Biometric Information Privacy Act

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

The Biometric Information Privacy Act (BIPA) was passed by the Illinois General Assembly on October 3, 2008. Codified as 740 ILCS/14 and Public Act 095-994, the BIPA guards against the unlawful collection and storing of biometric information.[1] When Illinois passed the law in 2008, it became the first U.S. state to regulate the collection of biometric information.[2] Washington and Texas have since passed similar laws.[3] However, the BIPA remains the only law in the U.S. that allows private individuals to file a lawsuit for damages stemming from a violation.[4] The Act prescribes $1,000 per violation, and $5,000 per violation if the violation is intentional or reckless.[5] Because of this damages provision, the BIPA has spawned several class action lawsuits.[6]


The BIPA requires companies doing business in Illinois to comply with a number of requirements pertaining to the collection and storage of biometric information. These include a requirement that companies:

  • Obtain consent from individuals if the company intends to collect or disclose their personal biometric identifiers.
  • Destroy biometric identifiers in a timely manner.
  • Securely store biometric identifiers.[7]

Legislative History[edit]

Senate Bill 2400, which eventually became the Biometric Information Privacy Act, was introduced by State Senator Terry Link on February 14, 2008; it passed both Houses of the Illinois General Assembly on July 10, 2008 and was approved by then-Governor Rod Blagojevich on October 3, 2008.[8] The purpose of the Act was to establish standards of conduct for private entities that collect or possess biometric information.[9] In 2016, Senator Link proposed and later withdrew an amendment to the Act that would have limited the Act's application to biometrics collected in public.[10]

Notable Cases[edit]

As biometric technology advances, there have been a number of lawsuits related to data collection methods, as well as various levels of protection over data. Using fingerprints as ways of clocking in and clocking out of work is an example of a technology that fights what is known as "buddy punching" or the practice of using somebody else to clock in for another worker at a job. In Illinois, the Biometric Information Protection Act law allows people to sue employers for mishandling biometric data. According to the Cook County Record, "In Illinois, both the parent company of Mariano's supermarkets and the Intercontinental Hotel Group have been hit with class action lawsuits alleging they improperly collected and stored employee fingerprints and other biometric data."[11]

Federal Court Cases[edit]

In re Facebook Biometric Info. Privacy Litig., 185 F. Supp. 3d 1155 (N.D. Cal. 2016)

  • Illinois Facebook users alleged that the social media platform violated the BIPA when it scanned images of their faces, without consent, in order to run its Tag Suggestions feature; a California federal court certified the class in 2018.[12]

Monroy v. Shutterfly, Inc., No. 16 C 10984, 2017 WL 4099846 (N.D. Ill. Sept. 15, 2017)

Rivera v. Google, Inc., 238 F. Supp. 3d 1088 (N.D. Ill. 2017)

  • Google users sued the company for violating the BIPA, alleging that it created and stored scans of users' faces on its Google Photos service, without user consent. On February 27, 2017, Northern Illinois District Court Judge Edmond E. Chang denied a motion to dismiss the lawsuit[14] but on December 29, 2018 the lawsuit was dismissed for lack of standing.[15]

State Court Cases[edit]

Rosenbach v. Six Flags Entm't Corp., 2019 IL 123186

  • Six Flags was sued for collecting park-goers thumbprints without informed consent. The Illinois Court of Appeals ruled that a mere technical violation of the BIPA was insufficient to maintain an action, because it did not necessarily mean a party was "aggrieved," as required by the statute.[16] This was reversed by the Illinois Supreme Court which ruled that users do not need to prove an injury (such as identity fraud of physical harm) in order to sue; the mere violation of the act was sufficient to collect damages.[17]

Additionally, an employee of the NorthShore University HealthSystem has sued the company for allegedly collecting worker fingerprints without their consent, in violation of the Illinois Biometric Information Privacy Act. In Cook County Circuit Court, the employee alleged "that the defendant scanned and digitally collected his fingerprints without consent, for use with a biometric employee punch clock."[18]


On December 1, 2016 the first settlement involving the BIPA was approved by a judge in Cook County, Illinois.[19] The class action lawsuit was against L.A. Tan Enterprises, Inc. and settled for $1.5 million, which included between $125 and $150 for each class member who filed a claim.[20]


There is currently a bill (SB3053) pending before the Illinois legislature to amend the BIPA. The bill proposes to exempt private entities from the BIPAs requirements under a number of circumstances, including (1) if the biometric information is used "exclusively for employment, human resources, fraud prevention, or security purposes," (2) if the company "does not sell, lease, trade or similarly profit" from the biometric information, or (3) if the company protects biometric information at least as securely as it secures other sensitive information.[21]

SB3053 is viewed by privacy advocates as an attempt to entirely gut the BIPA.[22][23][24] It has received significant opposition from many groups that advocate for digital privacy rights, including the Electronic Frontier Foundation.[25]

During Facebook founder Mark Zuckerberg's testimony before Congress on April 10, 2018, in the aftermath of Facebook's scandal with Cambridge Analytica, Senator Dick Durbin questioned Zuckerberg about Facebook's support for SB3053.

Related State-Level Bills and Laws[edit]

There are a number of similar bills that have been introduced in states across the country.[26] These include:

  • Michigan, 2017 Bill Text MI H.B. 5019
  • New Hampshire, 2017 Bill Text NH H.B. 523 (amended and passed in 2018 as NH H.B. 523)[27]
  • Alaska, 2017 Bill Text AK H.B. 72
  • Montana, 2017 Bill Text MT H.B. 518


  1. ^ "Public Act 0994 95TH GENERAL ASSEMBLY". Retrieved 2018-05-07.
  2. ^ "Federal court in Illinois rules biometric privacy lawsuit against Google can proceed". Illinois Policy. 2017-03-08. Retrieved 2018-05-14.
  3. ^ Loeb; Stiehl, Loeb LLP-Jason P.; Goldberg, Mark J.; Emmerman, Ross D. "New Biometric Information Privacy Cases Reveal Breadth of Potential Exposure for Companies | Lexology". Retrieved 2018-05-07.
  4. ^ Loeb; Stiehl, Loeb LLP-Jason P.; Goldberg, Mark J.; Emmerman, Ross D. "New Biometric Information Privacy Cases Reveal Breadth of Potential Exposure for Companies | Lexology". Retrieved 2018-05-14.
  5. ^ "740 ILCS 14/ Biometric Information Privacy Act". Retrieved 2018-05-14.
  6. ^ "Biometric Privacy Litigation: The Next Class Action Battleground". Retrieved 2018-05-14.
  7. ^ Schwartz, Adam (2018-04-10). "New Attack on the Illinois Biometric Privacy Act". Electronic Frontier Foundation. Retrieved 2018-05-14.
  8. ^ "LRB Digest Indices" (PDF). Retrieved 2018-05-23.
  9. ^ "Westlaw Sign In | Thomson Reuters". Retrieved 2018-05-23.
  10. ^ "Facebook-backed lawmakers are pushing to gut privacy law". The Verge. Retrieved 2018-05-23.
  11. ^ Minnis, Glenn (2018-03-02). "Employers facing surge in class action suits over storage, use of employee fingerprints, other biometrics". Cook County Record. Retrieved 2018-10-08.
  12. ^ "Facebook Users Win Class Cert. In Face Scan Privacy Row". Law360. April 16, 2018. Retrieved 2019-10-29.
  13. ^ "Monroy v. Shutterfly, Inc., No. 1:2016cv10984 - Document 39 (N.D. Ill. 2017)". Justia Law. Retrieved 2019-02-11.
  14. ^ Bilyk, Jonathan. "Judge won't short-circuit class action accusing Google Photos of breaking IL biometric privacy law". Retrieved 2018-05-23.
  15. ^ "Rivera et al v. Google LLC., No. 1:2016cv02714 - Document 207 (N.D. Ill. 2018)". Justia Law. Retrieved 2019-02-11.
  16. ^ "Recent Illinois Appellate Court Ruling Could End The Recent Flood Of Class Action Lawsuits Against Employers Under Illinois' Biometric Information Privacy Act". Littler Mendelson P.C. 2018-01-09. Retrieved 2018-05-23.
  17. ^ Schwartz, Jennifer Lynch and Adam (2019-01-25). "Victory! Illinois Supreme Court Protects Biometric Privacy". Electronic Frontier Foundation. Retrieved 2019-02-11.
  18. ^ Torres, Louie. "NorthShore University HealthSystem allegedly collected worker fingerprints without consent". Retrieved 2018-10-08.
  19. ^ "First Settlement Reached Under Illinois Biometric Law". Retrieved 2018-05-14.
  20. ^ "Winston & Strawn". Winston & Strawn. Retrieved 2018-05-23.
  21. ^ "Illinois SB3053 | 2017-2018 | 100th General Assembly". LegiScan. Retrieved 2018-05-14.
  22. ^ "Facebook-backed lawmakers are pushing to gut privacy law". The Verge. Retrieved 2018-05-14.
  23. ^ Marotti, Ally. "Proposed changes to Illinois' biometric law concern privacy advocates". Retrieved 2018-05-14.
  24. ^ "Biometric Information Privacy". Technology Safety. Retrieved 2018-05-14.
  25. ^ Schwartz, Adam (2018-04-10). "New Attack on the Illinois Biometric Privacy Act". Electronic Frontier Foundation. Retrieved 2018-05-14.
  26. ^ "Biometric Information Protection: The Stage is Set for Expansion of Claims". Retrieved 2018-05-14.
  27. ^ "Establishing a committee to study the use and regulation of biometric information". Act of May 17, 2018. New Hampshire State Legislature.