Biometric Information Privacy Act (BIPA)



BIPA is the new class action of note in Illinois, with potential far-reaching impact across the country. We help businesses comply with the statute and defend them when class actions ensue.

Our approach

Companies across the country use biometric data like fingerprint scans for daily operations. But federal regulations have not provided clear guidance related to this technology. As the use of biometric data becomes increasingly popular, more states have begun passing legislation to address these issues.

Illinois was one of the first states to enact such a law with the Biometric Information Privacy Act (BIPA). BIPA allows a private right of action with statutory fines of up to $1,000 (for each negligent violation) and $5,000 (for each reckless or intentional violation), plus attorneys’ fees. Plaintiffs have filed more than 300 proposed class action lawsuits asserting BIPA claims since 2017. While the vast majority of these cases allege that employers used employee fingerprints for timekeeping purposes without appropriate disclosures and consent, other filed claims involve different uses of biometric information, including eye scans, face scans, hand scans, and voice recordings.

In 2019, the Illinois Supreme Court ruled in Rosenbach v. Six Flags Entertainment Corp. that BIPA claimants do not need to allege actual harm to receive statutory damages.This decision emboldened existing plaintiffs and led to even more BIPA lawsuits. BIPA can affect any company doing business in Illinois that collects, stores or uses biometric information, whether that of its employees, customers, guests or visitors.

We assist companies with employees and operations in Illinois, as well as entities outside Illinois that work with organizations in the state. Our attorneys have tracked BIPA updates over the years and can help clients update their policies to ensure compliance with the statute and reduce risks of BIPA litigation.

If a lawsuit looms or ensues, we work with clients to aggressively and practically handle the matter. We are currently defending several clients in putative class actions alleging violations of the disclosure and consent requirements of BIPA and have successfully resolved BIPA cases pre-suit. We understand this law and can help you minimize exposure in costly BIPA litigation.

We Work With

Businesses operating in regulated industries that deliver products or services, including:

  • Retailers and franchisors
  • Hardware and software providers
  • Manufacturing companies
  • Health and life science companies
  • Senior and assisted living facilities
  • Companies offering or using biometric technology

Additional Consumer Privacy Law Experience

We have experience with complex consumer privacy, data protection and security laws impacting businesses nationwide, including, among others:

  • Telephone Consumer Protection Act (TCPA)
  • Illinois Biometric Privacy Act (BIPA)
  • California Consumer Privacy Act (CCPA)
  • EU General Data Protection Regulation (GDPR)
  • Computer Fraud and Abuse Act (CFAA)
  • Federal Trade Commission Act (FTC Act)
  • Fair Credit Reporting Act (FCRA)
  • Fair and Accurate Credit Transactions Act (FACTA)
  • Fair Debt Collection Practices Act (FDCPA)
  • Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)
  • Children’s Online Privacy Protection Rule (COPPA)
  • Video Privacy Protection Act (VPPA)
  • Credit Card Accountability Responsibility and Disclosure Act (Credit CARD Act)
  • Driver’s Privacy Protection Act (DPPA)
  • Freedom of Information Act (FOIA)
  • Federal Trade Commission (FTC) and Federal Communications Commission (FCC) regulations
  • State consumer protection laws in all 50 states, the District of Columbia, and Puerto Rico

Ruling against Facebook could propel additional biometric lawsuits

Business Insurance Magazine | August 20, 2019

In this article, Chicago Complex Commercial Disputes partner Rich Tilghman discusses the impact of a recent Ninth Circuit ruling recognizing the plaintiffs’ standing in a class action suit accusing Facebook of violating Illinois’ biometric law through its use of facial recognition technology.

Facebook lawsuit underscores importance of transparent collection and use of data

Rochester Business Journal | January 25, 2019

Rochester Corporate partner Jeremy Wolk wrote this contributed column analyzing a lawsuit filed against Facebook in Washington, DC, alleging violations of state-level consumer protection laws by the social media company. This article incorporates perspective from an alert written by Washington Complex Commercial Disputes associate Brian Donnelly, Rochester Corporate associate Jenny Holmes, and Los Angeles Government Investigations & White Collar Defense associate Karina Puttieva.

Problems with the California Consumer Privacy Act

Los Angeles/San Francisco Daily Journal | January 23, 2019

Los Angeles Government Investigations and White Collar Defense partner Jason Gonzalez and associate Karina Puttieva co-wrote this contributed article identifying issues with the “remarkably unclear” California Consumer Privacy Act, a measure passed last year that regulates large businesses businesses who buy, sell or share consumers’ personal information.

Back to top