The Background of the Law
Of late, the U.S. private sector has been abuzz with the European Union’s new General Data Protection Regulations and the implementation of the same. However, savvy companies cannot forget that state legislatures have been for some time enacting statutes aimed at protecting its residents in how businesses use and disseminate their personal information. In 2008, Illinois became one of the first states to be mindful of the uniqueness of biometrics with the passage of the Biometric Information Privacy Act (“BIPA”), 740 ILCS 14/5, et seq. BIPA provides standards of conduct for private entities in connection with the collection, use, retention, and destruction of “biometric identifiers” and “biometric information.” A “biometric identifier” is defined as a retina or iris scan, fingerprint, voiceprint, or scan of a person’s hand or face geometry while “biometric information” is defined as “any information … based on an individual’s biometric identifier used to identify an individual,” 740 ILCS 14/10. Under BIPA, a private entity in possession of such identifiers and information must establish written policies regarding their retention and destruction and cannot obtain such data unless it: (1) informs the subject of the collection; (2) informs the subject of the specific purpose for the collection and how long the data would be stored; and (3) receives written consent from the subject. 740 ILCS 10/15(b). Importantly, BIPA also provides a private cause of action for “[a]ny person aggrieved by a violation” of the statute and the greater of $1,000 in liquidated damages or actual damages for negligent violations and the greater of $5,000 in liquidated damages or actual damages for intentional or reckless violations. 740 ILCS 14/20(1) and (2). The statute also provides for reasonable attorneys’ fees and costs. 740 ILCS 14/20(3).
While initially dormant, BIPA became the focal point for a flurry of class action lawsuits starting in 2015 against social media websites that used facial recognition for photo tagging purposes. More recently, it has been used increasingly against employers who had timekeeping systems that required fingerprinting scans. At that time, many companies were unaware that BIPA even existed or that it could apply to the technology they were using.