The Illinois Biometric Privacy Act (“BIPA”)

A Potential Existential Threat to Companies Doing Business in Illinois  

Lawyers are always on the lookout for “the next big thing.” It may be here. In 2008, Illinois became the first state to enact a biometric privacy law that prohibits private companies from collecting, capturing, purchasing, receiving through trade, or otherwise obtaining a person’s biometric information without informing the person and receiving written consent. Illinois Biometric Information Privacy Act, 740 ILCS 14/1 et seq. (West 2018) (“BIPA”). Biometric information protected under BIPA includes facial-recognition technology, fingerprint scans, iris and retina scans, palm-print readings, and voiceprints. BIPA seeks to safeguard against the heightened risk of identity theft when biometrics are linked to finances and other personal information.

The exponential growth in the use of biometric data in the last decade has increased companies’ potential BIPA exposure and caught the attention of the plaintiffs’ class action bar. Possibly due to the novelty of BIPA, many companies, including some of the biggest in the world such as Facebook, apparently failed to appreciate the scope of the statute and the onerous penalties it imposes. The result is that in the last five years BIPA has emerged as an existential threat to any company that does business in Illinois.

While states like Texas and Washington have enacted similar biometric privacy laws, BIPA is unique in that it creates a private right of action with onerous liquidated statutory fines. Anyone who violates BIPA may be subject to $1,000 fines per negligent violation, $5,000 fines per intentional or reckless violation, and attorneys’ fees and costs, all with no cap. Maryland and other states have followed Illinois’ lead by including a private right of action in their biometric information privacy laws.

BIPA litigation increased dramatically around 2017. Currently, there are reportedly 2,000 class action lawsuits. BIPA lawsuits have resulted in some dramatic settlements. In 2020, Meta (formerly Facebook) settled a BIPA class action suit for $650M. Other huge payouts under BIPA include BNSF Railway’s settlement of $228 million for collecting truck drivers’ fingerprints without consent and TikTok’s $92 million class action settlement for collecting users’ faceprints without consent.

More recently, on February 17, 2023, in Cothron v. White Castle System, Inc., the Illinois Supreme Court, in a 4 to 3 opinion, held that causes of action under BIPA “apply to every capture and use of a person’s fingerprint or hand scan.” In other words, BIPA claims accrue each and every single time a business scans a person’s biometric information. White Castle had introduced a system that required its employees to scan their fingerprints to access their pay stubs and computers. Thus, there was an independent BIPA violation every single time a worker scanned his or her fingerprints. White Castle had argued that allowing recovery for “each violation” could potentially result in “astronomical” damage awards that could constitute “annihilative liability.” The Court rejected White Castle’s argument and held that “where statutory language is clear, it must be given effect, even though the consequences may be harsh, unjust, absurd, or unwise.” Ultimately, the Court deferred to the Illinois legislature: “[W]e continue to believe that policy-based concerns about potentially excessive damage awards under [BIPA] are best addressed by the legislature.” Estimates of White Castle’s liquidated BIPA damages approach or exceed $17B.

Given the ever-increasing use of biometric data by companies of all sizes, it is fair to speculate that we are only at the beginning of the BIPA litigation tsunami. While the Illinois Supreme Court notes that it is the responsibility of the legislature to amend the statute, past experience suggests that it may be a long wait and a lot of companies may be crippled or bankrupted in the meantime. The best proxy for this situation is the Federal Telephone Consumer Protection Act of 1991 (“TCPA”), which imposed non-discretionary damages of $500 to $1500 for each uninvited business fax, robocall and text message with no cap. 47 U.S.C. Sec. 227. There was an expectation that Congress would soften the inflexible TCPA penalties. However, thirty years later, no material changes to the damage provisions have been made.   

Insurance: In the past two years, there have been more than a dozen state and federal opinions addressing insurance coverage issues posed by BIPA. In May 2021, the Illinois Supreme Court ruled on the seminal Illinois insurance coverage case for underlying actions alleging violations of BIPA. West Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 2021 IL 125978. The Court determined the insurer had a duty to defend because the disclosure of fingerprint data to a third party constitutes “publication” as required for “personal injury” coverage under the general liability policy. Additionally, the Illinois Supreme Court concluded coverage was not excluded by the policy’s “distribution of material in violation of statutes” exclusion, because that exclusion reaches statutes that regulate the method of communication, not statutes, like BIPA, that regulate the dissemination of information. Since the ruling in West Bend, the courts are nearly split as to whether insurers have a duty to defend underlying actions that allege BIPA violations. The most common exclusions impeding coverage are the following: the employment-related practices exclusion, the distribution of material in violation of statute exclusion, and the access or disclosure of confidential or personal information exclusion.