A Brief BIPA Checklist
Biometric data is regulated under various state data security and privacy laws. For example, biometric data is defined kin the California Consumer Privacy Act (CCPA), and falls within that statute’s definition for personal information. Biometric data also is included in the definition for “private information” under the SHIELD Act. Illinois’s Biometric Information Privacy Act (BIPA), which protects Illinois residents, perhaps packs the greatest punch because, unlike other statutes, it contains a private cause of action with a low threshold for liability.
Under BIPA, “[n]o private entity in possession of a biometric identifier or biometric information may sell, lease, trade, or otherwise profit from a person's or a customer's biometric identifier or biometric information.” The statute also imposes informed notice and consent requirements on any private organization that collects, retains, or uses biometric data. The statute requires that the organization:
- Inform the data subject in writing that biometric data is collected and stored;
- Inform the data subject in writing the specific purpose and length that biometric data is collected, stored, and used;
- Receive from the data subject a written release for the collection, storage, and use of the biometric data; and
- Publish a retention schedule and guidelines for the destruction of biometric data once it is no longer needed and/or the data subject no longer has a relationship with the organization.
BIPA also prohibits the disclosure of biometric data unless (1) the data subject consents, (2) the disclosure completes a financial transaction authorized by the data subject, or (3) the disclosure is required by law or legal process.
Violation of the statute entitles a prevailing party to recover for each violation: (1) $1,000 or actual damages, whichever is greater, for a negligent breach, (2) $5,000 or actual damages, whichever is greater, for an intentional or a reckless breach, (3) reasonable attorneys’ fees and costs, including expert witness fees and other litigation expenses, and (4) injunctive relief. The threshold to show an injury is low. Last year, the Supreme Court of Illinois held that the mere violation of any right under BIPA entitles a plaintiff (and any putative class member) to recovery of statutory damages. Rosenbach v. Six Flags Entertainment Corporation, 129 N.E.3d 11971206 (Ill. 2019). Subsequently, the United States Court of Appeals for the Ninth Circuit held that allegations of violation of BIPA satisfied Article III standing requirements for a “concrete” injury. Patel v. Facebook, Incorporated, 932 F.3d 1264, 1275 (9th Cir. 2019). The Facebook litigation subsequently settled in January 2020 for $550 million.
Most BIPA litigation arises out of the employment context – for instance, where an employer uses fingerprint scans to track employee time. To help mitigate against BIPA, we recommend the following:
- Employers review, audit, and update their practices and employee manuals regarding the use of employee biometric data. Ensure that employees whose biometric data is used acknowledge the policy, and authorize its use and collection in writing.
- Establish a publicly-available (i.e., post on the organization’s website) written policy that addresses the purpose(s) of biometric data use, how it will be collected, and how it will be stored.
- Review and amend your organization’s written data privacy and security program (you should have one by now) to ensure that proper safeguards are in place, including contractual liability shifting, for any biometric data collected, stored, or used.
- Train employees on policies and procedures regarding biometric data.
- Consult with competent data privacy and security (cybersecurity) counsel to ensure that policies and practices comply with relevant laws.
If you have any questions about this or need more information, contact Joshua A. Mooney (firstname.lastname@example.org; 215.864.6345).