The Background of the Law
Of late, the U.S. private sector has been abuzz with the European Union’s new General Data Protection Regulations and the implementation of the same. However, savvy companies cannot forget that state legislatures have been for some time enacting statutes aimed at protecting its residents in how businesses use and disseminate their personal information. In 2008, Illinois became one of the first states to be mindful of the uniqueness of biometrics with the passage of the Biometric Information Privacy Act (“BIPA”), 740 ILCS 14/5, et seq. BIPA provides standards of conduct for private entities in connection with the collection, use, retention, and destruction of “biometric identifiers” and “biometric information.” A “biometric identifier” is defined as a retina or iris scan, fingerprint, voiceprint, or scan of a person’s hand or face geometry while “biometric information” is defined as “any information … based on an individual’s biometric identifier used to identify an individual,” 740 ILCS 14/10. Under BIPA, a private entity in possession of such identifiers and information must establish written policies regarding their retention and destruction and cannot obtain such data unless it: (1) informs the subject of the collection; (2) informs the subject of the specific purpose for the collection and how long the data would be stored; and (3) receives written consent from the subject. 740 ILCS 10/15(b). Importantly, BIPA also provides a private cause of action for “[a]ny person aggrieved by a violation” of the statute and the greater of $1,000 in liquidated damages or actual damages for negligent violations and the greater of $5,000 in liquidated damages or actual damages for intentional or reckless violations. 740 ILCS 14/20(1) and (2). The statute also provides for reasonable attorneys’ fees and costs. 740 ILCS 14/20(3).
While initially dormant, BIPA became the focal point for a flurry of class action lawsuits starting in 2015 against social media websites that used facial recognition for photo tagging purposes. More recently, it has been used increasingly against employers who had timekeeping systems that required fingerprinting scans. At that time, many companies were unaware that BIPA even existed or that it could apply to the technology they were using.
The Current State of Confusion
While seemingly straightforward, BIPA has now become a source of conflict between two Illinois appellate courts as to what constitutes being “aggrieved” for a private cause of action. Notably, BIPA does not define “aggrieved.” On one hand, defendants have argued and some courts have agreed that to be “aggrieved,” a party must allege actual harm or adverse consequences from a violation of the statute, such as financial loss, identity theft or injury to their right to privacy. See e.g., Rosenbach v. Six Flags Entm’t Corp., 2017 IL App (2d) 170317, ¶ 23; Dixon v. Washington and Jane Smith Cmty. – Beverly, 2018 WL 244 5292, * 11 (N.D. Ill. May 31, 2018); McCollough v. Smarte Carte, Inc., 2016 WL 4077108, * 4 (N.D. Ill. Aug. 1, 2016). On the other hand, plaintiffs have argued and some courts have agreed that to be “aggrieved,” a party need only to allege that there was a violation of the statute’s notice and consent requirements, e.g. a technical violation. See e.g., Sekura v. Krishna Schaumburg Tan, Inc., 2018 IL App (1st) 180175, ¶ 50; Monroy v. Shutterfly, Inc., 2017 WL 4099846, * 8 (N.D. Ill. Sept. 15, 2017); In re Facebook Biometric Information Privacy Litigation, 2018 WL 1794295, * 7 (N.D. Cal. Apr. 16, 2018).
In Rosenbach, the Second District Appellate Court turned to federal and state case law from outside its jurisdiction, which found that alleging a technical violation did not meet the definition of being “aggrieved” and that “aggrieved” and “injured” are nearly synonymous. 2017 IL App (2d) 170317 at ¶ 21-22 (referencing McCollough, 2016 WL 4077108 and Ayudria v. McGlone Mortgage Co., 334 Wis.2d 480 (2011)). At the end, the Rosenbach court went back to the text of BIPA and concluded that “[i]f the Illinois legislature intended to allow for a private cause of action for every technical violation of the Act, it could have omitted the word ‘aggrieved’ and stated that every violation was actionable.” 2017 IL App (2d) 170317, at ¶ 23.
Whereas, in Sekura, the First District Appellate Court first analyzed the text of BIPA, but reached the exact opposite conclusion, that “[i]f the drafters had intended to limit the pool of plaintiffs to those plaintiffs who had been both aggrieved by a violation of the Act and aggrieved by some additional harm or injury, they could have easily stated that.” 2018 IL App (1st) 180175, at ¶ 50. The Sekura court also found support for its interpretation in its understanding of the purpose of BIPA – to “prevent any harm from occurring in the first place” to encourage participation in biometrics – which would not be served by forcing a person to wait until after “irretrievable harm” had occurred before suing. Id. at ¶ 59.
In May 2018, the Illinois Supreme Court accepted an appeal of the Rosenbach decision for review. The state’s highest court, however, is not expected to render a decision until early 2019. Until then, companies should expect prudent plaintiffs to begin alleging a resultant harm where possible, such as a harm to their right to privacy or mental anguish. Companies should be cognizant of BIPA’s requirements and the collection, storage, or use of biometric identifiers or information as part of their business processes (e.g. for time management or security access), even historical use. If a company collects any biometric information, using facial recognition, fingerprints or other biometric data of any employees or consumers in Illinois, you should take measures to ensure that the correct policies and procedures are in place to be in compliance with BIPA and also to minimize any risks associated with past collection practices.
For more information on this and other privacy matters, please contact me or any member Taft’s Privacy and Data Security Team.