Continuing the trend of recognizing Illinois’ Biometric Information Privacy Act (“BIPA”) as a muscular privacy-protective statute, the Illinois Appellate Court for the First District has ruled that the most common statutory violations of BIPA are subject to a five-year statute of limitations. BIPA imposes several duties on companies that collect, store or use biometric data—e.g., fingerprints, facial geometry scans—from Illinois residents. Prevailing plaintiffs may recover liquidated damages ranging from $1,000 to $5,000 for each BIPA violation (plus attorneys’ fees), and these provisions incentivize plaintiffs’ lawyers to bring BIPA claims as class actions.

Continue Reading Illinois Appellate Court Affirms 5-Year Statute of Limitations Period for Certain BIPA Claims

As class actions brought under Illinois’ Biometric Information Privacy Act (“BIPA”) proceed through litigation, defendants have made a variety of arguments attempting to push courts to define the limits of the somewhat vague statute. The Illinois Supreme Court’s 2019 decision in Rosenbach v. Six Flags Entertainment Corp. was the first opinion to provide interpretive guidance of BIPA, and specifically, what type of injury is required for a person to have standing to bring a private right of action under the statute. (We explain BIPA and the Rosenbach opinion here.)
Continue Reading Is BIPA Preempted? – Illinois Appellate Court Considers Workers’ Compensation Exclusivity Question

After Illinois passed its Biometric Information Privacy Act in 2008 (“BIPA”), other states have begun enacting legislation regulating business activities relating to biometric information. Texas and Washington were next, followed by California in 2018. Now, Massachusetts has proposed legislation regulating the use of a consumer’s personal and biometric information.

Bill SD.341, “an Act relative to consumer data privacy,” draws much of its language from the California Consumer Privacy Act of 2018 (“CCPA”), and also has some parallels to BIPA. However, there are several differences between the Bill and BIPA worth noting.
Continue Reading Proposed Massachusetts Consumer Data Privacy Law Takes Lessons From Illinois’ Biometric Law

In the aftermath of the Illinois Supreme Court’s Rosenbach decision, Illinois employers have faced a wave of class action litigation filed under the Biometric Information Privacy Act (“BIPA”). Employers hoping for relief from the statute’s private right of action must wait for another day (or another session) as Senate Bill 2134 (“SB 2134”) did not report out of committee by the March 28, 2019 deadline.
Continue Reading The Potential For Stemming BIPA Suits Waits Another Day

The Illinois Supreme Court recently handed down its much-anticipated decision in Rosenbach v. Six Flags Entertainment Corporation et al., clarifying what makes someone “aggrieved” and able to bring a claim under the Illinois Biometric Information Privacy Act (“BIPA”). We have addressed this issue in prior blogs, including here and here. The Supreme Court has now held an individual need not allege some actual injury or adverse effect to be “aggrieved” and have statutory standing. An individual can state a BIPA claim simply by alleging an entity’s failure to follow the statute’s notice and consent requirements.
Continue Reading Actual Injury Unnecessary to Sue Under Illinois Biometric Law

On November 20, 2018, the Illinois Supreme Court heard oral arguments in Rosenbach v. Six Flags Entertainment Corp. and Great America LLC to decide whether a technical violation of Illinois’ Biometric Information Privacy Act (BIPA), 740 ILCS 14 et seq., without some additional injury, is enough to give an individual standing to sue under the Act.

As explained in further detail here, BIPA establishes certain notice-and-consent requirements that private entities must follow if they are going to collect, store, and use biometric identifiers and information, such as fingerprints. BIPA also creates a private right of action for individuals who are “aggrieved” by a violation of the act. In recent years, there has been a huge upswing in the number of cases filed under BIPA. The main issue these cases encounter early on is whether a company’s mere technical violation of the notice-and-consent requirements is enough to make a plaintiff “aggrieved,” and therefore have standing to sue, or if additional injury is required.


Continue Reading The Fight Over Standing Under the Biometric Information Privacy Act Continues in Illinois High Court

In recent years, the use of biometrics in business has been growing. In the employment context, for example, some employers use biometric time clocks, which allow employees to “clock in” with a fingerprint or iris scan. Unlike a password or social security number, however, an individual’s biometric identifier or information cannot be changed or replaced if compromised. In the event of a data breach, individuals may have no recourse against identity theft, due to the biologically unique nature of biometrics.
Continue Reading Actual Injury Required to Sue Under Illinois Biometric Information Privacy Act