The Illinois Biometric Information Privacy Act (BIPA) went into effect in 2008 and imposes requirements and restrictions on private sector businesses that collect or otherwise obtain biometric information, including fingerprints, retina scans, and facial geometry scans, from individuals. Among other requirements, businesses must receive written consent from individuals before obtaining their biometric data, and they must disclose their policies for usage and retention of the information. For negligent violations, individuals can recover the greater of $1,000 or their actual losses. For reckless violations, the baseline award increases to $5,000. This article will discuss a recent Illinois Supreme Court decision, Rosenbach v. Six Flags Entertainment Corp., addressing the application of BIPA.i A general overview of BIPA will provide helpful context to our analysis.
The Illinois Biometric Information Privacy Act is codified at 740 ILCS 14/1, et seq. Section 5(c) sets forth the following:
- Biometrics are unlike other unique identifiers that are used to access finances or other sensitive information. For example, social security numbers, when compromised, can be changed. Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.
The provisions of the Act shall not be construed to apply to a contractor, subcontractor, or agent of a State agency or local unit of government when working for the State agency or local unit of government.ii
“Biometric identifier” means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Biometric identifiers do not include writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color.

“Biometric information” means any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual.

“Confidential and sensitive information” means personal information which can be used to uniquely identify an individual or an individual’s account or property. Examples of confidential and sensitive information include, but are not limited to, a genetic marker, genetic testing information, a unique identifier number to locate an account or property, an account number, a PIN number, a pass code, a driver’s license number, or a social security number.

“Private entity” means any individual, partnership, corporation, limited liability company, association, or other group, however organized. A private entity does not include a State or local government agency. A private entity does not include any court of Illinois, a clerk of the court, or a judge or justice thereof.

“Written release” means informed written consent or, in the context of employment, a release executed by an employee as a condition of employment.iii
Retention, Collection, Disclosure, and Destruction of Biometric Information
A private entity in possession of biometric identifiers or biometric information must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information. The private entity must make the policy available when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within three years of the individual’s last interaction with the private entity, whichever occurs first.
No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person’s or a customer’s biometric identifier or biometric information, unless it first: 1) informs the subject or the subject’s authorized representative in writing that a biometric identifier or biometric information is being collected or stored; 2) informs the subject or the subject’s representative in writing of the specific purpose and length of term for which the biometric information will be collected, stored, and used; and 3) receives a written release.
No private entity in possession of a biometric identifier or biometric information may sell, lease, trade, or otherwise profit from a person’s or a customer’s biometric identifier or biometric information. No private entity in possession of a biometric identifier or biometric information may disclose, redisclose, or otherwise disseminate a person’s or a customer’s biometric identifier or biometric information unless: 1) the subject/representative consents to the disclosure or redisclosure; 2) the subject/representative completes a financial transaction; 3) the disclosure or redisclosure is required by applicable law or ordinance; or 4) the disclosure or redisclosure is made pursuant to an order of the court.
A private entity in possession of a biometric identifier or biometric information shall: 1) store, transmit, and protect the information from disclosure in accordance with the standard of care within the private entity’s industry; and 2) store, transmit, and protect the information from disclosure in a manner that is the same as or more protective than the manner in which it protects other confidential and sensitive information.iv
Right of Action
Any person aggrieved by a violation of this Act shall have a right of action in a State circuit court or as a supplemental claim in federal district court against an offending party. A prevailing party may recover for each violation: 1) liquidated damages of $1,000 or actual damages, whichever is greater, for a negligent violation by the offending party; 2) liquidated damages of $5,000 or actual damages, whichever is greater, for a reckless violation by the offending party; 3) reasonable attorney fees and costs, including expert witness fees and other litigation expenses; and 4) other relief the court may deem appropriate.v
Rosenbach v. Six Flags Entertainment Corp.vi
In this class action, plaintiff Stacy Rosenbach alleged Six Flags violated BIPA when it required her son to scan his fingerprint in order to use his season pass. Plaintiff alleged Six Flags never informed her about the fingerprint requirement when she bought the pass, and never provided a policy detailing how it would use or store her son’s biometric information. There was no claim she or her son suffered any actual harm or damages from the alleged violations of the Act. However, BIPA allows “aggrieved” individuals to bring suit when an entity violates the requirements for handling their biometric data.
On January 25, 2019, the Illinois Supreme Court held private individuals may bring suit even if the only harm was a violation of their legal rights. The court determined that anyone whose rights under BIPA were violated qualifies as “aggrieved,” and rejected defendant’s argument that the violation needs to cause some type of actual harm. Since the Illinois legislature did not define “aggrieved,” the court reasoned the word should have its ordinary and customary meaning, i.e., the denial of a legal right. The court found that in passing BIPA, the Illinois legislature decided individuals have rights of privacy and control over their individual biometric data. Thus, when an individual’s defined BIPA rights are violated, they are considered “aggrieved” within the context of the statute. The court went on to conclude: “Compliance should not be difficult; whatever expenses a business might incur to meet the law’s requirements are likely to be insignificant compared to the substantial and irreversible harm that could result if biometric identifiers and information are not properly safeguarded; and the public welfare, security, and safety will be advanced.”
A failure to follow the statutory procedures for handling biometric information can expose businesses to liability, regardless of whether anyone suffers actual harm. Therefore, when businesses collect biometric data in Illinois, they should ensure their practices comply with BIPA. Businesses need to confirm whether biometric data is being captured as defined under Illinois law. Under the BIPA, “biometric information” is any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual, such as a fingerprint.
Before collecting biometric data, companies generally must provide notice and obtain written consent from the individual. Biometric information of customers, clients, or employees should be collected and maintained for a lawful purpose directly related to an organization’s functions and activities for which it was collected in the first place. The collection of biometric data should be necessary and not excessive for achieving this purpose. Due to the sensitivity of biometric data, if this lawful purpose can be achieved by collecting other data or less sensitive biometric data, then only that data should be collected. Under the BIPA, biometric identifiers and biometric information must be permanently destroyed when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within three years of the individual’s last interaction with the entity collecting it, whichever occurs first. If the biometric information is accessible to or stored by a third-party service provider, the company should obtain written assurances from the service provider concerning such things as minimum safeguards, record retention, and breach response.
i Rosenbach v. Six Flags Ent. Corp., 2019 IL 123186, 129 N.E.3d 1197.
ii 740 ILL. COMP. STAT. ANN. 14/25.
iii 740 ILL. COMP. STAT. ANN. 14/10.
iv 740 ILL. COMP. STAT. ANN. 14/15.
v 740 ILL. COMP. STAT. ANN. 14/20.
vi Rosenbach, 2019 IL 123186, 129 N.E.3d 1197.