Over the past few years, a number of big tech companies — including Facebook, Google, and Snapchat — have settled class action lawsuits alleging they violated the privacy of Illinois residents. Because of these lawsuits, many Chicagoans have received payments to compensate them for the harm they suffered, and everyone in the state has benefited from companies crafting policies that keep private information safer than it might otherwise be.
A few Vaziri Law LLC clients who were notified they could financially benefit from these lawsuits reached out to us, before deciding to submit a claim, to ask whether the money they were being offered was legitimate. We are always happy to answer a question like this for our clients, but we realized it would also be helpful to draft a blog post about the underlying law that is responsible for all this litigation.
Illinois’ Biometric Information Privacy Act
In 2008, Illinois policymakers became concerned that the biometric data of state residents — things like fingerprints, iris scans, and collections of facial geometry — would soon be bought and sold by companies that had little regard for the fact that what they were buying and selling was someone’s physical identity.
The initial fear was sparked by the bankruptcy of a fingerprint-scanning payment company called Pay By Touch, which was used in Jewel-Osco grocery stores in the Chicago area. But as lawmakers looked into this technology, they realized fingerprints were just the tip of the iceberg. This still-emerging technology is being used in new ways every day.
To protect Illinois residents, lawmakers passed a very broad law that could be adapted to fit new technology. At its core, the Biometric Information Privacy Act (BIPA):
- Requires companies to get permission from people before collecting biometric data;
- Sets guidelines for how companies that gather and store biometric data should protect that information; and
- Prohibits companies from selling, trading, or otherwise transferring the biometric data of Illinois residents.
It does this by mandating that:
- A private entity in possession of biometric identifiers or biometric information must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual’s last interaction with the private entity, whichever occurs first.
- No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person’s or a customer’s biometric identifier or biometric information, unless it first:
  - informs the subject or the subject’s legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored;
  - informs the subject or the subject’s legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and
  - receives a written release executed by the subject of the biometric identifier or biometric information or the subject’s legally authorized representative.
- No private entity in possession of a biometric identifier or biometric information may sell, lease, trade, or otherwise profit from a person’s or a customer’s biometric identifier or biometric information.
- No private entity in possession of a biometric identifier or biometric information may disclose, redisclose, or otherwise disseminate a person’s or a customer’s biometric identifier or biometric information unless:
  - the subject of the biometric identifier or biometric information or the subject’s legally authorized representative consents to the disclosure or redisclosure;
  - the disclosure or redisclosure completes a financial transaction requested or authorized by the subject of the biometric identifier or the biometric information or the subject’s legally authorized representative;
  - the disclosure or redisclosure is required by State or federal law or municipal ordinance; or
  - the disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.
- A private entity in possession of a biometric identifier or biometric information shall:
  - store, transmit, and protect from disclosure all biometric identifiers and biometric information using the reasonable standard of care within the private entity’s industry; and
  - store, transmit, and protect from disclosure all biometric identifiers and biometric information in a manner that is the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.
Other states have since followed suit, passing similar laws, but what continues to set the BIPA apart is its enforcement mechanism. Instead of relying on the state attorney general or a similar government official to take action when a violation is suspected, the law allows private citizens to bring a civil lawsuit against the alleged offender.
Companies found to have “intentionally or recklessly” violated BIPA may owe up to $5,000 for each violation; those found to have violated the law due to negligence may owe up to $1,000 per violation. These fines can really add up when a class of plaintiffs decides to band together to hold an alleged BIPA violator accountable. And they may increase even more once the Illinois Supreme Court decides Cothron v. White Castle and clarifies whether a victim is injured each time a private entity collects or discloses biometric information or only the first time it happens.
There are practical solutions for victims of traditional identity theft. There are ways to protect yourself if you find your Social Security number, bank information, or credit card details have fallen into the wrong hands. This information can be changed, reissued, and the situation can be resolved. However, there is an inherent and unavoidable risk when it comes to biometric data, which is quite literally mapped in your DNA. There is no clear recourse for victims if this information isn’t properly secured.
The Biometric Information Privacy Act is a powerful tool that is forcing companies to be more thoughtful about the biometric data they collect. Illinois residents should be grateful that it is available to us, and should not hesitate to bring a lawsuit if they believe someone is illegally collecting or misusing their biometric data. The Illinois Supreme Court recently ruled in Tims v. Black Horse Carriers that plaintiffs have five years after a violation to bring these suits.
The Vaziri Law LLC team is here to assist anyone who has questions about the BIPA, a proposed settlement, or class actions in general. Please do not hesitate to contact us if we can be of assistance.