Photo license: Piqsels CC0 public domain
Facebook recently agreed to pay a $550 million settlement to the plaintiffs in a high profile class action lawsuit brought against the social media network. This lawsuit arose out of Facebook’s alleged violation of an Illinois statute, the Biometric Information Privacy Act, commonly known as BIPA.
BIPA is a consumer privacy statute enacted by the Illinois legislature in 2008. The purpose of the act is to require companies and corporations that obtain, use and store biometric data of their employees to do so only with the prior consent of their employees. Biometric data is a general term used to refer to any computer data that is created during a biometric process. This includes generally samples, models, fingerprints, and all verification or personal identification data.
Biometric data is unique and personal, and the Illinois legislature recognized the need for entities that gather such information to do so only in accordance with strict rules. Misappropriated biometric information presents serious risks of identity fraud, and could result in fraudulent financial transactions and security screenings. 740 ILCS 14/5(a).
In an effort to balance the risks of harm and the recognized value in collecting biometric information, the Illinois legislature mandated that written consent be obtained prior to collecting biometric information. BIPA requires entities to obtain written consent prior to collecting, using or storing biometric information. BIPA also requires that entities who collect biometric information disclose why their information is being stored and how long it will be stored. The BIPA also imposes a duty on collectors to secure this data in a reasonable manner.
On January 25, 2019, the Illinois Supreme Court issued a significant ruling under BIPA in the case of Rosenbach v. Six Flags. In Rosenbach, the plaintiff accused the Six Flags theme park of violations of the consent clauses in the BIPA when they required the plaintiff to give his thumbprint in order to obtain a season pass. The Illinois Supreme Court ruled that collecting the thumbprint–which is biometric information– caused legal damages, even though there was no other injury or an adverse effect beyond the violation of their rights under the BIPA. The Illinois Supreme Court ruling in Rosenbach clarified that when one has his or her biometric information collected, it is not necessary to then be the victim of fraud or misappropriation in order to have a claim against the entity who collected the biometric information.
Another case, McDonald v. Symphony Bronzeville Park, LLC, et al. No. 2017-CH-11311 (Cir. Ct. Cook Cty. June 17, 2019), is now on appeal to determine whether individuals who rights under BIPA have sustained an injury that is governed by the Illinois worker’s compensation act preempts BIPA claims.
Employers have valid reasons for collecting biometric information, and are permitted to do so in Illinois, provided that they comply with the requirements set forth in the BIPA. If you have had biometric information gathered by your employer or another entity, and you were not asked to provide your consent, you may have a claim.
Please contact our office at 312-357-1431 if you would like to discuss any questions or if you believe you have a claim.