Understanding the Biometric Information Privacy Act

Published on: | by

The Biometric Information Privacy Act (BIPA) is a landmark Illinois law that regulates the collection, use, and storage of biometric data. Enacted in 2008, BIPA provides some of the most stringent protections for biometric privacy in the United States. With the increasing use of biometric technology—such as fingerprint scanning, facial recognition, and retina scans—lawsuits under BIPA have surged, leading to significant rulings in both state and federal courts. This article explores the key rules and regulations of BIPA, recent court cases, and the broader implications of biometric data privacy enforcement.

Key Rules and Regulations Under BIPA

1. Scope of the Law

BIPA applies to private entities that collect, use, or store biometric identifiers or biometric information.

  • Biometric identifiers include retina scans, iris scans, fingerprints, voiceprints, and facial geometry.
  • Biometric information refers to data derived from biometric identifiers used for identification.

2. Core Requirements

Under BIPA, companies must:

  • Obtain written consent from individuals before collecting biometric data.
  • Inform individuals about the purpose and duration of data storage.
  • Develop a publicly available policy outlining retention and destruction guidelines.
  • Refrain from selling, leasing, or profiting from biometric data.
  • Store and transmit biometric data securely using industry-standard protections.

3. Private Right of Action

One of BIPA’s most unique aspects is that it grants individuals the right to sue for violations. Each violation can result in statutory damages:

  • $1,000 per negligent violation
  • $5,000 per intentional or reckless violation

This private right of action has led to a wave of class action lawsuits and multimillion-dollar settlements.

Court Cases

1. Cothron v. White Castle (2023)

  • Court: Illinois Supreme Court
  • Issue: Whether each unauthorized biometric scan constitutes a separate BIPA violation.
  • Ruling: The court ruled that each scan is a separate violation, significantly increasing liability for companies that routinely collect biometric data without proper consent.
  • Impact: This ruling has expanded potential damages for companies facing BIPA claims, leading to higher settlement values and risk assessments.

2. Tims v. Black Horse Carriers (2023)

  • Court: Illinois Supreme Court
  • Issue: The statute of limitations for BIPA claims.
  • Ruling: The court ruled that a five-year statute of limitations applies to all BIPA claims.
  • Impact: Companies now face a longer risk exposure period for lawsuits, making compliance even more critical.

3. Rogers v. BNSF Railway Co. (2022)

  • Court: U.S. District Court (Northern District of Illinois)
  • Issue: Whether a company can be held liable for biometric data collection through third-party vendors.
  • Ruling: A jury found BNSF liable for $228 million in damages for failing to obtain written consent from truck drivers scanned by third-party biometric systems.
  • Impact: This case demonstrates that companies can be held accountable for third-party biometric violations within their operations.

4. In Re: Facebook Biometric Information Privacy Litigation (2020)

  • Court: U.S. District Court (Northern District of California)
  • Issue: Facebook’s facial recognition feature allegedly violated BIPA.
  • Outcome: Facebook agreed to a $650 million settlement for failing to obtain consent before scanning users’ faces for tagging suggestions.
  • Impact: This remains one of the largest BIPA settlements and set a precedent for large-scale biometric privacy litigation.

5. Boone, et al. v. Snap Inc. (2023)

  • Court: U.S. District Court (Northern District of Illinois)
  • Issue: Whether Snap Inc.’s use of facial recognition and biometric data in its Lenses and Filters feature violated BIPA.
  • Ruling: The lawsuit alleged that Snap failed to obtain user consent before collecting biometric identifiers. While Snap argued that its technology did not store biometric data in a way covered by BIPA, the court allowed the case to proceed.
  • Impact: This case highlights growing scrutiny of social media and tech companies using biometric technology, emphasizing the need for explicit user consent and compliance with biometric privacy laws.

Future Implications and Compliance Strategies

With courts interpreting BIPA strictly and allowing large damage awards, companies must take proactive steps to ensure compliance. Best practices include:

  • Implementing clear consent procedures for biometric data collection.
  • Conducting regular audits to ensure compliance with retention and security policies.
  • Updating privacy policies to reflect biometric data handling practices.
  • Ensuring third-party vendors comply with BIPA requirements to mitigate liability.

As biometric technology expands into new industries—including healthcare, retail, and financial services—the impact of BIPA will continue to grow. Companies operating in Illinois (or serving Illinois residents) must stay vigilant to avoid costly litigation and reputational damage.

Conclusion

BIPA remains one of the strongest biometric privacy laws in the U.S., with courts consistently favoring consumer protections over corporate interests. The surge in lawsuits and multimillion-dollar settlements signals increased legal risks for companies collecting biometric data. As biometric privacy laws continue to evolve, businesses must prioritize compliance, transparency, and security to mitigate the risks associated with biometric data collection. Please contact our law firm to speak with a qualified internet and technology attorney regarding your questions.