Illinois Biometric Information Privacy Act (BIPA)

Subscribe to Illinois Biometric Information Privacy Act (BIPA)

On February 17, 2023, the exposure risk of a company found to be violating Illinois’ Biometric Information Privacy Act (BIPA) increased to a potentially crippling amount. What was previously commonly understood to entail a maximum of $1,000 per negligent (or $5,000 for reckless) violation per plaintiff now authorizes a $5,000 fine per instance of collection, turning—for example—the nonconsensual use of an employee’s fingerprint for clocking in and out of work multiple times per day to 1,040 violations of BIPA per year if a full-time employee clocks in and/or out just four times each day, potentially resulting in estimated damages of $1,040,000 for negligent violations or $5,200,000 for reckless violations

Continue Reading BIPA Ahead: A New Ruling Introduces a Staggering Depth Beneath the Tip of the BIPA Iceberg

Illinois continues to be a hotbed of privacy litigation, in large part due to Illinois’s landmark Biometric Information Privacy Act (BIPA), which was enacted in 2008. Despite the flood of cases in the wake of Rosenbach v. Six Flags Ent. Corp., 2019 IL 123186, 129 N.E.3d 1197 (Ill. 2019), this is only the first BIPA class action lawsuit to proceed to trial. On October 12, 2022, in Richard Rogers v. BNSF Railway Company (Case No. 19-C-3083, N.D. Ill.), a federal jury in Chicago found in favor of a class of more than 44,000 truck drivers who alleged that BNSF Railway Company (BNSF) violated BIPA by unlawfully scanning employee fingerprints for identity verification purposes without giving notice and obtaining their prior written permission. U.S. District Judge Kennelly entered a judgment against BNSF for $228M in damages. This case highlights many important considerations for organizations deploying biometric technologies in Illinois, including the potential for vicarious liability for a vendor’s actions, and provides valuable insight into how damages in BIPA cases are calculated. This decision from the Illinois court demonstrates that defendants can face significant civil liability in BIPA litigation, and companies using or collecting biometric information should be aware of these risks.

Continue Reading First-Ever BIPA Trial – Jury Awards Staggering $228M in Damages

In a unanimous decision issued on February 3, 2022, the Illinois Supreme Court held in McDonald v. Symphony Bronzeville Park that the Illinois State Workers’ Compensation Act (“WCA”) did not bar claims under the Illinois’ Biometric Information Privacy Act (“BIPA”). In doing so, the court eliminated one significant defense commonly raised in such cases, since many BIPA class actions are brought in the context of employment (many of which were stayed pending the decision in McDonald). Critically, though, the decision does not preclude other potential defenses including claims of federal preemption.

BIPA is one of the most actively litigated privacy statutes in the United States. Among other things, it requires that businesses obtain consent prior to collecting biometric information (fingerprints, facial geometry information, iris scans and the like), issue a publicly available data retention policy, and refrain from certain data sales and disclosures. Because BIPA provides for a private right of action along with statutory damages of $1,000 to $5,000 per violation, it has proved fertile ground for the plaintiff’s bar.

Continue Reading Illinois Supreme Court Finds Illinois Biometric Information Privacy Act Not Preempted By State Workers’ Compensation Law

As 2021 comes to a close, so does our 12 Days of Data series, but we will see you on the other side in 2022 with more posts on the top privacy and data protection issues. 2021 was an interesting year. While vaccinations spread and some sense of normalcy started to return, new strains of COVID-19 led to additional waves of shutdowns that stalled many of the debates. In 2022, we anticipate that the move toward a new normal will continue, and we will once again start to see traction on some of these data, privacy, and cybersecurity issues. As a preview, here are some of the key areas where we expect to see potential developments in 2022.

Continue Reading Closing out the 12 Days of Data: What to Expect in 2022

Cyber SecurityAs we stand at the beginning of 2021 and a new presidential administration, we look back on the year behind us. Hindsight is always 2020, and 2020 may be best viewed in hindsight.  We saw rapid changes in the privacy space, prompted in part by the global COVID-19 response. Infrastructure and services across multiple sectors continue to rely on data and digital platforms to function. Five prominent developments shaped the data privacy environment in 2020.

Continue Reading Privacy Year in Review: 2020’s Hottest Topics

On August 8, 2019, a panel of the Ninth Circuit Court of Appeals affirmed a California district court’s decision allowing plaintiffs to proceed on claims against Facebook under the Illinois Biometric Information Privacy Act (“BIPA”), 740 Ill. Comp. Stat. 14/  (2008). Patel v. Facebook, Inc., 2019 U.S. App. LEXIS 23673. The ruling marks the first federal appellate court decision affirming a broad Article III standing precedent for plaintiffs asserting claims under BIPA – which may impact both BIPA cases as well as data breach cases under the California Consumer Privacy Act (“CCPA”). The appeals court also held that the potential for large statutory damages did not constitute grounds to refuse to certify the proposed class.

Continue Reading Ninth Circuit Affirms Ruling that Plaintiffs Have Article III Standing in Illinois Biometric Privacy Class Action