Client Alert: Biometric Information Privacy Act

Action Items

What Is BIPA?

The Illinois Biometric Information Privacy Act (“BIPA”)1 was enacted in 2008 to regulate private entities’ collection, storage, use, and transmission of biometric identifiers and biometric information.2 Biometric information includes, for example, fingerprints or retina, voice, or face scans. BIPA requires anyone who collects, captures, purchases, obtains, shares, or discloses biometric information – including employers – to first inform the person, disclose the purpose and duration of the storage, and obtain informed written consent.

BIPA violations can result in a $1,000 penalty for each negligent violation, a $5,000 penalty for each willful or reckless violation, and the payment of an opponent’s attorneys’ fees and litigation costs. While two other states have implemented similar laws, Illinois is currently the only state to provide a private right of action. The area is quickly evolving, however, and other states may follow suit.

Recent Illinois Supreme Court Decision — Actual Harm Not Required

On January 25, 2019, in Rosenbach v. Six Flags Entertainment Corporation, the Illinois Supreme Court held that a violation of BIPA’s notice, consent, disclosure, or other requirements is enough for a person to be “aggrieved” under the statute. Consequently, plaintiffs need not suffer actual harm, such as improper disclosure of their biometric information, to bring a BIPA claim.3 It is unclear what effect the Rosenbach case will have on cases pending in federal court.

The Illinois Supreme Court decision appears to have already led to an increase in BIPA lawsuits, and the number will likely continue to rise. Employers that require employees to use fingerprints for timekeeping or security measures have become a common class action target. Increasingly, consumers have also sued companies in a wide range of industries for alleged BIPA violations.

With the recent flood of BIPA claims, disputes over BIPA-related insurance coverage are also on the rise and are growing in complexity and scope. In early January 2019, for example, an insurer filed suit in Illinois state court arguing that it has no duty under a commercial general liability policy to defend or indemnify its policyholder – a grocery chain – in an underlying biometric privacy suit.4

What Can You Do?

Be Proactive & Assess Compliance Risks

Check Your Insurance Coverage

We Can Help You

If you are concerned that BIPA’s reach could impact your business and you would like assistance in reviewing your Company’s BIPA exposure, implementing a compliance plan, or determining your insurance coverage, or if you would like help notifying and dealing with your insurer about a possible BIPA issue, please contact us.

1 Illinois Biometric Information Privacy Act, 740 ILCS 14/1 et seq.
2 While biometric identifiers and biometric information are defined separately under BIPA, for simplicity, we refer to both collectively as “biometric information.”
3 Rosenbach v. Six Flags Entm't Corp., 2019 IL 123186.
4 Westfield Insurance Co. v. Caputo's New Farm Produce Inc., 2019-CH-00232 (Cook County).
