Seyfarth Synopsis: The Illinois Supreme Court has held that a plaintiff may sue for mere violation of BIPA, regardless of injury. The ruling will likely greatly increase the potential exposure of companies in actions alleging violations of the Act and makes strict compliance with the Act significantly more important. Accordingly, businesses using or licensing biometric technology in Illinois or collecting or receiving biometric data on individuals in Illinois must take immediate compliance measures or else face the potential of significant liability and damages in class action litigation.
The Illinois Biometric Information Privacy Act
As biometric technology has become more advanced and affordable, more businesses have begun implementing procedures and systems that rely on biometric technology for various purposes including for consumer transactions, identity verification, user authentication, payment processing, and other safety and security purposes. BIPA regulates the “collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.” BIPA creates a limited right of action for “person[s] aggrieved by a violation” of its terms. A person may recover actual damages or statutory damages of $1,000 for a negligent violation and $5,000 for an intentional or reckless violation. The act potentially implicates any business using biometric technology in Illinois or collecting, receiving, using, or possessing biometric data on an individual in Illinois even if that collection, receipt, use, or possession occurs outside of Illinois.
Requirements of the BIPA
Notice and Consent: BIPA prohibits companies from collecting employees’ biometric information until the company notifies the employee in writing that the information is being collected. The notice must inform the employee of the “specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored and used.” 740 ILCS § 14/15(b). Likewise, before collecting the biometric information, a company must obtain a “written release” from the employee enabling it to collect and store the information. A “written release” is defined as “informed written consent or, in the context of employment, a release executed by an employee as a condition of employment.”
Written Policy: BIPA also requires companies to develop a written policy establishing a retention schedule and guidelines for permanently destroying biometric information when the initial purpose for collecting it has been satisfied or within three years of the employee’s last interaction with the employer, whichever occurs first. The policy must be publicly available for review.
Disclosure to Third Parties: In addition, a company may not disclose biometric information to a third party unless the disclosing company obtains consent for disclosure from the employee; the disclosure completes a financial transaction requested by the employee; the disclosure is required by law; or the disclosure is required by a valid warrant or subpoena.
Standard of Care: Last, BIPA requires that a company use “the reasonable standard of care” within its industry for storing, transmitting and protecting biometric information and act “in a manner that is the same as or more protective than the manner in which the [company] stores, transmits and protects other confidential and sensitive information.”
Plaintiff had purchased a season pass for her son to attend an amusement park. As part of the registration process, Plaintiff’s son had to provide his personal information and thumbprint, which was scanned into Defendants’ biometric data capture system and linked to his season pass card. Defendants used their pass cards in combination with collected thumbprints to verify consumers’ identity for admission.
After Plaintiff’s son visited Defendants’ park, she filed a putative class action against them, alleging that their registration and admission processes violated BIPA. Plaintiff alleged that she and her son were not given proper notice regarding Defendants’ fingerprint collection; that she and her son did not consent in writing to Defendants’ collection, storage, or use of her son’s fingerprint; and that Defendants did not have a written policy that complied with the BIPA.
Defendants moved to dismiss the complaint, arguing that Plaintiff’s son was not “aggrieved” as required to assert a claim under the BIPA because he had not suffered any actual or threatened injury. But the trial court denied Defendants’ motion to dismiss.
Defendants appealed, and, in late 2017, the Illinois Appellate Court reversed the trial court’s ruling. The Illinois Appellate Court held that a plaintiff is not “aggrieved” merely because a defendant violated the statute but rather, to be aggrieved, a plaintiff must show some injury or adverse effect arising from the violation. Plaintiff then appealed to the Illinois Supreme Court.
The Illinois Supreme Court’s Decision
The Illinois Supreme Court reversed, holding that a person is aggrieved by a mere violation of BIPA. The court reasoned that “[a] person is prejudiced or aggrieved, in the legal sense, when a legal right is invaded by the act complained of or his pecuniary interest is directly affected by the decree or judgment.” The court declared that “[n]o additional consequences need be pleaded or proved. The violation, in itself, is sufficient to support the individual’s or customer’s statutory cause of action.”
The court explained that BIPA vests in individuals and customers the right to control their biometric information by requiring notice before collection and giving them the power to say no by withholding consent. The court viewed these procedural protections as particularly crucial in our digital world because technology now permits the wholesale collection and storage of an individual’s unique biometric identifiers—identifiers that cannot be changed if compromised or misused. The court opined that “[w]hen a private entity fails to adhere to the statutory procedures, as defendants are alleged to have done here, the right of the individual to maintain [his or] her biometric privacy vanishes into thin air. The precise harm the Illinois legislature sought to prevent is then realized. This is no mere ‘technicality.’ The injury is real and significant.”
What The Decision Means For Businesses
The decision will make it significantly easier for individuals to assert causes of action and seek damages for mere non-compliance with BIPA’s requirements – absent any allegations of harm or injury. In that regard, the decision makes it of utmost importance that companies take strict measures to comply with BIPA’s requirements regardless of how or why they are using biometric technology or possessing biometric data on individuals in Illinois (including individuals whose presence is transitory or temporary, such as for employment or tourism). As the Illinois Supreme Court noted, “[w]hatever expenses a business might incur to meet the law’s requirements are likely to be insignificant,” in light of the potential for “liability for failure to comply with [BIPA’s] requirements.” Accordingly, the decision gives companies “the strongest possible incentive to conform to the law and prevent problems before they occur and cannot be undone.”