What You Need to Know about BIPA

The use of our biometric information—fingerprints, face scans, and other details that are uniquely ours—has been rapidly increasing over the past decade. As private companies collect, share, and misuse this information without consumers’ consent or even their knowledge, these companies have made billions from individuals’ private details. 

In response to the alarming rise in the use and abuse of biometric information, Illinois passed the Biometric Information Privacy Act (BIPA) in 2008. This law is designed to defend the privacy rights of consumers and provide legal recourse and compensation for those whose rights have been violated. 

Wallace Miller represents clients in BIPA class action lawsuits against companies across the state. In a world where privacy violations are increasingly common, we’re proud to stand up for consumers’ rights. Learn more about what BIPA means for you as a potential class member and your options for legal recourse. 

Timeline

August 2, 2024 – Governor J.B. Pritzker has signed SB 2979 into law, amending the provisions of the Illinois Biometric Information Privacy Act (BIPA). Among other things, the amendments limit the damages available under BIPA from a per-scan to a per-person basis and clarifies that electronic signatures satisfy consent requirements.  

For plaintiffs, this doesn’t change the viability of their BIPA claims. However, this amendment may reduce potential payouts, especially in class actions cases, and provides companies more opportunities to argue that they obtained proper consent.

April 2024 — More than 3,000 class actions have been filed against private companies under BIPA. 

February 2023 — The Illinois Supreme Court holds that a five-year statute of limitations applies to BIPA cases. 

October 2022 — The first jury trial in a BIPA case has been decided in favor of the plaintiff in Rogers v. BNSF Railway Company. The court awarded more than $200 million in compensation. 

December 2019 — Almost 300 BIPA litigations have been filed in Illinois. 

2019 — In Rosenbach v. Six Flags Entertainment Corp., the Illinois Supreme Court held that BIPA plaintiffs are entitled to compensation for the violation of their privacy without alleging actual injury. 

2016 — The first class-wide lawsuit is approved under BIPA. 

2008 — Illinois becomes the first state to pass biometric laws. 

What are biometric identifiers?

Biometric information refers to an individual’s unique physical characteristics that can be used to verify their identity. BIPA defines biometric identifiers as personal physical measurements such as: 

• Retinal or iris scans 

• Fingerprints 

• Voiceprints 

• Face geometry 

• DNA 

These identifiers pose unique privacy challenges. Unlike a compromised password or stolen credit card number, you can’t change your iris scan or your fingerprint. This makes these identifiers particularly susceptible both to identity theft and to misuse by private companies. 

The Illinois Biometric Information Privacy Act (BIPA)

In 2008, Illinois became the first state to pass a biometric data privacy law supporting the position that individuals should be in charge of their own personal information. Led by the ACLU of Illinois and supported unanimously by the Illinois legislature, the Biometric Information Privacy Act (BIPA) aims to prevent private entities from collecting and using biometrics without the knowledge or consent of individuals. 

BIPA requires that any entity that collects biometric data comply with certain legal requirements and provides for a private right of action for individuals when those requirements are not met. BIPA allows consumers to recover significant compensation from companies who violate the Act—$1,000 for each negligent violation (or a violation without the intent to cause harm) and $5,000 for each intentional or reckless violation (or a violation in which harm was caused intentionally).

Though other states have since passed biometric privacy laws, BIPA remains arguably the strongest biometric data privacy act in the country. Consumers in Illinois have unique tools with which to hold companies accountable and receive recompense for the violation of their personal privacy. 

Defending individuals’ biometric data

In October 2022, Rogers v. BNSF Railway Company became the first BIPA case to go to trial. Richard Rogers, a truck driver, alleged that his employer scanned drivers’ fingerprints for ID verification when they visited rail yards—but did not obtain consent or even tell the drivers their fingerprints were being collected. 

In a victory for plaintiffs, the court ruled that BNSF Railway Company violated BIPA, and permitted a class of 45,600 people to recover damages. At a value of $5,000 for each violation, the overall award came to $228 million. 

Understanding biometric privacy laws

Consumers across Illinois may be eligible to participate in a biometric class action lawsuit if their rights have been violated. With the recent increase in litigation, several questions as to the scope and function of the law have been addressed by state and district courts. 

Under the law, “any person aggrieved” by a BIPA violation is entitled to file a civil lawsuit. While there has been some debate as to the definition of an “aggrieved person,” the Illinois Supreme Court ruled in 2019 that the violation alone—rather than proof of injury, as required for most civil cases—is enough to make someone eligible for compensation. 

The Supreme Court also ruled in 2023 to apply a five-year “catchall” statute of limitations to lawsuits brought under BIPA. 

What is a violation of biometric information?

BIPA sets strict limits on the collection, use, disclosure, and retention of biometric data regulated by the act. Illinois law requires companies that collect biometric data to: 

• Inform the individual in writing what data is being collected and stored; 

• Inform the individual in writing the specific purpose of the data; 

• Inform the individual in writing about the length of time for which the data will be stored and used; and 

• Receive written consent from the individual that they have read and agreed to these terms. 

In addition, companies are barred from selling or profiting from the biometric data of consumers. If they collect or use this data, they must have a publicly available written policy that includes guidelines on the permanent destruction of this information after a set time span. Private companies cannot identify or track people using facial recognition without their consent, and must protect biometric information as strictly as they do other confidential information. 

Meet Wallace Miller

The team of attorneys and legal professionals at Wallace Miller have dedicated their careers to protecting the rights of plaintiffs and consumers. From pharmaceutical giants to multinational corporations, our team works to hold powerful interests accountable when they cause harm. 

Have your biometric details been collected or used by a private entity in Illinois? Reach out to Wallace Miller for a free and confidential discussion of your legal options.