With an ever growing interest in the protection of biometric information, laws that protect biometric information are now getting their time to shine. Perhaps, none has garnered more attention and has had a greater impact recently than the Biometric Information Privacy Act (BIPA).
What is the BIPA?
BIPA was enacted in 2008 with the purpose of addressing the collection of biometric information of Illinois residents by businesses. BIPA applies to a business that is considered a private entity under its definition. A private entity is defined as, “any individual, partnership, corporation, limited liability company, organization or other groups, however organized.” State and local government agencies, any courts of Illinois, court clerks, judges, or justices are not considered private entities under BIPA. There are two important exceptions under BIPA for financial institutions or affiliates of financial institutions governed by the Gramm-Leach-Bliley Act of 1999 as well as contractors, subcontractors, and agents working for a State agency or local government.
BIPA defines biometric information as any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual. Biometric identifiers under BIPA include but are not limited to retina and iris scans, fingerprints, voiceprints, hand scans and face geometry.
However, what sets BIPA apart from other biometric laws is the Private Right of Action, which allows any aggrieved person to file a lawsuit against a covered entity. Under this private right of action, a covered business may be liable for up to $1000 per negligent violation, up to $5000 per intentional or reckless violation as well as litigation costs.
Why Does it Matter Now?
While enacted in 2008, BIPA gained real traction in 2015 with the initiation of several class action lawsuits against internet giant Facebook (now Meta) and Six Flags in 2019. However, recent cases may lay the foundation for how lawsuits under the BIPA will be brought moving forward.
Rogers v. BNSF Railway Co.
A plaintiff class of truck drivers claimed that their biometric information was collected by BNSF, a railroad operator, without written notice and consent, a violation of Section 15(b) of BIPA. The truck drivers, who regularly picked up and delivered from BNSF’s rail yards, argued that BNSF captured their fingerprint information using an Auto-Gate system. Despite BNFS’ argument that they outsourced the maintenance and operation of biometric information to a third party, the jury returned a verdict in favor of the plaintiff class in October 2022. The judge entered judgment against BNSF in the amount of $228 million.
This was the first jury trial case that involved claims under BIPA and may signal the risks involved for companies to take similar matters to trial.
Tims v. Black Horse Carriers, Inc.
The plaintiff class of employees alleged that their employer, Black Horse Carrier, unlawfully collected, processed, and disclosed employee fingerprints through the company’s finger-scanning time clock, which violates Sections 15(a) – 15(e). The Illinois Appellate Court determined that certain claims under BIPA are subject to a one-year or five-year statute of limitations. The Appellate Court’s decision was appealed and then argued before the Illinois Supreme Court on September 22, 2022.
The final decision from the Illinois Supreme Court landed on February 2, 2023, finding that the five-year statute of limitations period should be applied to all BIPA claims.
With the use of private right of action under BIPA becoming more prevalent, covered entities that collect or process biometric information may want to pay close attention to the violations outlined in these cases. The court decisions may provide guidance as to how covered entities might consider structuring their compliance programs in 2023 and avoid falling into similar pitfalls.