Photo of Richard Hu

Richard is a regulatory attorney and litigator who helps companies resolve complex gaming law, data privacy and healthcare issues affecting their businesses. His experience includes data privacy, commercial litigation, labor and employment litigation and compliance, regulatory compliance defense, healthcare regulatory litigation and compliance, and medical cannabis licensing and compliance.

On Jan. 25, 2019, the Illinois Supreme Court issued a landmark opinion in Rosenbach v. Six Flags Entertainment Corporation, a case brought under the Illinois Biometric Information Privacy Act (“BIPA”). 740 ILCS 14/1 et seq. The court reversed the decision of the Illinois appellate court and held that a plaintiff may bring a lawsuit under BIPA as an “aggrieved” party based upon a defendant’s violation of the statutory requirements of BIPA and without the plaintiff being required to show actual damages.

The court’s decision has important ramifications for the many lawsuits that have already been brought under BIPA and opens the way for plaintiffs to seek BIPA’s liquidated damages and injunctive relief based upon technical violations of the statute.


Continue Reading

The Background of the Law

Of late, the U.S. private sector has been abuzz with the European Union’s new General Data Protection Regulations and the implementation of the same. However, savvy companies cannot forget that state legislatures have been for some time enacting statutes aimed at protecting its residents in how businesses use and disseminate their personal information. In 2008, Illinois became one of the first states to be mindful of the uniqueness of biometrics with the passage of the Biometric Information Privacy Act (“BIPA”), 740 ILCS 14/5, et seq. BIPA provides standards of conduct for private entities in connection with the collection, use, retention, and destruction of “biometric identifiers” and “biometric information.” A “biometric identifier” is defined as a retina or iris scan, fingerprint, voiceprint, or scan of a person’s hand or face geometry while “biometric information” is defined as “any information … based on an individual’s biometric identifier used to identify an individual,” 740 ILCS 14/10. Under BIPA, a private entity in possession of such identifiers and information must establish written policies regarding their retention and destruction and cannot obtain such data unless it: (1) informs the subject of the collection; (2) informs the subject of the specific purpose for the collection and how long the data would be stored; and (3) receives written consent from the subject. 740 ILCS 10/15(b). Importantly, BIPA also provides a private cause of action for “[a]ny person aggrieved by a violation” of the statute and the greater of $1,000 in liquidated damages or actual damages for negligent violations and the greater of $5,000 in liquidated damages or actual damages for intentional or reckless violations. 740 ILCS 14/20(1) and (2). The statute also provides for reasonable attorneys’ fees and costs. 740 ILCS 14/20(3).

While initially dormant, BIPA became the focal point for a flurry of class action lawsuits starting in 2015 against social media websites that used facial recognition for photo tagging purposes. More recently, it has been used increasingly against employers who had timekeeping systems that required fingerprinting scans. At that time, many companies were unaware that BIPA even existed or that it could apply to the technology they were using.


Continue Reading