BIPA Reminder.

Advances in biometric technologies emerged following the widespread use of computer systems in the late 20th Century.[1] In 2010, Facebook launched a feature that used facial recognition technology to guess who was in your picture by using your network of friends.[2] In 2013, Apple introduced Touch ID, a fingerprint sensor used to unlock devices.[3] The Coronavirus pandemic may accelerate the adoption of biometric solutions. Companies that have had to transition to a remote workforce may soon find themselves in a position to have to upgrade their network security. Likewise, companies that have had to adopt web-based solutions for customer engagement may evaluate long-term solutions to improve the online customer experience. Considering the foregoing, it is important to renew attention to the Illinois Biometric Information Privacy Act (“BIPA”), 740 ILCS 14/ et seq.

The Illinois General Assembly enacted the Biometric Information Privacy Act in 2008[4] with the intent of serving public welfare, security, and safety by regulating the collection, storage, use and destruction of biometric identifiers and information.[5] The General Assembly stated that “[t]he use of biometrics is growing in the business and security screening sectors.”[6] Unlike other unique identifiers, such as social security numbers, biometric identifiers are biologically unique to the person.[7] Once compromised, the person has no recourse.[8] Companies found to be in violation of BIPA are subject to statutory penalties and other relief.[9]

Despite having been enacted in 2008, many technology-based companies remained unaware of BIPA until 2015, when a series of class action lawsuits were filed against Facebook.[10] The number of BIPA-related lawsuits has grown exponentially since then. BIPA litigation is likely to increase in the future, as biometric technology becomes more readily accessible. Many of the cases currently in litigation relate to time clocks that use an employee’s fingerprint to facilitate the process of clocking in-and-out. Others, such as the recent case filed against Google, concern voiceprints and face recognition technology.

On April 2, 2020, Clinton Farwell filed a class action lawsuit alleging, among other things, that Google had violated BIPA.[11] Farwell alleged his children, who attended a primary school in Illinois, where provided access to Google Chromebooks that came preinstalled with Google’s “G Suite for Education” platform.[12] The Chromebooks included features that required Farwell’s children to speak into an audio recording device and look into the Chromebook camera, at which point Google allegedly collected a recording of the children’s voice and face geometry.[13] Farwell alleged Google violated BIPA by collecting his children’s biometric identifiers and information, and of others similarly situated, without first obtaining the requisite consent required under BIPA.[14] Farwell seeks, in part, on behalf of the putative class: (1) $1,000 in statutory damages for each violation of BIPA, (2) $5,000 in statutory damages for each violation to BIPA that was committed intentionally or recklessly and (3) reasonable attorneys’ fees.[15]

BIPA was the first law of its kind to impose requirements on businesses that collect or otherwise obtain biometric information. It has received much scrutiny following the Illinois Supreme Court’s Rosenbach’s decision in January 2019, when the Court held that a plaintiff need not alleged an “actual injury” beyond violation of his or her rights under BIPA to qualified as an “aggrieved person.”[16] Amendments to BIPA have been proposed that would have curbed the wave of BIPA litigation, but those proposals have failed.[17] Pending further legislative action, it is critical that businesses collecting biometrics have the appropriate policies in place to comply with BIPA.