stylized long exposure photograph of moving traffic
Share
  • Download PDF 

Illinois Supreme Court Ruling Sparks Increase in Biometric Privacy Litigation

As the use of biometric identifiers for timekeeping, handheld devices, and security grows, so does state regulation and litigation. Illinois, Washington, and Texas are examples of states that regulate the collection, use, and retention of biometric identifiers such as fingerprints, voiceprint, eye retinas, iris scans, full hand, or facial geometry scans. A recent Illinois Supreme Court ruling and the subsequent flood of litigation regarding compliance with Illinois’s Biometric Information Privacy Act (BIPA) highlights the urgent need to review biometric compliance protocol.

BIPA requires companies to develop a written retention and destruction policy related to biometric information and make the policy available to the public. Companies must also make written disclosures and obtain authorization from an individual before collecting biometric data.

BIPA was enacted in 2008, and a renewed interest in BIPA lawsuits followed a 2019 decision from the Illinois Supreme Court in Rosenbach v. Six Flags Entertainment Corporation. The Court held a plaintiff does not need to show actual injury to recover statutory damages under BIPA.  Rather, mere procedural violations of the statute, such as the failure to obtain written authorization or to publicly post a retention policy, were sufficient to support damages.   Any procedural violation provides the “aggrieved” individual with a private right of action to recover liquidated damages of $1,000 for each negligent violation and $5,000 for each reckless violation of BIPA, along with reasonable attorneys’ fees and costs.

Companies can reduce potential exposure by implementing the following:

  • Ensure proper retention and destruction policies are in place and publicly available.
  • Ensure all biometric information destruction policies comply with the applicable timelines set forth in the statute.
  • Ensure all notice and authorization forms are distributed before biometric identifiers are collected or disseminated to third-parties.

Early investment in proper biometric identifier notifications, authorizations, policies, and procedures may save time and money in the long run.

The Transportation Brief®

A quarterly newsletter of legal news for the clients and friends of Scopelitis, Garvin, Light, Hanson & Feary

News from Scopelitis is intended as a report to our clients and friends on developments affecting the transportation industry. The published material does not constitute an exhaustive legal study and should not be regarded or relied upon as individual legal advice or opinion.

stylized long exposure photograph of moving traffic

Illinois Supreme Court Ruling Sparks Increase in Biometric Privacy Litigation

As the use of biometric identifiers for timekeeping, handheld devices, and security grows, so does state regulation and litigation. Illinois, Washington, and Texas are examples of states that regulate the collection, use, and retention of biometric identifiers such as fingerprints, voiceprint, eye retinas, iris scans, full hand, or facial geometry scans. A recent Illinois Supreme Court ruling and the subsequent flood of litigation regarding compliance with Illinois’s Biometric Information Privacy Act (BIPA) highlights the urgent need to review biometric compliance protocol.

BIPA requires companies to develop a written retention and destruction policy related to biometric information and make the policy available to the public. Companies must also make written disclosures and obtain authorization from an individual before collecting biometric data.

BIPA was enacted in 2008, and a renewed interest in BIPA lawsuits followed a 2019 decision from the Illinois Supreme Court in Rosenbach v. Six Flags Entertainment Corporation. The Court held a plaintiff does not need to show actual injury to recover statutory damages under BIPA.  Rather, mere procedural violations of the statute, such as the failure to obtain written authorization or to publicly post a retention policy, were sufficient to support damages.   Any procedural violation provides the “aggrieved” individual with a private right of action to recover liquidated damages of $1,000 for each negligent violation and $5,000 for each reckless violation of BIPA, along with reasonable attorneys’ fees and costs.

Companies can reduce potential exposure by implementing the following:

  • Ensure proper retention and destruction policies are in place and publicly available.
  • Ensure all biometric information destruction policies comply with the applicable timelines set forth in the statute.
  • Ensure all notice and authorization forms are distributed before biometric identifiers are collected or disseminated to third-parties.

Early investment in proper biometric identifier notifications, authorizations, policies, and procedures may save time and money in the long run.

News from Scopelitis is intended as a report to our clients and friends on developments affecting the transportation industry. The published material does not constitute an exhaustive legal study and should not be regarded or relied upon as individual legal advice or opinion.