Understanding the Illinois Biometric Information Privacy Act

By Morgan Sullivan

Senior Content Marketing Manager II

June 9, 2023 | 6 min read


At a glance

  • The Illinois Biometric Information Privacy Act (BIPA) protects biometric data, including fingerprints, facial scans, and retinal scans, of individuals living within Illinois.
  • Passed in 2008, BIPA has been amended several times, with the most recent amendment occurring in 2019. 
  • BIPA is one of the strongest biometric privacy laws in the country and, in recent years, has provided the legal basis for an increasing number of biometric privacy lawsuits. 
  • Below we’ll explore BIPA’s requirements and scope, four recent cases involving BIPA violations, and the state of play with other state biometric privacy laws. 


What is the Illinois Biometric Information Privacy Act?

Illinois’s Biometric Information Privacy Act (BIPA) protects biometric data, which refers to unique physical or biological features that can be used to identify an individual. Examples of biometric data include:

  • Fingerprints
  • Palmprints
  • Voice data
  • Facial scans
  • Iris scans 
  • DNA sequences
  • Typing patterns

BIPA gives individuals in Illinois more power to control their biometric data, prohibiting private entities from collecting and processing it without written notification. This notification must cover:

  • The type of data being collected or stored
  • The intended purpose
  • How long it will be collected, used, and stored

In contrast to most U.S. state privacy laws, BIPA does include a private right of action, which allows individuals to pursue legal action on their own behalf. This means that individuals in Illinois may recover statutory damages when companies beholden to BIPA fail to honor their rights under the law.

BIPA stipulates a $1,000 fine per negligent violation and a $5,000 fine per violation deemed by the courts to be intentional or reckless.

There have been numerous class-action lawsuits as a result of BIPA’s private right of action. One of the most high-profile cases in recent years was against Facebook, on account of its facial-recognition-based “Tag Suggestions” feature. We'll cover this case in greater detail below.

How to comply with the Illinois Biometric Information Privacy Act

With biometric privacy lawsuits becoming increasingly common, it's important that companies take the appropriate steps to ensure compliance. Among the states that do have biometric privacy laws, the Illinois BIPA is the most mature. And, with the most established legal precedent, cases alleging BIPA violations tend to have an easier time in court.

To remain compliant with BIPA, organizations need to:

  • Obtain individual consent before collecting or disclosing biometric data
  • Disclose in writing what data is being collected and how long it will be stored
  • Establish systems for deleting biometric data in a timely manner
  • Ensure third parties are not selling biometric data collected by your company
  • Establish reasonable safeguards for collecting, transmitting, and storing biometric data
  • Obtain consent before sharing someone's biometric information
  • Ensure your biometric data privacy policies and procedures are up-to-date

These steps are a good starting point for ensuring your company's compliance with the Illinois Biometric Information Privacy Act, but as always, be sure to consult your legal counsel when determining your compliance strategy.

Facebook's biometric information privacy litigation

Facebook's recent biometric information privacy litigation revolved around a 2015 class-action lawsuit, Patel et al. v. Facebook, which accused the tech giant of improperly collecting and storing the biometric data of its Illinois users without appropriate notice and consent.

The lawsuit focused on Facebook's "Tag Suggestions" feature, with plaintiffs claiming the feature “harvested and stored users’ facial data from photos without asking for consent or providing notice.”

Under the final settlement ruling, Facebook was ordered to pay $650 million to over 1.6 million Illinois residents, who will each receive at least $345.

In 2019, Facebook made its automatic facial recognition tagging feature opt-in only, in an effort to address the privacy issues highlighted by the class action. Then, in 2020, Facebook proposed a $550 million settlement, but this was rejected by a judge as insufficient. 

Though a $650 million fine may seem steep, BIPA’s mandate of $5,000 per purposeful violation combined with Facebook’s massive user base could have resulted in a multi-billion dollar fine. Commentators have noted this is likely why Facebook moved to settle.

Though Facebook is one of the most high-profile biometric privacy cases to date, several other BIPA lawsuits have been filed in recent years. 

In the news: Other biometric privacy lawsuits

Clearview AI

In 2020, the American Civil Liberties Union (ACLU) and several other non-profits accused Clearview AI of violating BIPA by unlawfully collecting biometric data from billions of social media images without obtaining consent from the individuals in the photos.

No stranger to controversial press, Clearview AI settled the lawsuit in 2022—agreeing to not sell its facial recognition database to most US companies or provide its software to government agencies in Illinois for five years.

Though the company did not admit to any wrongdoing, Clearview AI must now provide an online "opt-out" form on its website that allows Illinois residents to block their face from appearing in search results.

The case against Clearview AI highlights how a single state privacy law can have far-reaching impacts on civil rights protections for Americans nationwide.

Google

In 2022, a class-action lawsuit was filed against Google in Illinois over data privacy concerns regarding the Google Photos app.

The lawsuit claimed Google had violated the Illinois Biometric Information Privacy Act by collecting and analyzing facial data without:

  • notifying users
  • getting "informed" consent, or
  • sharing data retention policies with the public 

Google Photos has a tool that groups photos of similar faces together by using facial geometry data to determine similarities and differences between people. However, Google failed to inform users that their biometric data was being collected. 

As part of the settlement, claimants who appeared in pictures on Photos between May 1st, 2015 and April 25th, 2022, will receive a payment ranging from $200 to $400—for a total settlement of $100 million. The final approval hearing for this settlement is scheduled for September 28th, 2023.

TikTok

TikTok has faced multiple biometric privacy lawsuits, the most high-profile one being settled in 2022 to the tune of $92 million. The result of 21 different lawsuits, mainly filed on behalf of minors as young as six and citing violations of both BIPA and the California Privacy Rights Act (CPRA), this settlement applies to 89 million TikTok users across the U.S.

The suit accused the app of using facial recognition technology to harvest personal data from users without their consent and sharing it with third parties, including some based in China. 

According to the plaintiff’s lawyers, TikTok had "clandestinely vacuumed up" huge amounts of personal, identifiable data, including information from video drafts that had not been published on the platform. Prosecutors also alleged that the app’s creators had gone to great lengths to hide this illegal data collection, obscuring the source code so as to limit investigations into potential misconduct.

Similar to Facebook’s run-in with biometric lawsuits, TikTok reportedly decided that settling these lawsuits was a safer bet than taking them on in open court. 

What other states have biometric privacy laws?

As of 2023, Illinois, Texas, and Washington have enacted legislation to protect biometric privacy. Four other states (Nevada, New York, Maine, and Maryland) have biometric privacy bills in progress, though none has yet been enacted.

Enacted in 2001, the Texas Capture or Use of Biometric Identifier Act (CUBI) requires prior notice to, and consent from, the person concerned before their biometric identifiers are captured for commercial purposes.

There is no comprehensive federal law regulating the collection and use of personal data or biometric data in the United States.


About Transcend

Transcend is the platform that helps companies put privacy on autopilot by making it easy to encode privacy across an entire tech stack.

Transcend Data Mapping is the only solution that goes beyond observability to power your privacy program with smart governance suggestions. Get unified data management through automated scanning, data silo discovery and advanced data classification, all in a collaborative platform.

Ensure nothing is tracked without user consent using Transcend Consent, automate data subject request workflows with Privacy Requests, and mitigate risk with smarter privacy Assessments.



