Data privacy laws have made significant breakthroughs in recent years, making data privacy a top priority for businesses.  From the adoption of the European Union’s General Data Protection Regulation (GDPR) in 2016 to the enactment of the California Consumer Privacy Act (CCPA) in 2018 and the latest ballot approval of the California Privacy Rights Act (CPRA) in 2020, we continue to see data privacy laws develop and garner interest from consumers, businesses, and legislators alike.

Biometric privacy laws in particular, however, are often overshadowed by more general data privacy laws.  As we discussed in our prior article, biometrics are physical and behavioral human characteristics (i.e., face, eye, fingerprint, and voice features) that can be used to digitally identify a person.  As the collection and use of biometric data become more common in daily life and its applications in different industries continue to expand, new privacy considerations will emerge in this field.  Biometrics laws, in their own right, require separate recognition because of the nuanced application of these specific laws.

The United States does not have a single, comprehensive federal law governing biometric data.  Recently, we have seen an increasing number of individual states focus on this issue, along with the recent introduction of legislation in a number of states specifically aimed at protecting the collection, retention, and use of biometric data.  In Part I, we summarize some of the legislative activity on biometric laws from 2020.  We will describe other noteworthy legislation to monitor for 2021 in Part II.


Continue Reading U.S. Biometrics Laws Part I: An Overview of 2020

On October 13, 2020, White Castle System, Inc. petitioned the United States Court of Appeals for the Seventh Circuit for permission to seek an interlocutory appeal pursuant to 28 U.S.C. § 1292(b).  This petition arises out of the United States District Court for the Northern District of Illinois’ opinion on White Castle’s motion for judgment on the pleadings issued on August 7, 2020.  The matter hinged on whether repeated collection of the same biometric information from an employee without prior consent constituted separate violations of the Illinois Biometric Information Privacy Act (BIPA).

Summary of District Court’s Cothron v. White Castle Opinion

In the district court’s opinion, Judge Tharp held that “[a] party violates Section 15(b) [of the BIPA] when it collects, captures, or otherwise obtains a person’s biometric information without prior informed consent.”  Judge Tharp continued, “[t]his is true the first time an entity scans a fingerprint or otherwise collects biometric information, but it is no less true with each subsequent scan or collection.”  Similarly, Judge Tharp held that, under BIPA, dissemination of information without consent, even if to the same third party as previously disseminated, is an additional violation of the BIPA.


Continue Reading Does Continued Collection of The Same Biometric Information Increase BIPA Violations? The Seventh Circuit (or Illinois Supreme Court) Has An Opportunity to Clear the Air