What is BIPA and why should I care about it?

The Biometric Information Privacy Act (BIPA) was first introduced by Illinois in 2008. Versions of it followed in Texas in 2009 and then Washington in 2017. But what is it and why does it matter?

What is BIPA?

Broadly, BIPA requires a person’s informed consent before their biometric data is collected, prohibits companies from profiting from biometric data, permits disclosure of the data only in limited circumstances, mandates protection obligations and retention guidelines, and creates a private right of action for any individual harmed by a violation of the Act.

This is important to employers, for example, as it covers and regulates private employer usage of biometric identifiers and data, like fingerprint data. It’s worth noting that local and state governments (and their employees) are exempted from this regulation.

What states are currently affected?

Illinois was the first state to pass a BIPA in 2008 and Texas followed soon afterwards in 2009. Washington enacted a version of BIPA in 2017, but its version differs in notable ways: it doesn’t provide a private cause of action, and it may be enforced solely by the state attorney general.

In Illinois, for example, employers attempting to use biometric identifiers or data must:

  • inform employees in writing about the collection/storage of their biometric data
  • inform employees of the specific purpose for collecting/storing and potentially using the data
  • obtain a written release, signed by the employee, authorizing the collection/storage of the employee’s data

Illinois employers may not sell, lease, trade or profit from employees’ biometric data, and Illinois is the first state with standards on storing, transmitting and protecting biometric data. The two standards are that the storage of the biometric data must meet a reasonable standard of care within the employer’s industry, and that it must also meet the standard the employer applies when storing or collecting other confidential/sensitive data, like HR and personnel files.

Importantly, BIPA gives every single resident in the state of Illinois the right to sue a private employer or company who breaches the requirements set by the Act.

How BIPA has affected Internet companies

BIPA isn’t just about employers, however. There have already been several cases relating to BIPA –

  • In re Facebook Biometric Information Privacy Litigation
    • In 2015, Labaton Sucharow filed a class action complaint on behalf of Illinois Facebook users alleging that Facebook had violated BIPA. The Illinois users alleged that Facebook violated BIPA when it scanned images of their faces in order to run the Tag Suggestion feature, all without consent. Facebook moved to dismiss the case and the motion was denied. This case is ongoing.
    • It’s worth noting that BIPA authorizes damages of $1,000 per violation for negligent violations of the law and $5,000 per violation for intentional, reckless, or willful violations. Damages in the Facebook case could amount to millions or potentially even billions.
  • Rivera v. Google, Inc.
    • In 2016, Joseph Weiss and Lindabeth Rivera sued Google alleging that, through the Google Photos face grouping feature, Google had collected and retained biometric data without consent. Citing precedent based on the U.S. Supreme Court’s 2016 Spokeo, Inc. v. Robins decision, the court granted Google’s motion to dismiss. For a more in-depth breakdown, check out Eric Goldman’s overview.
  • Monroy v. Shutterfly, Inc.
    • In 2017, Alejandro Monroy filed a class action alleging that a Shutterfly customer uploaded a photo of him to the site, that the uploader was prompted to tag his face with his name, and that additional information was then extracted, none of which Monroy consented to. Shutterfly moved to dismiss the case and the motion was denied. This case is ongoing.
  • Sekura v. L.A. Tan
    • In 2018, a Cook County Circuit Court judge approved a settlement in the case of Sekura v. L.A. Tan over L.A. Tan’s storage of customers’ fingerprint data. The plaintiffs alleged that the company, which used customer fingerprint scans as the ID for salon membership, violated BIPA by failing to obtain written consent and by not disclosing its plans for using, storing, or destroying the data in the event that a customer canceled their membership or a salon closed. There was no claim that data was sold or lost, only that the data was not handled in the way that BIPA dictates.
    • L.A. Tan established a $1.5 million fund from which all persons whose fingerprints were scanned at an Illinois L.A. Tan salon between November 13th, 2013 and August 11th, 2016 qualify for approximately $125. L.A. Tan denied any wrongdoing and maintained that it did not violate any laws, but established the fund to end the lawsuit and expenses associated with litigation.

Why should I care?

Employers should be aware of the ramifications of requesting, storing and transmitting biometric data of their employees.

More importantly, as the resulting cases show, operators of websites and Internet platforms must be aware of how their technology, such as facial recognition, affects users currently in the states of Illinois, Texas and Washington (and possibly more states in the near future).

It’s also unclear how far the definition of biometric data might be extended as future technologies come online.