Member Article

Over the last several years, the emphasis on privacy and data protection has grown significantly. With the amount of data collected by companies and technology skyrocketing, the need to protect personal information has been at the forefront of states’ legislative agendas. While all 50 states now have breach notification statutes, states are now taking a closer look at issues such as tracking online behavior and the use of biometric data. What used to be futuristic props in sci-fi media, face and fingerprint scanners, are now part of everyday life and consumer transactions. Despite the increase in the use of biometric data, only three states, Washington, Texas and Illinois have passed legislation addressing biometric data.

Illinois’ law, the Biometric Information Privacy Act (“BIPA”), has caused the most stir of the three. Enacted in 2008, it was the first statute of its kind and has been considered the strictest. BIPA is the only biometric data law that allows a private right of action for violations in the collection, use, storage, retention and destruction of biometric information, such as fingerprints and hand or face scans, among other things. When an individual proves to be a “person aggrieved” by a violation, the individual may recover liquidated damages up to $5,000 for each BIPA violation.

This private right of action has led to a new wave of litigation, most recently in the context of employment, brought by employees. With over a hundred cases filed in the last three years, litigation over BIPA has made its way to several Federal District Courts, including the Northern District of California case, In re Facebook Biometric Information Privacy Litigation. Courts are split on whether private litigants who have suffered no actual injury from a violation of BIPA can be deemed a “person aggrieved” and are entitled to the statutory damages allowed under BIPA. With discrepancies amongst the federal courts and the Second District Illinois Appellate Court, which held that an individual is not aggrieved by mere technical violations of BIPA, the Illinois Supreme Court decided to hear the case of Rosenbach v. Six Flags Entertainment Corp. to resolve the issue.

In Rosenbach, a consumer brought a claim for violations of BIPA against the theme park, which collected biometric data in connection with registering for a season pass without the requisite consent under BIPA. The consumer did not experience any actual harm and his biometric information had not been improperly disclosed. The Illinois Appellate Court ruled that to state a cognizable claim under BIPA, a plaintiff must allege more than a mere failure to comply with BIPA’s notice and consent provisions. The case was taken to the Illinois Supreme Court and arguments were heard on November 20, 2018.

During oral arguments, the Justices’ questions centered around the definition of the term ''aggrieved'' and whether the security of data was ensured when consent is not requested. The Justices’ drilled Six Flags’ counsel on whether the statute covers an aggrieved person for a mere technical violation. Illinois Supreme Court Chief Justice Lloyd A. Karmeier asked, whether a "company [could] continue to violate the law without impunity," if "aggrieved" was interpreted to not include technical violations of the statute? The Court also referenced the Illinois First District Appellate Court's decision in Sekura v. Krishna Schaumburg Tan Inc., which, unlike the Rosenbach appellate decision, found harm when a technical BIPA violation occurred. While the Justices questions are not conclusive of their decision in the matter, their questions suggested BIPA could allow for technical violations even though there are no actual damages. The matter was taken under advisement and a decision is expected in early 2019.

Regardless of the Illinois Supreme Court’s ruling, it is recommended that private entities review their BIPA compliance and take the following steps with respect to biometric data:

1. Notice & Consent. Ensure you have proper notice and consent provided to individuals upon the collection of biometric data.
2. Public Policy. Develop and publicly post a biometric data policy describing how biometric data is collected, processed, how long it is retained, and how it is destroyed.
3. Follow the Retention Schedule. Ensure that biometric data is being retained and destroyed pursuant to the stated retention policy and destruction procedures.
4. Address Third-Party Vendors. Review how biometric data is shared and used by vendors, such as timekeeping, payroll, or equipment vendors. Ensure these vendors have the appropriate notice, consents, policies, and technical safeguards in place.
5. Technical Security Safeguards. Review information systems safeguards, including the use of encryption and access control with respect to biometric information.

Dykema’s Privacy and Data Security group routinely helps both domestic and international clients not only address the pressing issues of today, but also anticipate and plan for swift regulatory changes. If you have questions on how Illinois’ Biometric Law may impact your organization, please contact Cinthia G. Motley,Ashley S.A. Jackson, or your Dykema relationship attorney.