Illinois Biometric Information Privacy Act

The Illinois Supreme Court’s Ruling

On January 25, 2019, the Illinois Supreme Court issued its long-awaited opinion in Rosenbach v. Six Flags Entertainment Corp., ruling that the Illinois Biometric Privacy Act, 740 ILCS 14/1 et seq. (“BIPA”) does not require an actual injury for a plaintiff to be considered “aggrieved” under the Act. The ruling, which was widely anticipated based on the court’s comments during oral argument, is widely expected to open the floodgates on class actions brought under BIPA, given the statutory damages available to plaintiffs. Indeed, in the first week since the ruling, at least 10 new BIPA class actions have been filed.

Under BIPA, parties that possess biometric identifiers (i.e. fingerprints, retina scans and voice recognition) are prohibited from (i) selling, leasing, trading or otherwise profiting from such identifiers; and (ii) otherwise disclosing or disseminating such information unless the individual consents to such disclosure. BIPA imposes penalties of $1,000 per negligent violation of the Act and $5,000 (or actual damages, whichever is greater) for intentional or reckless violations. BIPA also allows for the recovery of reasonable attorneys’ fees and costs, including expert witness fees.

What Next?

The court’s ruling stands at odds with the Northern District of Illinois’ recent decision in Rivera v. Google, in which that court ruled that, unless a party suffers an actual injury, it does not satisfy the “injury in fact” requirement of Article III standing to pursue a BIPA claim in federal court. Consequently, expect all future BIPA cases to be filed in Illinois state courts.

While the Illinois Supreme Court’s ruling opens the door for an onslaught of BIPA litigation, certain defenses to such actions remain untested and will surely be litigated. For one, expect the issue of whether a plaintiff has consented to the use of his or her biometric information to be hotly contested. For plaintiffs who are employees, that likely means arguing over a company’s policies contained in a handbook or employment agreement. Indeed, employers would be well served to review their policies and agreements to specifically address their potential collection of employees’ biometric information.

Another line of defense may rest in a defendant’s ability to remove a case to federal court and then have it dismissed. If successful, a defendant could avoid liability to a plaintiff who does not suffer an actual injury if it can successfully use the parties’ diversity jurisdiction to remove the case and then argue that the plaintiff lacks Article III standing.

One thing is for sure – expect Illinois state courts to become a hotbed of BIPA litigation.

Jeffrey L. Widman writes:

In 2008, the Illinois legislature enacted the Illinois Biometric Privacy Act, 740 ILCS 14/1 et seq. (“BIPA”) to provide standards of conduct for private entities in connection with the collection and possession of “biometric identifiers and information.” BIPA regulates the collection, use, safeguarding, handling, storage, retention and destruction of such biometric identifiers. Biometric identifiers include retina and iris scans, fingerprints, voiceprints, and scans of hands and faces. It does not include writing samples, signatures, photographs, physical descriptions or biological materials used for medical or scientific purposes.

BIPA’s Requirements

Significantly, BIPA does not prohibit the collection or purchase of biometric identifiers. Instead, BIPA requires private entities to develop written policies establishing a retention schedule and guidelines for the destruction of such biometric identifiers. BIPA also imposes a set of guidelines with which the entities that do possess such biometric identifiers must comply. These include requirements that such entities:

  • Inform individuals in writing that the information is being collected or stored;
  • Inform individuals in writing of the purpose and length of time for which the information is being collected and stored; and
  • Obtain written consent from individuals whose biometric information is collected.

BIPA also prohibits entities that possess biometric identifiers from (i) selling, leasing, trading or otherwise profiting from such identifiers; and (ii) otherwise disclosing or disseminating such information unless the individual consents to such disclosure, the disclosure completes a financial transaction authorized by the individual, the disclosure is required by municipal, state or federal law or the disclosure is required in response to a warrant or subpoena.

The Recent Onslaught of BIPA Class Actions

Although BIPA provides a private right of action to individuals aggrieved by a violation of the Act, plaintiffs’ attorneys essentially ignored BIPA from 2008 through 2016 and few lawsuits were brought on behalf of aggrieved individuals. However, in the past year, more than 30 class actions have been filed in Illinois for purported BIPA violations. Why the trend? For one, BIPA imposes penalties of $1,000 per negligent violation of the Act and $5,000 (or actual damages, whichever is greater) for intentional or reckless violations. Second, BIPA allows for the recovery of reasonable attorneys’ fees and costs, including expert witness fees. Accordingly, BIPA is a prime target for members of the plaintiffs’ bar.

Although there is little case law interpreting BIPA, the Illinois Appellate Court issued its first opinion in December 2017 addressing the Act. In Rosenbach v. Six Flags Entertainment Corp., 2017 IL App. (2d) 170317, the court, citing several federal court decisions, dismissed a plaintiff’s BIPA claim for failure to state a claim due to her inability to cite actual damages. In so holding, the court focused on whether an individual is “aggrieved” (as required by BIPA) if he or she alleges that biometric information was collected without consent, but does not allege actual injury. In dismissing the case, the appellate court found that mere technical violations are not actionable since a plaintiff is not “aggrieved” as the plain language of BIPA requires. While the opinion may deter some cases from being filed, it certainly leaves the door open for claims of actual damage and we expect BIPA cases to continue to be filed in the near future.


Jeffrey L. Widman is a partner in the firm’s Litigation Department, based in its Chicago office.

A number of employers in Illinois are involved in pending class action litigation regarding violations of the Illinois Biometric Information Privacy Act, 740 ILCS 14/1, et seq. (the “BIPA”). The BIPA, which was enacted in 2008, addresses the collection, use and retention of biometric information by private entities. Any information that is captured, stored, or shared based on a person’s biometric identifiers, such as fingerprints, iris scans, or blood type, is considered “biometric information.” The Illinois Legislature enacted the BIPA because biometric information is unlike any other unique identifier in that it can never be changed, even once it has been compromised.

The BIPA requires that, before a private entity can obtain and/or possess an individual’s biometric information, it must first inform the individual, or the individual’s legally authorized representative, in writing of the following: (1) that biometric information is being collected or stored; (2) the specific purpose for the collection, storage, and use of the biometric information; and (3) the length of time for the collection, storage, and use of the biometric information. Furthermore, before collecting any biometric information, the private entity must receive a written release for the collection of the biometric information from the individual or the individual’s legally authorized representative after the above notice has been given.

The BIPA additionally requires the private entity to develop a written policy that establishes a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information. That policy must be made available to the public. The collected information must be destroyed once “the initial purpose for collecting or obtaining such information has been satisfied or within 3 years of the individual’s last interaction with the private entity, whichever occurs first.” 740 ILCS 14/15. In the pending cases, the private entity employers failed to obtain informed written consent prior to the collection, storage, and use of fingerprints and other biometric information. The employers also failed to publish any data retention and deletion policies for the biometric information.

The BIPA also restricts a private entity’s right to sell, lease, trade or otherwise profit from a person’s biometric identifier or biometric information. An employer who adheres to the requirements of the BIPA will be able to avoid class action litigation on this issue and maintain compliance with industry standards.