Everyone has been talking about the California Consumer Privacy Act (CCPA) lately, largely because the 2018 law became enforceable as of July 1, 2020. This law provides California consumers with a number of privacy-related rights, and applies to any organization that has California consumers, even if the organization is not located in California.
So why isn’t there more talk about BIPA? The Illinois Biometric Information Privacy Act has been around since 2008 and “has been a steady source of litigation ever since,” according to a 2020 article in the National Law Review.
Illinois Biometric Information Privacy Act (BIPA)
BIPA regulates how “private entities” collect, use, and share “biometric information” and “biometric identifiers”, and imposes certain security requirements, noting that:
“Biometrics are unlike other unique identifiers that are used to access finances or other sensitive information. For example, social security numbers, when compromised, can be changed. Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.”
BIPA’s key obligations require written informed consent before the data is collected and a written retention and destruction policy for that information, prohibit profiting from biometric information, and specify security requirements.
Even more interesting is the Right to Action clause, which states: “Any person aggrieved by a violation of this Act shall have a right of action” with a potential monetary recovery for each violation.
This week’s eDiscovery Blues™ cartoon makes a play on a recent Illinois Supreme Court ruling that clarified “aggrieved person” under BIPA. It also reminds the eDiscovery industry just how commonplace the collection of biometric data has become in a world of facial recognition, thumbprint ID verification, and home DNA kits.
Rosenbach v. Six Flags Entertainment Corp
In 2014, 14-year-old Alexander Rosenbach went on a school trip to Six Flags Great America, which had begun using a fingerprint scan for all season pass holders. The pass had been purchased online, and when his mother asked Alexander for the paperwork related to the pass after he returned home, he said, “it’s all done by fingerprint now.”
The original complaint states, “Neither Alexander, who was a minor, nor Rosenbach, his mother, were informed in writing or in any other way of the specific purpose and length of term for which his fingerprint had been collected. Neither of them signed any written release regarding taking of the fingerprint, and neither of them consented in writing ‘to the collection, storage, use, sale, lease, dissemination, disclosure, redisclosure, or trade of, or for [defendants] to otherwise profit from, Alexander’s thumbprint or associated biometric identifiers or information.’”
However, two years later, the Appellate Court overturned the lower court’s ruling in favor of the plaintiff, noting “a plaintiff is not ‘aggrieved’ within the meaning of the Act and may not pursue either damages or injunctive relief under the Act based solely on a defendant’s violation of the statute. Additional injury or adverse effect must be alleged.”
So, the issue at hand becomes injury or adverse effect as a result of the collection of biometric data, and not simply a “technical violation” of BIPA.
This was settled by the Illinois Supreme Court in 2019 when they overturned the Appellate Court’s ruling, noting that having one’s rights violated as defined by BIPA was sufficient to be considered aggrieved.
They also pointed out that the protection of individual biometric data was the purpose of the law, and that “to require individuals to wait until they have sustained some compensable injury beyond violation of their statutory rights before they may seek recourse…would be completely antithetical to the Act’s preventative and deterrent purposes.”
Biometric Data and eDiscovery
An important thing to consider is that data knows no borders. With the growth of new technology that collects biometric data, it’s easy to see how that data becomes potentially discoverable in litigation. As more states consider individual privacy laws, along with those which exist in Europe and other jurisdictions, compliance becomes more of a challenge, especially for global organizations.
Manual processes aren’t defensible, so having proper tools in place to ensure compliance with notifications, as well as with retention and destruction policies, is vital. As this ruling under BIPA shows, saying “no harm, no foul” isn’t enough.