HOME

TheInfoList



Click Here for Items Related To - Biometric Information Privacy Act
OR:
Biometric Information Privacy Act on:   [Wikipedia]   [Google]   [Amazon]

Illinois set forth the Biometric Information Privacy Act on October 3, 2008, in an effort to regulate the collection, use, and handling of biometric identifiers and information by private entities. Notably, the Act does not apply to government entities. While Texas and Washington are the only other states that implemented similar biometric protections, BIPA is the most stringent. The Act prescribes $1,000 per violation, and $5,000 per violation if the violation is intentional or reckless. Because of this damages provision, the BIPA has spawned several
class action A class action, also known as a class-action lawsuit, class suit, or representative action, is a type of lawsuit where one of the parties is a group of people who are represented collectively by a member or members of that group. The class actio ...
lawsuits.


Provisions

The BIPA requires companies doing business in
Illinois Illinois ( ) is a U.S. state, state in the Midwestern United States, Midwestern United States. Its largest metropolitan areas include the Chicago metropolitan area, and the Metro East section, of Greater St. Louis. Other smaller metropolita ...
to comply with a number of requirements pertaining to the collection and storage of biometric information. These include a requirement that companies: * Obtain consent from individuals if the company intends to collect or disclose their
personal Personal may refer to: Aspects of persons' respective individualities * Privacy * Personality * Personal, personal advertisement, variety of classified advertisement used to find romance or friendship Companies * Personal, Inc., a Washington, ...
biometric identifiers. * Destroy biometric identifiers in a timely manner. * Securely store biometric identifiers.


Standing

BIPA is the only law in the U.S. that provides a private right of action to any individual who is aggrieved by a violation. However, in order to litigate a BIPA action in federal court, the aggrieved person must have federal constitutional standing otherwise known as Article III standing. Generally, Article III standing requires that a plaintiff suffer an injury to a legally protected interest that is causally connected to the defendant's conduct and such injury will likely be addressed by a court's decision.


Legislative history

Senate Bill 2400, which eventually became the Biometric Information Privacy Act, was introduced by State Senator
Terry Link Terry Link (born March 20, 1947) is an American politician who represented the 30th district in the Illinois Senate from 1997 until his resignation in 2020. The 30th district includes all or part of the municipalities of Beach Park, Buffalo Gro ...
on February 14, 2008; it passed both Houses of the Illinois General Assembly on July 10, 2008, and was approved by then-Governor
Rod Blagojevich Rod Blagojevich ( , born December 10, 1956), often referred to by his nicknames "Blago" or "B-Rod", is an American former politician, political commentator, and convicted felon who served as the 40th governor of Illinois from 2003 to 2009, when ...
on October 3, 2008. The purpose of the Act was to establish standards of conduct for private entities that collect or possess biometric information. In 2016, Senator Link proposed and later withdrew an amendment to the Act that would have limited the Act's application to biometrics collected in public.


Proposed Federal Regulation


The National Biometric Information Privacy Act

On October 3, 2020, Senator
Jeff Merkley Jeffrey Alan Merkley (born October 24, 1956) is an American politician serving as the junior United States senator from Oregon since 2009. A member of the Democratic Party, Merkley served as the 64th speaker of the Oregon House of Representatives ...
introduced the National Biometric Information Privacy Act of 2020 (Senate Bill 4400). While the Act contains provisions similar to BIPA it is more expansive than BIPA. If passed, the Bill would be the first of its kind to regulate biometric information on a national scale.


Notable cases

As biometric technology advances, there have been a number of lawsuits related to data collection methods, as well as various levels of protection over
data In the pursuit of knowledge, data (; ) is a collection of discrete values that convey information, describing quantity, quality, fact, statistics, other basic units of meaning, or simply sequences of symbols that may be further interpreted ...
. Using
fingerprint A fingerprint is an impression left by the friction ridges of a human finger. The recovery of partial fingerprints from a crime scene is an important method of forensic science. Moisture and grease on a finger result in fingerprints on surfac ...
s as ways of clocking in and clocking out of work is an example of a technology that fights what is known as "buddy punching" or the practice of using somebody else to clock in for another worker at a job. In Illinois, the Biometric Information Protection Act law allows people to sue employers for mishandling biometric data. According to the ''Cook County Record'', "In Illinois, both the parent company of Mariano's supermarkets and the Intercontinental Hotel Group have been hit with class action lawsuits alleging they improperly collected and stored employee fingerprints and other biometric data."


Federal court cases

''In re Facebook Biometric Info. Privacy Litig.'', 185 F. Supp. 3d 1155 (N.D. Cal. 2016) * Illinois
Facebook Facebook is an online social media and social networking service owned by American company Meta Platforms. Founded in 2004 by Mark Zuckerberg with fellow Harvard College students and roommates Eduardo Saverin, Andrew McCollum, Dustin M ...
users alleged that the social media platform violated the BIPA when it scanned images of their faces, without consent, in order to run its Tag Suggestions feature; a California federal court certified the class in 2018. ''Monroy v. Shutterfly, Inc.'', No. 16 C 10984, 2017 WL 4099846 (N.D. Ill. Sept. 15, 2017) *
Shutterfly Shutterfly, LLC. is an American photography, photography products, and image sharing company, headquartered in Redwood City, California. The company is mainly known for custom photo printing services, including books featuring user-provided ima ...
users claimed that the company violated the BIPA when it scanned uploaded digital photos using
facial recognition software A facial recognition system is a technology capable of matching a human face from a digital image or a video frame against a database of faces. Such a system is typically employed to authenticate users through ID verification services, and wo ...
. On September 15, 2017, Northern Illinois District Court Judge Joan B. Gottschall denied a
motion to dismiss In United States law, a motion is a procedural device to bring a limited, contested issue before a court for decision. It is a request to the judge (or judges) to make a decision about the case. Motions may be made at any point in administrativ ...
the lawsuit. ''Rivera v. Google, Inc.'', 238 F. Supp. 3d 1088 (N.D. Ill. 2017) *
Google Google LLC () is an American multinational technology company focusing on search engine technology, online advertising, cloud computing, computer software, quantum computing, e-commerce, artificial intelligence, and consumer electronics. ...
users sued the company for violating the BIPA, alleging that it created and stored scans of users' faces on its
Google Photos Google Photos is a photo sharing and storage service developed by Google. It was announced in May 2015 and spun off from Google+, the company's former social network. As of June 1, 2021, in its free tier, any newly uploaded photo and video c ...
service, without user consent. On February 27, 2017, Northern Illinois District Court Judge Edmond E. Chang denied a motion to dismiss the lawsuit but on December 29, 2018, the lawsuit was dismissed for lack of
standing Standing, also referred to as orthostasis, is a position in which the body is held in an ''erect'' ("orthostatic") position and supported only by the feet. Although seemingly static, the body rocks slightly back and forth from the ankle in the s ...
. ''McDonald v. Symphony Bronzeville Park LLC'', N.E.3d (Ill. App. Ct. Sept. 18, 2020). * A nursing home violated BIPA when it collected an employee's biometric data for time tracking purposes without disclosing or obtaining consent from the employee. The Illinois Supreme Court will determine whether the Worker's Compensation Act provides employers with a defense against BIPA claims by their employees.


State court cases

''Rosenbach v. Six Flags Entm't Corp.'', 2019 IL 123186 *
Six Flags Six Flags Entertainment Corporation is an American amusement park corporation, headquartered in Arlington, Texas. It has properties in Canada, Mexico, and the United States. Six Flags owns the most theme parks and waterparks combined of any amu ...
was sued for collecting park-goers thumbprints without informed consent. The Illinois Court of Appeals ruled that a mere technical violation of the BIPA was insufficient to maintain an action, because it did not necessarily mean a party was "aggrieved," as required by the statute. This was reversed by the
Illinois Supreme Court The Supreme Court of Illinois is the state supreme court, the highest court of the State of Illinois. The court's authority is granted in Article VI of the current Illinois Constitution, which provides for seven justices elected from the five ap ...
which ruled that users do not need to prove an injury (such as identity fraud or physical harm) in order to sue; the mere violation of the act was sufficient to collect damages. Additionally, an employee of the
NorthShore University HealthSystem NorthShore University HealthSystem (formerly Evanston Northwestern Healthcare or ENH) is an integrated healthcare delivery system serving patients throughout the Chicago metropolitan area. NorthShore encompasses six hospitals, as of late 2021 — ...
has sued the company for allegedly collecting worker fingerprints without their consent, in violation of the Illinois Biometric Information Privacy Act. In
Cook County Circuit Court The Circuit Court of Cook County is the largest of the 24 judicial circuits in Illinois as well as one of the largest unified court systems in the United States — second only in size to the Superior Court of Los Angeles County since that court ...
, the employee alleged "that the defendant scanned and digitally collected his fingerprints without consent, for use with a biometric employee punch clock."


Settlements

On December 1, 2016, the first settlement involving the BIPA was approved by a judge in
Cook County Cook County is the most populous county in the U.S. state of Illinois and the second-most-populous county in the United States, after Los Angeles County, California. More than 40% of all residents of Illinois live within Cook County. As of 20 ...
, Illinois. The class action lawsuit was against L.A. Tan Enterprises, Inc. and settled for $1.5 million, which included between $125 and $150 for each class member who filed a claim. In February 2021, Judge
James Donato James Joseph Donato (born July 29, 1960) is a United States district judge of the United States District Court for the Northern District of California. Biography Donato was born on July 29, 1960, in Pasadena, California. He received a Bachelor ...
approved a $650 million settlement in the federal ''In re Facebook Biometric Info. Privacy Litig.'' case, praising the settlement as "a major win for consumers in the hotly contested area of digital privacy." Two class members have appealed the settlement to the
United States Court of Appeals for the Ninth Circuit The United States Court of Appeals for the Ninth Circuit (in case citations, 9th Cir.) is the U.S. federal court of appeals that has appellate jurisdiction over the U.S. district courts in the following federal judicial districts: * District ...
.


Challenges

There was a bill (SB3053) pending before the Illinois legislature to amend the BIPA. The bill proposed to exempt private entities from the BIPAs requirements under a number of circumstances, including (1) if the biometric information is used "exclusively for employment, human resources, fraud prevention, or security purposes," (2) if the company "does not sell, lease, trade or similarly profit" from the biometric information, or (3) if the company protects biometric information at least as securely as it secures other sensitive information. The bill never got out of committee, and expired 2019. SB3053 was viewed by privacy advocates as an attempt to entirely gut the BIPA. It received significant opposition from many groups that advocate for digital privacy rights, including the
Electronic Frontier Foundation The Electronic Frontier Foundation (EFF) is an international non-profit digital rights group based in San Francisco, California. The foundation was formed on 10 July 1990 by John Gilmore, John Perry Barlow and Mitch Kapor to promote Internet ci ...
. During
Facebook Facebook is an online social media and social networking service owned by American company Meta Platforms. Founded in 2004 by Mark Zuckerberg with fellow Harvard College students and roommates Eduardo Saverin, Andrew McCollum, Dustin M ...
founder
Mark Zuckerberg Mark Elliot Zuckerberg (; born ) is an American business magnate, internet entrepreneur, and philanthropist. He is known for co-founding the social media website Facebook and its parent company Meta Platforms (formerly Facebook, Inc.), o ...
's testimony before
Congress A congress is a formal meeting of the representatives of different countries, constituent states, organizations, trade unions, political parties, or other groups. The term originated in Late Middle English to denote an encounter (meeting of a ...
on April 10, 2018, in the aftermath of Facebook's
scandal A scandal can be broadly defined as the strong social reactions of outrage, anger, or surprise, when accusations or rumours circulate or appear for some reason, regarding a person or persons who are perceived to have transgressed in some way. Th ...
with
Cambridge Analytica Cambridge Analytica Ltd (CA), previously known as SCL USA, was a British political consulting firm that came to prominence through the Facebook–Cambridge Analytica data scandal. It was started in 2013, as a subsidiary of the private intelli ...
, Senator
Dick Durbin Richard Joseph Durbin (born November 21, 1944) is an American lawyer and politician serving as the senior United States senator from Illinois, a seat he has held since 1997. A member of the Democratic Party, Durbin has served as the Senate Dem ...
questioned Zuckerberg about Facebook's support for SB3053. T


Related state-level bills and laws

There are a number of similar bills that have been introduced in states across the country. These include: * Michigan, 2017 Bill Text MI H.B. 5019 * New Hampshire, 2017 Bill Text NH H.B. 523 (amended and passed in 2018 as NH H.B. 523) * Alaska, 2017 Bill Text AK H.B. 72 * Montana, 2017 Bill Text MT H.B. 518 *New York, 2021 Assembly Bill 27 & Senate Bill 1933.


Foreign equivalents

On May 25, 2018, the EU effectuated the General Data Protection Regulation (
GDPR The General Data Protection Regulation (GDPR) is a European Union regulation on data protection and privacy in the EU and the European Economic Area (EEA). The GDPR is an important component of EU privacy law and of human rights law, in partic ...
), one of the world's strongest data protection regulations to date.{{Cite web, last=Fisher, first=Sandra L., date=2020, title=Encyclopedia of Electronic HRM, url=https://ris.utwente.nl/ws/files/221637852/Encyclopedia_of_Electronic_HRM_Frontmatter.pdf, url-status=live, archive-url=https://web.archive.org/web/20211021181634/https://ris.utwente.nl/ws/files/221637852/Encyclopedia_of_Electronic_HRM_Frontmatter.pdf, archive-date=2021-10-21, access-date=, website=University of Twente Research Information System (RIS)


References

Illinois statutes