How Cases Relating to the Illinois Biometric Information Privacy Act (BIPA) are Shaping Biometric Privacy in the U.S.

The Illinois Biometric Information Privacy Act (BIPA), which was enacted in 2008, continues to garner attention because businesses have increasingly begun to implement biometric security measures. Collecting personal information without consent via biometrics and transmitting the data to third parties (again without consent) directly violates BIPA. Failure to obtain that consent is becoming a serious issue for a number of businesses.

The main focus of the Illinois BIPA is to protect individuals, specifically employees, from the potential consequences of employer use of biometric technology and permits courts, in their discretion, to award damages for violations of the Act. In February 2023, the Illinois Supreme Court issued two important decisions involving the BIPA.

In the first case, Tims v. Black Horse Carriers, Inc., the court found that there was a five-year statute of limitations for BIPA claims. As a result of this decision, the number of actionable claims under the Act twill likely increase significantly as will the amount of damages non-compliant businesses will be required to pay.

In the second case, Cothron v. White Castle System, Inc., the court found that a claim accrues under the Act each time biometric data is gathered without consent. This means that each scan and transmission of personal data – even if it’s daily or more often than that – will count toward the damages. This obviously can lead to dire consequences for non-compliant businesses. For example, based on the Court’s ruling, the damages in Cothron may exceed $17 billion. It should come as no surprise that a damage award of this size could ruin all but the biggest companies. However, the court also found that no part of the Act called for the “financial destruction” of a business. The court therefore urged the legislature to review their intent for handling potentially ruinous monetary damages.

It is clear that these rulings may have severe impacts for businesses accused of non-compliance for years to come. While this rulings concern Illinois and its BIPA, it’s worth noting that this sort of regulation is expected to spread. Right now, Illinois, Texas, and Washington are the only states that have biometric specific laws, with Illinois being the only one that gives individuals a private right of action. However, since the start of 2023, at least 15 biometric privacy laws have been proposed in 11 other states (including Arizona, Hawaii, Maryland, Massachusetts, Minnesota, Mississippi, Missouri, New York, Tennessee, Vermont, and Washington).

Since we can expect that the majority of these new regulations will be based on Illinois’ BIPA in some fashion, you may want to consider preparing your business for compliance by, among other things:

• Reviewing the technology in your workplace to identify when and where biometric information is gathered.
• Updating employee handbooks and workplace policies to share how this technology is being used.
• Obtaining appropriate consent every time biometric information is collected, in compliance with BIPA.
• Documenting the consent given and ensuring it matches what you’ve outlined in your employee handbooks and workplace policies.
• Reviewing your business insurance policies for potential coverage gaps regarding data privacy claims.

Finally, you should, of course, consider consulting a lawyer who is knowledgeable about the specific BIPA that applies to your business so that you can ensure that you are fully compliant.

The information presented here is for general educational purposes only. It does not constitute legal advice and does not create an attorney-client relationship.