Seyfarth Synopsis: Over the last few years, Illinois companies have quickly become aware of the risks associated with the state's unique biometric privacy law. Originally passed in 2008, the Illinois Biometric Information Privacy Act ("BIPA") made Illinois the first state to enact a policy governing the collection and storage of biometric data resulting in a surge of class action lawsuits filed by employees and consumers alleging that their biometric data was improperly collected for timekeeping, security, and consumer transactions. While filing activity under the statute remained silent for nearly a decade following its enactment, the recent explosion of class actions in Illinois under the BIPA has since made biometric privacy compliance a top priority for many employers. In today's blog, we examine this novel class action trend and provide a comprehensive analysis of the class action filing history of claims under the BIPA including the volume of class action filings, a breakdown of jurisdictions in which class actions are filed, who is filing, and the primary industries facing class actions.

Background Of The BIPA

As biometric technology has become more practical and affordable, businesses have gradually begun to utilize these innovative tools for various beneficial purposes, such as implementing biometric time clocks to prevent "buddy punching," facilitate consumer transactions, and for restricting access to secure areas. Accordingly, the BIPA was enacted by the Illinois state legislature as a reaction to the increased use of biometric technology due to the sensitive nature of biometric identifiers and associated data.

The BIPA regulates the collection, capture, and storage of "biometric identifiers," such as fingerprints, voiceprints, retina/iris scans, and scans of hand or face geometry. Specifically, the statute prohibits an entity from collecting biometric information unless it first: (1) informs individuals in writing that his or her biometric data is being captured; (2) outlines the purpose and period of time for which the data will be utilized; and (3) receives a written release from individuals consenting to the collection. Outside of these guidelines, the BIPA also includes regulations requiring a compliant, publically-available written policy, prohibits disclosure of biometric data to third-parties absent consent, and mandates a "standard of care" that businesses must adhere to in protecting biometric data.

While other states have also implemented biometric privacy statutes, the BIPA is unique because it provides a private right of action, and therefore allows plaintiffs to recover liquidated damages and attorneys' fees for violation of the statute. Under the BIPA, "[a]ny person aggrieved by a violation" can recover "liquidated damages of $1,000 or actual damages, whichever is greater" for negligent violations, and "liquidated damages of $5,000 or actual damages, whichever is greater" for intentional or reckless violations.

Since the BIPA was the first biometric privacy statute of its kind, there were still a few important questions to be answered regarding the interpretation of the law. Namely, the most pressing threshold issue was whether individuals need to sustain actual damages in order to qualify as a "person aggrieved" in order to asserts claims under the BIPA. As we blogged HERE, this question was answered in the negative by the Illinois Supreme Court in Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Ill. Jan. 25, 2019). In Rosenbach, the Illinois Supreme Court held that a person does not need to allege any actual injury or adverse effect, beyond technical violations of the statute in order to state a claim.

Download >> Biometric Privacy Class Actions By The Numbers: Analyzing Illinois' Hottest Class Action Trend

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.