Recently, the Illinois Biometric Information Privacy Act, 740 ILCS 14/1, et seq. (BIPA) has received a lot of attention after the Illinois Supreme Court’s decision earlier this year in Rosenbach v. Six Flags Entertainment Corp., where the Court held that a plaintiff need not allege an “actual injury or adverse effect, beyond violation of his or her rights under the Act [BIPA], in order to qualify as an aggrieved person.” We previously discussed the implications of this ruling and the resulting concerns surrounding the collection and use of biometric information and technology by companies operating in Illinois here as well as BIPA’s implications for employers here.
We previously explained that because of the implications of the Rosenbach case it would be worth watching whether the Illinois legislature reacted following the ruling—not only for companies operating in Illinois but also looking ahead to how other states would handle biometric privacy laws. Lo and behold, we did not have to wait long!
A bill introduced in the Illinois state legislature, SB2134, would amend BIPA to remove the private right of action. If passed, it would not only foreclose future outcomes like the Rosenbach case but also curtail the growing wave of BIPA litigation. The proposed amendment would instead vest enforcement authority in the Illinois Attorney General and the Illinois Department of Labor, as follows:
- First, any violation of BIPA would constitute a violation of the Illinois Consumer Fraud and Deceptive Business Practices Act and may be enforced by the Illinois Attorney General.
- Second, under the amendment, BIPA enforcement authority is provided to the Illinois Department of Labor (DOL) for violations that result from the collection of biometric information by an employer for employment, human resources, fraud prevention, or security purposes. Employees and former employees may file complaints with the DOL alleging a BIPA violation by submitting a signed, completed complaint form within one year of the date of violation.
While the proposed amendments would not impact the hundreds of employers currently defending BIPA class action lawsuits in Illinois, they would curtail future class actions and provide some clarity going forward. Under the current statutory scheme, employers are already seeking clarity from the courts and state legislature regarding, among other things, the statute of limitations for BIPA violations; application of the statutory damage provisions; and whether the conversion of biometric identifiers to mathematical equations by the current technologies implicates BIPA. Stay tuned.
In addition, another BIPA amendment, HB3024, was introduced in the Illinois state legislature and would amend BIPA to expand the definition of “biometric identifier” to include an “electrocardiography result from a wearable device.” The amendment does not define what constitutes a “wearable device,” but device manufacturers, health care providers, and other industry stakeholders should keep an eye on the progression of this amendment and potential implications for collection, use, maintenance, and destruction of ECG results from wearable devices, particularly with regard to interaction with other health information privacy and security laws.
For example, BIPA requires a written, publicly available retention and destruction schedule, and requires destruction of biometric identifiers and biometric information at the earlier of: (1) when the initial purpose for collecting or obtaining such identifiers or information has been satisfied; or (2) within three years of the individual’s last interaction with the entity. This destruction timeframe does not jibe with traditional health care record retention timeframes for commercial or federal health care program reimbursement, risk management and medical malpractice, or continuity of care purposes. In addition, BIPA prohibits entities from, among other things, collecting or obtaining biometric identifiers/information unless the entity first: (1) informs the individual in writing that a biometric identifier/information is being collected or stored; (2) informs the individual in writing of the retention timeframe; and (3) receives a written release. BIPA also prohibits re-disclosure without first following a similar process. These processes do not mesh with HIPAA’s standard use and disclosure obligations for treatment, payment, and health care operations.
As BIPA makes its way into the traditional health information space, the industry will need to consider how to mesh BIPA’s obligations into industry-standard health information privacy and security compliance programs and patient care practices.