Biometric privacy litigation is on the rise in Illinois. In just a six-week period, more than 15 class actions have been filed under Illinois’s Biometric Information Privacy Act (BIPA) – compared to just a handful of cases in all prior years. What is BIPA? What are the cases about? Most importantly, how can you avoid the risks to your organization?
What is BIPA?
BIPA, which was passed in 2008, regulates the use of “biometric identifiers or information” by private entities operating in Illinois. It protects an individual’s retina or iris scans, fingerprints, voiceprints or scans of hand or face geometries (“Biometric Identifiers”). These pieces of information are increasingly being used by businesses to control access to physical facilities (for example, in data centers), sensitive IT systems and other areas.
If an organization is in possession of any biometric identifier, the law imposes three main obligations:
- The organization must develop, and make available to the public, a written policy establishing a retention and destruction schedule for Biometric Identifiers collected by the organization;
- The organization must, prior to collecting the Biometric Identifier, inform the subject that the information is being collected, explain the retention and destruction schedule and get a signed release from the subject; and
- The organization must protect the Biometric Identifiers using a “reasonable standard of care.”
What Are The Cases About?
In general, the cases are all class action lawsuits that allege that the defendants are in violation of BIPA because they have either: 1) not developed their retention schedule and made it publicly available; or 2) not obtained the proper informed, signed releases from the subjects prior to collecting their Biometric Identifiers. The statute provides for statutory damages of $1,000-$5,000 per violation (or actual damages, which are rare) and the possibility of an attorney’s fees award.
What Can Your Organization Do?
Organizations can reduce their risk of litigation exposure by adopting a compliant retention schedule and making it publicly available, obtaining informed consent before collecting Biometric Identifiers and reviewing their data security protocols for Biometric Identifiers. Now is the time to address these issues. If the past is any indication, this litigation trend only appears to be gaining steam, not slowing down.