Senior Content Marketing Manager
June 9, 2023 • 6 min read
Illinois’s Biometric Information Privacy Act (BIPA) protects biometric data, which refers to unique physical or biological features that can be used to identify an individual. Examples of biometric data include:
BIPA gives individuals in Illinois more power to control their biometric data, prohibiting private entities from collecting and processing it without written notification. This notification must cover:
In contrast to most U.S. state privacy laws, BIPA does include a private right of action, which allows individuals to pursue legal action on their own behalf. This means that individuals in Illinois may recover statutory damages when companies subject to BIPA fail to honor their rights under the law.
BIPA stipulates a $1000 fine per negligent violation and a $5000 fine per violation deemed by the courts to be intentional or reckless.
There have been numerous class-action lawsuits as a result of BIPA’s private right of action. One of the most high-profile cases in recent years was against Facebook, on account of its facial-recognition-based “Tag Suggestions” feature. We'll cover this case in greater detail below.
With biometric privacy lawsuits becoming increasingly common, it's important that companies take the appropriate steps to ensure compliance. Among the states that do have biometric privacy laws, the Illinois BIPA is the most mature. And, with the most established legal precedent, cases alleging BIPA violations tend to have an easier time in court.
To remain compliant with BIPA, organizations need to:
These steps are a good starting point for ensuring your company's compliance with the Illinois Biometric Information Privacy Act, but as always, be sure to consult your legal counsel when determining your compliance strategy.
Facebook's recent biometric information privacy litigation revolved around a 2015 class-action lawsuit, Patel et al. vs Facebook, which accused the tech giant of improperly collecting and storing the biometric data of its Illinois users without appropriate notice and consent.
The lawsuit focused on Facebook's "Tag Suggestions" feature, with plaintiffs claiming the feature “harvested and stored users’ facial data from photos without asking for consent or providing notice.”
Under the final settlement ruling, Facebook was ordered to pay $650 million to over 1.6 million Illinois residents, who will each receive at least $345.
In 2019, Facebook made its automatic facial recognition tagging feature opt-in only, in an effort to address the privacy issues highlighted by the class action. Then, in 2020, Facebook proposed a $550 million settlement, but this was rejected by a judge as insufficient.
Though a $650 million fine may seem steep, BIPA’s mandate of $5000 per purposeful violation combined with Facebook’s massive user base could have resulted in a multi-billion-dollar fine. Commentators have noted this is likely why Facebook moved to settle.
Though the Facebook case is one of the most high-profile biometric privacy cases to date, several other BIPA lawsuits have been filed in recent years.
In 2020, the American Civil Liberties Union (ACLU) and several other non-profits accused Clearview AI of violating BIPA by unlawfully collecting biometric data from billions of social media images without obtaining consent from the individuals in the photos.
No stranger to controversial press, Clearview AI settled the lawsuit in 2022—agreeing to not sell its facial recognition database to most US companies or provide its software to government agencies in Illinois for five years.
Though the company did not admit to any wrongdoing, Clearview AI must now provide an online "opt-out" form on its website that allows Illinois residents to block their face from appearing in search results.
The case against Clearview AI highlights how a single state privacy law can have far-reaching impacts on civil rights protections for Americans nationwide.
In 2022, a class-action lawsuit was filed against Google in Illinois over data privacy concerns regarding the Google Photos app.
The lawsuit claimed Google had violated the Illinois Biometric Information Privacy Act by collecting and analyzing facial data without:
Google Photos has a tool that groups photos of similar faces together by using facial geometry data to determine similarities and differences between people. However, Google failed to inform users that their biometric data was being collected.
As part of the settlement, claimants who appeared in pictures on Photos between May 1st, 2015 and April 25th, 2022, will receive a payment ranging from $200 to $400—for a total settlement of $100 million. The final approval hearing for this settlement is scheduled for September 28th, 2023.
TikTok has faced multiple biometric privacy lawsuits, the most high-profile one being settled in 2022 to the tune of $92 million. The result of 21 different lawsuits, mainly filed on behalf of minors as young as six and citing violations of both BIPA and the California Privacy Rights Act (CPRA), this settlement applies to 89 million TikTok users across the U.S.
The suit accused the app of using facial recognition technology to harvest personal data from users without their consent and sharing it with third parties, including some based in China.
According to the plaintiff’s lawyers, TikTok had "clandestinely vacuumed up" huge amounts of personal, identifiable data, including information from video drafts that had not been published on the platform. Prosecutors also alleged that the app’s creators had gone to great lengths to hide this illegal data collection, obscuring the source code so as to limit investigations into potential misconduct.
Similar to Facebook’s run-in with biometric lawsuits, TikTok reportedly decided that settling these lawsuits was a safer bet than taking them on in open court.
As of 2023, Illinois, Texas, and Washington have enacted legislation to protect biometric privacy. Four other states (Nevada, New York, Maine, and Maryland) have active biometric privacy laws—though they have yet to be enacted.
Enacted in 2001, the Texas Capture or Use of Biometric Identifier Act (CUBI) requires that a person be informed and give consent before their biometric identifiers are captured for commercial purposes.
There is no comprehensive federal law regulating the collection and use of personal data or biometric data in the United States.