Biometric Information Privacy Act (BIPA)

Our approach

Companies across the country use biometric data like fingerprint scans for daily operations. But federal regulations have not provided clear guidance related to this technology. As the use of biometric data becomes increasingly popular, more states have begun passing legislation to address these issues.

Illinois was one of the first states to enact such a law with the Biometric Information Privacy Act (BIPA). BIPA allows a private right of action with statutory fines of up to $1,000 (for each negligent violation) and $5,000 (for each reckless or intentional violation), plus attorneys’ fees. Plaintiffs have filed more than 300 proposed class action lawsuits asserting BIPA claims since 2017. While the vast majority of these cases allege that employers used employee fingerprints for timekeeping purposes without appropriate disclosures and consent, other filed claims involve different uses of biometric information, including eye scans, face scans, hand scans, and voice recordings.

In 2019, the Illinois Supreme Court ruled in Rosenbach v. Six Flags Entertainment Corp. that BIPA claimants do not need to allege actual harm to receive statutory damages.This decision emboldened existing plaintiffs and led to even more BIPA lawsuits. BIPA can affect any company doing business in Illinois that collects, stores or uses biometric information, whether that of its employees, customers, guests or visitors.

We assist companies with employees and operations in Illinois, as well as entities outside Illinois that work with organizations in the state. Our attorneys have tracked BIPA updates over the years and can help clients update their policies to ensure compliance with the statute and reduce risks of BIPA litigation.

If a lawsuit looms or ensues, we work with clients to aggressively and practically handle the matter. We are currently defending several clients in putative class actions alleging violations of the disclosure and consent requirements of BIPA and have successfully resolved BIPA cases pre-suit. We understand this law and can help you minimize exposure in costly BIPA litigation.

We Work With

Businesses operating in regulated industries that deliver products or services, including:

• Retailers and franchisors
• Hardware and software providers
• Manufacturing companies
• Health and life science companies
• Senior and assisted living facilities
• Companies offering or using biometric technology

Additional Consumer Privacy Law Experience

We have experience with complex consumer privacy, data protection and security laws impacting businesses nationwide, including, among others:

• Telephone Consumer Protection Act (TCPA)
• Illinois Biometric Privacy Act (BIPA)
• California Consumer Privacy Act (CCPA)
• EU General Data Protection Regulation (GDPR)
• Computer Fraud and Abuse Act (CFAA)
• Federal Trade Commission Act (FTC Act)
• Fair Credit Reporting Act (FCRA)
• Fair and Accurate Credit Transactions Act (FACTA)
• Fair Debt Collection Practices Act (FDCPA)
• Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)
• Children’s Online Privacy Protection Rule (COPPA)
• Video Privacy Protection Act (VPPA)
• Credit Card Accountability Responsibility and Disclosure Act (Credit CARD Act)
• Driver’s Privacy Protection Act (DPPA)
• Freedom of Information Act (FOIA)
• Federal Trade Commission (FTC) and Federal Communications Commission (FCC) regulations
• State consumer protection laws in all 50 states, the District of Columbia, and Puerto Rico