Enacted in 2008, Illinois’ Biometric Information Privacy Act (740 ILCS 14/1 or BIPA), generally requires companies to obtain a person’s consent before collecting, capturing, or purchasing a person’s “biometric identifier” or “biometric information.” Since late 2015, at least six cases have been filed alleging claims under the statute, and the first reported settlement was approved for $1.5 million dollars on December 1, 2016. While Illinois and Texas are currently the only states with such laws on the books, five other states have pending biometric legislation in committee review.
The increase in cases filed in the last 14 months and potential new legislation in other states strongly suggest that companies should assess the biometric information its products or services collect, as updates may be needed for notice, consent, and data retention policies and practices.
Recent Case Law Developments
Most of the cases involving BIPA claims have been decided on the basis of whether the information at issue constitutes “biometric identifiers” or “biometric information” under the statute, or whether the plaintiffs’ allegations sufficiently confer Article III standing. A recent ruling in the Northern District of Illinois, interpreting the definition of “biometric identifiers,” allows a class action against Google Inc. to proceed. See Rivera v. Google Inc., No. 1:16-cv-02714 (N.D. Ill. Feb. 27, 2017).
While Google argued that the images at issue were excluded from BIPA because they are derived from photographs, and only facial scans done in person qualify as biometric identifiers, the Court rejected that reasoning, stating that “if Goggle simply captured and stored the photographs and did not measure and generate scans of face geometry, then there would be no violation of the Act.” Rivera, slip op. at 15. After the plaintiffs’ filed a second amended complaint, Google asked the Northern District on March 9 to amend its February 27, 2017 decision and stay the proceedings while the Seventh Circuit decides whether to grant Google’s application for an appeal.
In January, a district court in New York dismissed a lawsuit involving BIPA, finding that the procedural violations of the notice and consent provisions are not by themselves, sufficient to confer standing. See Vigil v. Take-Two Interactive Software, Inc., No. 15-8211 (S.D.N.Y. Jan. 30, 2017). The Court’s reasoning in Vigil was similar to the conclusions reached in McCollough v. Smarte Carte, Inc., No. 16 C 03777, 2016 WL 4077108, at *4 (N.D. Ill. Aug. 1, 2016), where the Court granted defendant’s motion to dismiss on lack of standing, finding that failure to obtain prior written consent to retain fingerprint data was not a concrete harm.
Pending Legislation in Other States
Because Illinois provides a private cause of action, unlike Texas’ statute which only allows for enforcement through the attorney general, BIPA serves as the model for other states enacting biometric laws. Other states considering such legislation include:
Similar to BIPA, the bill prohibits the collection of an individual’s biometric data without proper notice and consent, requires timely disposal after the data is no longer needed, and provides for a private right of action.
This bill takes a very different approach compared to BIPA, focusing only on prohibiting the use of facial recognition for marketing purposes.
Illinois has recently proposed an amendment that would prohibit companies from requiring a person or customer to provide biometric identifier/information as a condition for the provision of goods or services, except to the extent necessary to conduct background checks or implement security protocols.
The amendment would not apply to companies that provide medical services, law enforcement agencies or governmental agencies.
If enacted, the legislation prohibits a private entity from collecting, storing, and using a person’s biometric data without a person’s consent and establishes procedures for the sale, disclosure, protection, and disposal of biometric information.
Like BIPA, the bill would regulate the collection, retention, and use of biometric information by individuals and private entities. The bill grants aggrieved persons a private right of action.
While its core purpose appears similar to BIPA, several limitations narrow the bills overall effect. For example, the bill carves out an exception to any notice and consent requirements when biometric data is collected and stored “in furtherance of a security purpose.”
The bill also provides that the prohibitions on disclosure and retention of biometric identifiers do not apply to disclosure or retention of biometric identifiers “that have been unenrolled” (a term suggesting anonymized or de-identified biometric data). Like Texas, the bill would not provide a private right of action.
Key Implications for Businesses
BIPA was passed in part because the Illinois legislature anticipated that companies would increasingly use biometric data to facilitate financial transactions, and unlike other personally identifiable information, cannot realistically be changed if subject to theft. The legislature’s predictions were accurate as biometric information is utilized not only to process financial transactions, but to gain entry to cars and buildings, to pass airport security, and to login-in to accounts on mobile devices.
While the proposed legislation has not been passed yet, in any of the five states, there is a clear trend emerging to adopt state-level biometric legislation. As a result, businesses must ensure that its notice, consent, and disposal policies and procedures align with currently enacted legislation and are agile and amenable to updates as other states may endorse similar biometric statutes.