The Illinois Biometric Information Privacy Act (BIPA) is currently the most important statute in the US concerning the collection and storage of biometric data. This past year saw a continuing escalation of putative class cases filed under the law, both inside and outside of Illinois, due to BIPA's express private right of action and per-violation statutory penalties of $1,000 or more. The vast majority of these cases involve the use of devices by retailers that capture biometric data such as fingerprints or iris images for the purpose of tracking customers and tracking employee attendance or cash-register access. Other biometric devices of immediate relevance to retailers and BIPA are store security systems that use facial recognition technologies.

To date, courts applying BIPA have been proceeding without a definitive interpretation of the nature of the harm required to demonstrate a violation of BIPA. Is it enough for a defendant to have gathered biometric information in violation of the act, or does there have to be actual harm, such as a data breach in which the biometric information is compromised and used for criminal purposes?

For the first time since the passage of BIPA in 2008, the Illinois Supreme Court is set to answer the question of whether persons "aggrieved" by a violation of the statute must allege that they suffered actual harm or if a technical violation of the statute is sufficient to establish standing. What the court decides has the potential to spur national biometric litigation along even further or render BIPA toothless; it will also directly affect how other states draft their biometric-data protection statutes.

The court heard oral argument on November 20, 2018, in Stacy Rosenbach v. Six Flags Entertainment Corp, et al., No. 123186 (Ill.), regarding the nature of the harm required to sue under BIPA. The plaintiff in the case has asserted a claim based on a technical violation of the statute: her son's fingerprint scan was collected by the amusement park in order to access a season's pass, but the park failed to comply with the notice and consent requirements of BIPA. The defendants pressed the point that interpreting BIPA to allow private enforcement of technical violations has opened the floodgates to "no-injury lawsuits," and argued that while a company that fails to comply with BIPA's notice-and-consent requirements is liable if the information it collects is compromised or misused in violation of the law, collection alone fails to trigger liability.

During oral argument, several justices seemed to side with the plaintiff, citing collection of biometric data itself without notice and consent as a potential "irreparable harm" and noting that the purpose of the statute was to prevent actual harm from happening in the first place. We anticipate that the Illinois Supreme Court will issue its opinion in Q1 2019.

Interestingly, BIPA was originally enacted in reaction to a situation that presents a cloudy issue as to actual versus potential harm. When Pay By Touch, a biometrics firm that supplied fingerprint scanners to Illinois retailers, faced bankruptcy in 2007, the company considered selling its database of fingerprints collected by the scanners. The Illinois chapter of the American Civil Liberties Union used the opportunity to draft BIPA, which was passed by the Illinois legislature the next year.

The idea of a corporation's selling a person's biometric information collected without notice to or consent of the individual certainly leaves a bad taste in the mouth of most people, but is it actually harmful? For that reason, most courts thus far have interpreted BIPA as vesting in Illinois residents the right to control their biometric information by requiring notice before collection and providing residents with the crucial ability to withhold consent. There are, however, some courts which have required a showing of actual harm for litigants to have standing to bring a claim under BIPA.

A decision by the Illinois Supreme Court holding that a plaintiff has standing to enforce BIPA based on only a technical violation of the statute would keep the tide of national biometric collection litigation rolling. Although Texas and Washington have their own statutes governing the collection and usage of biometric identifiers, those laws do not allow for private actions. BIPA has been the main vehicle in biometrics-related (especially class action) litigation due to its private right of action and steep statutory penalties.

BIPA is likely to remain the relevant benchmark for legislation controlling the collection of biometric information as efforts to pass a bill at the federal level have not been successful. In the House, the Biometric Information Privacy Act (H.B. 4381) was introduced in 2014 and requires permission before entities can share biometric data they collect with a third party, but no action has been taken on this bill to date. Additionally, the Secure and Protect Americans' Data Act (SPADA) and the Data Accountability and Trust Act (DATA) both include biometric data as a protected category of personal information for which entities that collect it must provide notice, but no action has occurred on either bill since their proposal in 2017. In the Senate, the Customer Online Notification for Stopping Edge-provider Network Transgressions Act (CONSENT Act) and the Social Media Privacy Protection and Consumer Rights Act (SMPPCR Act) were both proposed in 2018 and potentially cover biometric information under their definitions of "personally identifiable information" and "personal data," respectively, but no action has been taken to date on either bill.
