employees’ biometric information.

Another line of defense may rest in a defendant’s ability to remove a case to federal court and then have it dismissed. If successful, a defendant could avoid liability to a plaintiff who does not suffer an actual injury if it can successfully use the parties’ diversity jurisdiction to remove the case and then argue that the plaintiff lacks Article III standing.

One thing is for sure – expect Illinois state courts to become a hotbed of BIPA litigation.

Jeffrey L. Widman writes:

Fingerprint scanner, illustrating concept of biometricsIn 2008, the Illinois legislature enacted the Illinois Biometric Privacy Act, 740 ILCS 14/1 et seq. (“BIPA”) to provide standards of conduct for private entities in connection with the collection and possession of “biometric identifiers and information.” BIPA regulates the collection, use, safeguarding, handling, storage, retention and destruction of such biometric identifiers. Biometric identifiers include retina and iris scans, fingerprints, voiceprints, and scans of hands and faces. It does not include writing samples, signatures, photographs, physical descriptions or biological materials used for medical or scientific purposes.

BIPA’s Requirements

Significantly, BIPA does not prohibit the collection or purchase of biometric identifiers. Instead, BIPA requires private entities to develop written policies to establishing a retention schedule and guidelines for the destruction of such biometric identifiers. BIPA also imposes a set of guidelines with which the entities that do possess such biometric identifiers must comply. These include requirements that such entities:

  • Inform individuals in writing that the information is being collected or stored;
  • Inform individuals in writing of the purpose and length of time for which the information is being collected and stored; and
  • Obtain written consent from individuals whose biometric information is collected;

BIPA also prohibits entities that possess biometric identifiers from (i) selling, leasing, trading or otherwise profiting from such identifiers; and (ii) otherwise disclosing or disseminating such information unless the individual consents to such disclosure, the disclosure completes a financial transaction authorized by the individual, the disclosure is required by municipal, state or federal law or the disclosure is required in response to a warrant or subpoena.

The Recent Onslaught of BIPA Class Actions

Although BIPA provides a private right of action to individuals aggrieved by a violation of the Act, plaintiff’s attorneys essentially ignored BIPA from 2008 through 2016 and few lawsuits were brought on behalf of aggrieved individuals. However, in the past year, more than 30 class actions have been filed in Illinois for purported BIPA violations. Why the trend? For one, BIPA imposes penalties of $1,000 per negligent violation of the Act and $5,000 (or actual damages, whichever is greater) for intentional or reckless violations. Second, BIPA allows for the recovery of reasonable attorneys’ fees and costs, including expert witness fees. Accordingly, BIPA is a prime target for members of the plaintiff’s bar.

Although there is little case law interpreting BIPA, the Illinois Appellate Court issued its first opinion in December 2017 addressing the Act. In Rosenbach v. Six Flags Entertainment Corp., 2017 IL App. (2d) 170317, the court, citing several Federal Court decisions, dismissed a plaintiff’s BIPA claim for failure to state a claim due to the her inability to cite actual damages. In so holding, the Court focused on whether an individual is “aggrieved” (as required by BIPA) if he or she alleges that biometric information was collected without consent, but does not allege actual injury. In dismissing the case, the appellate court found that mere technical violations are not actionable since a plaintiff is not “aggrieved” as the plain language of BIPA requires. While the opinion may deter some cases from being filed, it certainly leaves the door open for claims of actual damage and we expect BIPA cases to continue to be filed in the near future.

Jeffrey L. Widman is a partner in the firm’s Litigation Department, based in its Chicago office.

On July 23, 2017, Washington State will become the third state (after Illinois and Texas) to statutorily restrict the collection, storage and use of biometric data for commercial purposes. The Washington legislature explained its goal in enacting Washington’s new biometrics law:

The legislature intends to require a business that collects and can attribute biometric data to a specific uniquely identified individual to disclose how it uses that biometric data, and provide notice to and obtain consent from an individual before enrolling or changing the use of that individual’s biometric identifiers in a database.

— Washington Laws of 2017, ch. 299 § 1.  (See complete text of the new law here).

Washington’s new biometrics act governs three key aspects of commercial use of biometric data:

  1. collection, including notice and consent,
  2. storage, including protection and length of time, and
  3. use, including dissemination and permitted purposes.

The law focuses on “biometric identifiers,” which it defines as

data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual.

— Id. § 3(1).

The law excludes all photos, video or audio recordings, or information “collected, used, or stored for health care treatment, payment or operations” subject to HIPAA from the definition of “biometric identifiers.” Id.  It also expressly excludes biometric information collected for security purposes (id. § 3(4)), and does not apply to financial institutions subject to the Gramm-Leach-Bliley Act.  Id. § 5(1).  Importantly, the law applies only to biometric identifiers that are “enrolled in” a commercial database, which it explains means capturing a biometric identifier, converting it to a reference template that cannot be reconstructed into the original output image, and storing it in a database that links the biometric identifier to a specific individual.  Id. §§ 2, 3(5).

Statutory Ambiguity Creates Confusion

Biometric data
Copyright: altomedia / 123RF Stock Photo

Unfortunately, ambiguous statutory language, combined with rapidly-advancing technology, virtually guarantees confusion in each of the three key aspects of the new law.

Regarding collection, the new law states that a company may not “enroll a biometric identifier in a database for a commercial purpose” unless it: (1) provides notice, (2) obtains consent, or (3) “provid[es] a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose.”  Id. § 2(1).  Confusingly, the law does not specify what type of “notice” is required, except that it must be “given through a procedure reasonably designed to be readily available to affected individuals,” and its adequacy will be “context-dependent.”  Id. § 2(2).

If consent is obtained, a business may sell, lease or disclose biometric data to others for commercial use.  Id. § 2(3).  Absent consent, a business may not disclose biometric data to others except in very limited circumstances listed in the statute, including in litigation, if necessary to provide a service requested by the individual or as authorized by other law. Id. However, the new law may ultimately be read by courts or regulators as including a “one disclosure” exception because it says disclosure is allowed to any third party “who contractually promises that the biometric identifier will not be further disclosed and will not be enrolled in a database for a commercial purpose” inconsistent with the new law.  Id.

The new law also governs the storage of biometric identifiers.  Any business holding biometric data “must take reasonable care to guard against unauthorized access to and acquisition of biometric identifiers that are in the possession or control of the person.”  Id. § 2(4)(a).  Moreover, businesses are barred from retaining biometric data for any longer than “reasonably necessary” to provide services, prevent fraud, or comply with a court order.  Id. § 2(4)(b).  Here too the law fails to provide certainty, e.g., it sets no bright-line time limits on retention after customer relationships end, or how to apply these rules to ongoing but intermittent customer relationships.

The Washington legislature also barred companies that collect biometric identifiers for using them for any other purpose “materially inconsistent” with the original purpose they were collected for unless they first obtain consent.  Id. § 2(5).  Confusingly, even though notice alone is enough to authorize the original collection, it is not sufficient by itself to authorize a new use.

Interestingly, the new Washington law makes a violation of its collection, storage or use requirements a violation of the Washington Consumer Protection Act (the state analog to Section 5 of the FTC Act).  Id. § 4(1).  However, it specifically excludes any private right of action under the statute and provides for enforcement solely by the Washington State Attorney General, leaving Illinois’s Biometric Information Privacy Act as the only state biometrics law authorizing private enforcement.  Id. § 4(2).

Washington’s new law was not without controversy.  Several state legislators criticized it as imprecise and pushed to more specifically detail the activities it regulates; proponents argued that its broad language was necessary to allow flexibility for future technological advances. Ultimately, the bill passed with less than unanimous approval and was signed into law by Washington’s governor in mid-May.  It takes effect on July 23, 2017.  A similar, but not identical, Washington law takes effect the same day governing the collection, storage and use of biometric identifiers by state agencies.  (See Washington Laws of 2017, ch. 306 here).