
Privacy with teeth: First BIPA trial results in $228 million in damages

By Gamelah Palagonia | November 18, 2022

The first BIPA trial results in a massive award that will send shockwaves through the privacy, legal, and business communities.
Cyber Risk Management|Financial, Executive and Professional Risks (FINEX)

The Illinois Biometric Information Privacy Act (“BIPA”) prohibits private sector companies and institutions from collecting biometric data from citizens in the state or online, no matter where a business is based. Biometric data includes a wide range of highly sensitive personal identifiers such as retina or iris scans, fingerprints, voice prints, hand scans or face geometry. Illinois enacted BIPA largely in response to the increased use of biometric information in financial transactions. Unlike other identifiers, biometric information cannot be changed once it has been compromised, and persons whose biometric information has been compromised are more likely to become victims of identity theft.

The law has now had its day in court, so to speak, resulting in a massive award that will send shockwaves through the privacy, legal, and business communities.

BIPA Basics

Under BIPA, biometric information cannot be collected, sold, shared, or otherwise traded without the informed consent of Illinois citizens. Informed consent means that Illinois citizens must be informed of the specific purpose and length of time for which a biometric identifier or biometric information is being collected, stored, and used. Failure to obtain informed written consent to collect and use biometric data can result in significant liability under the BIPA.

Written consent also must be obtained each time a business or employer elects to use the biometric data in a new way. For example, if an employee has already consented to their employer’s request to use their thumbprint for building access, the employer must obtain new consent to use fingerprints in a different way, such as to track timecards.

Any person whose biometric data is used in violation of BIPA possesses a private right of action against the offending party, and may recover the following for each violation:

  • Liquidated damages of $1,000 for negligent violations;
  • Liquidated damages of $5,000 for intentional or reckless violations; and
  • Attorney’s fees and costs, litigation expenses and injunctive relief.

First BIPA trial results

On October 12, 2022, a federal jury, in the first ever BIPA case to go to trial, found that one of the largest freight railroad networks in North America had violated BIPA numerous times. In this case, the company had scanned truck drivers’ fingerprints for identity verification purposes whenever they visited rail yards to pick up and drop off loads. The jury found that the railroad recklessly or intentionally violated BIPA 45,600 times – the estimated number of drivers whose fingerprints were scanned – which calculates to $228 million in damages.

Prior to the trial, the railroad argued that it was not the proper defendant. Specifically, the company contended that it had contracted with a vendor that installed and maintained the automated system used by the truck drivers. At trial, the railroad urged the jury to find that the vendor was the responsible party, alleging that it relied on the vendor to understand and apply the law and had no ability to control the vendor’s technology. Since BIPA permits damages only for negligent, reckless, or intentional violations, the railroad contended that it acted reasonably by contracting with an industry expert for its security needs. The railroad further asserted that it had put the vendor on notice of this obligation because the contract between the parties explicitly required the vendor to comply with the law.

The jury was unpersuaded by the railroad’s arguments and sided with the plaintiffs. The plaintiffs argued that: (a) the railroad had the ability to direct the vendor’s actions; and (b) the railroad "intentionally ignored the law" by continuing the same practices even after the lawsuit was filed in March 2019.

The outcome of this case illustrates how juries may calculate damages in BIPA suits going forward, as well as how companies may be liable for BIPA non-compliance even when they contract with third party vendors for biometric information collection and processing.

Determining BIPA compliance

BIPA regulates how “private entities” collect, use, and share “biometric information” and “biometric identifiers” and imposes certain security requirements.

A “private entity” is defined as any individual, partnership, corporation, limited liability company, association, or other group, however organized. BIPA excludes certain types of entities, including financial institutions subject to the Gramm-Leach-Bliley Act of 1999, governmental entities and agencies, and contractors to governmental entities or agencies.

“Biometric information” means any information, “regardless of how it is captured, converted, stored, or shared,” based on an individual’s biometric identifier used to identify an individual.

“Biometric identifier” means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.

BIPA’s distinct compliance obligations

Written retention and destruction policy

Private entities in possession of biometric data must develop a written public policy establishing a retention schedule and guidelines for permanently destroying biometric data. The statute also provides that the destruction must be completed within three (3) years of the individual's last interaction with a private entity. In other words, once that individual has left employment, the biometric information or biometric identifier must be permanently destroyed as promptly as possible.

Written release

BIPA prohibits private entities from obtaining biometric information without informed written consent prior to the collection of biometric information.

Prohibition against profiting (even with consent)

BIPA prohibits private entities in possession of biometric information from selling, leasing, trading or otherwise profiting from biometric data.

Restrictions on disclosure

Private entities in possession of biometric data may not “disclose, redisclose, or otherwise disseminate” it unless consent is obtained or the disclosure is required for specific purposes, such as when the disclosure is necessary to complete a financial transaction, is required by law, or is made pursuant to a valid warrant or subpoena.

Security requirements

A private entity in possession of biometric data must use reasonable standards of care applicable to the entity’s industry and in a similar, if not more protective, manner as the entity uses for other confidential and sensitive information.

Cyber insurance implications

While cyber insurance generally affords privacy liability coverage for third-party claims alleging violations of privacy laws such as BIPA, not all cyber policies are created equal. Some cyber policies provide coverage for these claims by specifically including biometrics in what constitutes personal or confidential information and by expanding the breadth of coverage for wrongful collection claims. In some instances, however, such coverage is limited to defense costs only. Further, some cyber policies do not include wrongful collection as a wrongful act and/or have strict wrongful collection exclusions.

Summary

The use of biometric information is accelerating across practically every industry sector as businesses look to enhance identity management and improve security screenings. Given this development, state and local governments are responding by increasingly regulating the use of biometric data. Issues around its collection, processing, and use are likely to continue to generate litigation in the years ahead. While states such as Texas and Washington, and New York City, also have BIPA statutes, Illinois remains the only state with a private right of action for now.

Given the dramatic damages award provided by the Illinois jury, all businesses should evaluate whether they collect biometric data and assess whether BIPA applies to them. If BIPA applies, they should take steps to comply with the law promptly, including providing notice, obtaining written consent, and adhering to BIPA’s retention, disclosure, and security requirements. The best protection against liability under BIPA is compliance with the law.

Disclaimer

Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed entities, including Willis Towers Watson Northeast, Inc. (in the United States) and Willis Canada Inc. (in Canada).

Author

FIP, CIPM, CIPT, CIPP/E, CIPP/US, CIPP/G, ARM, RPLU+, CPLP

Executive Vice President – Cyber Development & Regulatory Leader
