The Illinois Biometric Information Privacy Act (“BIPA”)
September 11, 2023
The following guest blog post was contributed by our cyber partners at Resilience.
One of the principal topics in the privacy-law news over the past year has been the developments in litigation brought under BIPA, the Illinois statute governing the collection and maintenance of biometric information. Although BIPA is the most prominent biometric-privacy statute, other states have passed or are in the process of enacting similar statutes, and thus these developments are potentially relevant to companies that might not be subject to Illinois law. Recent litigation has only served to emphasize the importance of ensuring compliance with these statutes, because a company found liable in a BIPA class action faces potentially business-ending damages.
BIPA regulates the collection, sale, disclosure, storage, and destruction of biometric data, most prominently retina or iris scans, fingerprints, voiceprints, or scans of hand or face geometry. BIPA requires that an individual give his or her consent before biometric data are collected or disclosed, and it creates a private right of action for those whose biometric data have been collected or disclosed without the proper consents. To date, BIPA plaintiffs have generally been either (a) employees who used biometric time clocks, e.g., fingerprint swipes to clock in, or (b) consumers, e.g., cosmetics purchasers using the “selfie” camera on their smartphones to see what a particular makeup would look like on their faces.
BIPA provides for statutory damages in the amount of $1,000 per negligent violation and $5,000 per reckless or intentional violation. A recent ruling from the Illinois Supreme Court adopted the pro-plaintiff view that each scan counts as a separate violation. Given that employees typically use biometric time clocks multiple times per day, this ruling greatly increases the exposure of companies that are not BIPA-compliant. The only BIPA class-action jury trial to date resulted in a $228 million verdict, and that was delivered before the Supreme Court’s ruling, under a one-violation-per-class-member approach.
BIPA’s statutory-damages provisions present the risk of catastrophic, even existential, liability for a company found to be in violation (especially under the recent per-scan, rather than per-plaintiff, interpretation of “violation”). But companies can protect themselves against potential BIPA liability by ensuring that they (a) obtain adequate consent before collecting any biometric information, (b) securely store any biometric information that they do collect in compliance with BIPA, and (c) have an adequate privacy policy in place.
There are a number of proactive measures that can help companies reduce or eliminate their exposure to BIPA liability. To start, companies should ask themselves the following questions to determine whether they have exposure to BIPA or similar statutes:
- Does the company collect, store, or use biometric information, which is unique physical or behavioral characteristics (such as fingerprint or voice patterns), from employees or consumers?
- Does the company provide advance written notice of its methods and purposes of collecting, storing, and using biometric information?
- Does the company obtain affirmative written consent for the collection, storage, or use of biometric information in advance?
- Does the company have specific protocols for the maintenance, retention, and deletion of biometric information in its possession, custody, or control?
These examples are merely illustrative, however, and are not intended to represent the full scope or depth of a BIPA-compliance review, and companies should engage with privacy counsel for further assistance specific to their particular needs. Our panel of Resilience Service Providers includes privacy counsel with significant experience litigating BIPA claims and advising clients on compliance with BIPA and similar statutes in other states. We are ready, willing, and able to recommend and introduce our insureds to these professionals, to assist them in building cyber resilience, including by taking steps to maintain BIPA compliance.
Daniel Raccuia
U.S. Digital Assets Claims Counsel
Resilience
This material is provided for informational purposes only. Accordingly, this material should not be viewed as a substitute for the guidance and recommendations of a trained professional. Arceo Labs, Inc. d/b/a Resilience and its affiliates and subsidiaries (collectively, “Resilience”) does not endorse any coverage, systems, processes, or protocols addressed herein. To the extent that this material contains any examples, please note that they are for illustrative purposes only. This material is not intended to establish any standard of care, to serve as legal advice appropriate for any factual situation, or to provide an acknowledgment that any factual situation is covered by Resilience products. This material is not intended as a solicitation for purchase of insurance coverage. Resilience partnered with Hylant to provide this material. The above information does not constitute advice. Always contact your insurance broker or trusted advisor for insurance-related questions.