The Illinois Biometric Information Privacy Act (BIPA)

The Illinois Biometric Information Privacy Act (BIPA)

The Illinois Biometric Information Privacy Act or BIPA for short is an Illinois state law passed in 2008 that regulates the collection, storage, retention, safeguarding, use, and destruction of biometric information and identifiers. If residents living within the state of Illinois feel as though their biometric information has been shared with business or third parties without their consent, the BIPA allows them to take any applicable parties to court and put forth a grievance to recover financial damages, any associated legal or court fees, and other forms of relief deemed by a court of law in relation to a privacy violation. Furthermore, the BIPA was also the basis of a landmark 2019 case, Rosenbach v. Six Flags Entertainment Corp., that changed the ways in which such legislation has come to be viewed around the country. Despite all of this, many people may be wondering what biometric information is.

What is biometric information?

Biometrics is defined as the measurement and statistical analysis of an individual’s behavioral and physical characteristics. In the context of personal privacy, biometric information or identifiers can be used to identify, label, or describe individuals. Some common examples of physical biometric identifiers include facial recognition, fingerprints, DNA, iris recognition, hand geometry, palm veins, odor or scent, and retina or ear features. Alternatively, some common examples of behavioral biometric identifiers include signature, gait analysis, typing rhythm, gestures, keystroke, voice, and behavioral profiling.

How is biometric information used in the context of business?

The use of biometric information in the business world has become widespread in recent years, as many companies and industries such as banking and technology have begun to make use of biometric features such as fingerprint and facial recognition. As such, biometric information has come to be used in business in the following ways:

What criteria are Illinois businesses required to follow when collecting or using biometric information?

Under the BIPA, companies, and businesses that collect the biometric information of residents within the state of Illinois are required to follow the following comprehensive set of rules:

Unlike many state privacy statutes around the country, the BIPA allows for a private right of action that allows for any aggrieved person to recover the following damages in accordance with a BIPA violation:

Plaintiffs involved in BIPA violation lawsuits are also entitled to recover reasonable attorney fees and related court costs, including expert witness fees and other litigation expenses.

What is the significance of Rosenbach v. Six Flags Entertainment Corp?

In Rosenbach v. Six Flags Entertainment Corporation, the plaintiff, the mother of a 14-year-old boy, sued the Six Flags Corporation on the grounds that the corporation had violated the BIPA. The plaintiff alleged that the theme park had collected the biometric information of her son in the form of a fingerprint without first obtaining written consent. Moreover, the plaintiff also alleged that the Six Flags Corporation failed to provide her with proper disclosure in relation to the collection, use, and retention of her son’s fingerprint data. Alternatively, the Six Flags corporation countered by arguing that the plaintiff was not “an aggrieved” party for the purposes of the BIPA, as she had not alleged that an “actual injury” had occurred as a result of the biometric information that was collected from her son.

In the end, The Illinois Supreme Court concluded that a consumer did not need to demonstrate “an adverse effect or specific harm (such as evidence that personal information was stolen or misused) to have standing to sue under BIPA”. This decision was in stark contrast to the ways in which many privacy laws are written and enforced around the country, as plaintiffs in privacy lawsuits and cases often have to prove that they sustained some form of damage or harm in relation to the illegal disclosure of their personal information. As such, Rosenbach v. Six Flags Entertainment Corp will serve as a landmark case for future biometric privacy laws and cases around the country.

The BIPA was the first comprehensive biometric privacy law to be passed within the United States. As such, it has been extremely influential in the space of biometric privacy, as many states around the country have come to draft and pass their own forms of biometric privacy laws in response to the BIPA. What’s more, the case of Rosenbach v. Six Flags Entertainment Corp has changed the ways in which privacy laws, in general, are viewed within the U.S., as what is considered a violation of a citizen’s privacy in our current digital age is something that is still up for debate and discussion.

Related Reads