Retina scanning, facial recognition, and fingerprint sensors were all once limited to James Bond movies and Sci-fi novels; today, this technology is a fundamental tool that businesses use to track attendance, protect information, and monitor productivity of its employees. The ease of use and growth in popularity of these tools, however, has been met with privacy concerns regarding the collection, storage, and scope of use of this most sensitive information. These concerns have led states to adopt legislation for the stated purpose of protecting privacy rights.
The Biometric Privacy Act (BIPA)
The earliest example of a biometric privacy act is the Biometric Information Privacy Act (BIPA), passed in Illinois in 2008. Notably, BIPA does not prohibit the use of or collection of biometric data but rather establishes a series of requirements meant to protect it. BIPA requires a private entity that collects biometric information to inform the individuals from whom they collect the information why they are collecting the data and for how long and must obtain a sufficient written release from that individual. Second, BIPA states that biometric data cannot be sold, traded, leased, or used for profit in any manner. Third, the biometric data cannot be shared without the individual’s consent unless required by law. Lastly and most importantly, the BIPA creates a private right of action that allows an individual to enforce violations of the statute; BIPA provides remedies of $5,000 for each willful violation and $1,000 for each negligent violation.
BIPA in action: Rosenbach v. Six Flags Entertainment Corp.
Recent Illinois Court decisions have fueled a nationwide debate surrounding the inclusion of the private right of action in proposed legislation. Specifically, it once was thought that an individual must show actual harm in order to have standing under BIPA. The Illinois Supreme Court, however, unanimously disagreed.
In Rosenbach v. Six Flags Entertainment Corp., a mother sued on behalf of her 14-year old son alleging violations of BIPA after her son was required to scan his thumb in order to receive a season pass at the Gurnee Six Flags location, without being informed why his biometric data was collected and for how long it would be stored. The plaintiff's mother contended it was this lack of information that violated the Act. Six Flags argued that it could not be held liable unless the plaintiff could demonstrate an actual injury or adverse effect beyond mere violation of his or her rights under the statute. The Illinois Supreme Court unanimously held that a person need not have sustained actual damages to bring a claim under the state and that a private entity that collects biometric information potentially is liable for mere technical violations of BIPA.
Beyond Illinois: state biometric privacy laws
BIPA is an example to other states considering biometric privacy legislation, several of which have already followed Illinois' lead. Texas and Washington have passed biometric privacy laws, and the California Consumer Privacy Act goes into effect on January 1, 2020. Additionally, Arizona, Florida, and Massachusetts have proposed legislation addressing biometric privacy. The debate centers on whether to allow only a state’s attorney general to enforce the privacy act or create a private right of action allowing individuals to enforce the act on their own or via class action.
Looking ahead: businesses implications
The Rosenbach ruling has left private entities doing business in Illinois vulnerable to consumer claims under BIPA for collection of biometric data. We already have seen a drastic increase in the number of BIPA lawsuits filed, and anticipate that these lawsuits will proceed beyond the initial pleading stages, surviving motions to dismiss.
This is an area that needs to be monitored in order to protect businesses from unknowingly exposing themselves to increased liability. If states around the country adopt the Illinois approach, this could lead to wide reaching implication for businesses that collect biometric information.