Understanding the Illinois Biometric Information Privacy Act
At a glance
The Illinois Biometric Information Privacy Act (BIPA) protects biometric data, including fingerprints, facial scans, and retinal scans, of individuals living within Illinois.
Passed in 2008, BIPA has been amended several times, with the most recent amendment occurring in 2019.
BIPA is one of the strongest biometric privacy laws in the country and, in recent years, has provided the legal basis for an increasing number of biometric privacy lawsuits.
Below we'll explore BIPA's requirements and scope, four recent cases involving BIPA violations, and the state of play with other state biometric privacy laws.
What is the Illinois Biometric Information Privacy Act?
Illinois's Biometric Information Privacy Act (BIPA) protects biometric data, which refers to unique physical or biological features that can be used to identify an individual. Examples of biometric data include:
Fingerprints
Palmprints
Voice data
Facial scans
Iris scans
DNA sequences
Typing patterns
BIPA gives individuals in Illinois more power to control their biometric data, prohibiting private entities from collecting and processing it without written notification. This notification must cover:
The type of data being collected or stored
The intended purpose
How long it will be collected, used, and stored
In contrast to most U.S. state privacy laws, BIPA does include a private right of action, which allows individuals to pursue legal action on their own behalf. This means that individuals in Illinois may recover statutory damages when companies beholden to BIPA fail to honor their rights under the law.
BIPA stipulates a $1000 fine per negligent violation and a $5000 fine per violation deemed by the courts to be intentional or reckless.
There have been numerous class-action lawsuits as a result of BIPA's private right of action. One of the most high-profile cases in recent years was against Facebook, on account of the facial-recognition based "Tag Suggestions" feature. We'll cover this case in greater detail below.
How to comply with the Illinois Biometric Information Privacy Act
With biometric privacy lawsuits becoming increasingly common, it's important that companies take the appropriate steps to ensure compliance. Among the states that do have biometric privacy laws, the Illinois BIPA is the most mature. And, with the most established legal precedent, cases alleging BIPA violations tend to have an easier time in court.
To remain compliant with BIPA, organizations need to:
Obtain individual consent before collecting or disclosing biometric data
Disclose in writing what data is being collected and how long it will be stored
Establish systems for deleting biometric data in a timely manner
Ensure third parties are not selling biometric data collected by your company
Establish reasonable safeguards for collecting, transmitting, and storing biometric data
Obtain consent before sharing someone's biometric information
Ensure your biometric data privacy policies and procedures are up-to-date
These steps are a good starting point for ensuring your company's compliance with the Illinois Biometric Information Privacy Act, but as always, be sure to consult your legal counsel when determining your compliance strategy.
Facebook's biometric information privacy litigation
Facebook's recent biometric information privacy litigation revolved around a 2015 class-action lawsuit, Patel et al. vs Facebook, which accused the tech giant of improperly collecting and storing the biometric data of its Illinois users without appropriate notice and consent.
The lawsuit focused on Facebook's "Tag Suggestions" feature, with plaintiffs claiming the feature "harvested and stored users' facial data from photos without asking for consent or providing notice."
Under the final settlement ruling, Facebook was ordered to pay $650 million to over 1.6 million Illinois residents, who will each receive at least $345.
In 2019, Facebook made its automatic facial recognition tagging feature opt-in only, in an effort to address the privacy issues highlighted by the class action. Then, in 2020, Facebook proposed a $550 million settlement, but this was rejected by a judge as insufficient.
Though a $650 million fine may seem steep, BIPA's mandate of $5000 per purposeful violation combined with Facebook's massive user base could have resulted in a multi-billion dollar fine. Commentators have noted this is likely why Facebook moved to settle.
Though Facebook is one of the most high-profile biometric privacy cases to date, several other BIPA lawsuits have been filed in recent years.
In the news: Other biometric privacy lawsuits
Clearview AI
In 2020, the American Civil Liberties Union (ACLU) and several other non-profits accused Clearview AI of violating BIPA by unlawfully collecting biometric data from billions of social media images without obtaining consent from the individuals in the photos.
No stranger to controversial press, Clearview AI settled the lawsuit in 2022, agreeing to not sell its facial recognition database to most US companies or provide its software to government agencies in Illinois for five years.
Though the company did not admit to any wrongdoing, Clearview AI must now provide an online "opt-out" form on its website that allows Illinois residents to block their face from appearing in search results.
The case against Clearview AI highlights how a single state privacy law can have far-reaching impacts on civil rights protections for Americans nationwide.
In 2022, a class-action lawsuit was filed against Google in Illinois over data privacy concerns regarding the Google Photos app.
The lawsuit claimed Google had violated the Illinois Biometric Information Privacy Act by collecting and analyzing facial data without:
notifying users
getting "informed" consent, or
sharing data retention policies with the public
Google Photos has a tool that groups photos of similar faces together by using facial geometry data to determine similarities and differences between people. However, Google failed to inform users that their biometric data was being collected.
As part of the settlement, claimants who appeared in pictures on Photos between May 1st, 2015 and April 25th, 2022, will receive a payment ranging from $200 to $400, for a total settlement of $100 million. The final approval hearing for this settlement is scheduled for September 28th, 2023.
TikTok
TikTok has faced multiple biometric privacy lawsuits, the most high-profile one being settled in 2022 to the tune of $92 million. The result of 21 different lawsuits, mainly filed on behalf of minors as young as six, and citing violations of both BIPA and the California Privacy Rights Act (CPRA), this settlement applies to 89 million TikTok users across the U.S.
The suit accused the app of using facial recognition technology to harvest personal data from users without their consent and sharing it with third parties, including some based in China.
According to the plaintiff's lawyers, TikTok had "clandestinely vacuumed up" huge amounts of personal, identifiable data, including information from video drafts that had not been published on the platform. Prosecutors also alleged that the app's creators had gone to great lengths to hide this illegal data collection, obscuring the source code so as to limit investigations into potential misconduct.
Similar to Facebook's run-in with biometric lawsuits, TikTok reportedly decided that settling these lawsuits was a safer bet than taking them on in open court.
What other states have biometric privacy laws?
As of 2023, Illinois, Texas, and Washington have enacted legislation to protect biometric privacy. Four other states (Nevada, New York, Maine, and Maryland) have active biometric privacy laws, though they have yet to be enacted.
Enacted in 2001, the Texas Capture or Use of Biometric Identifier Act (CUBI) requires prior information and consent from the concerned person before capturing their biometric identifiers for commercial purposes.
There is no comprehensive federal law regulating the collection and use of personal data or biometric data in the United States.