Illinois Biometric Privacy Act (BIPA) Clarifications

BIPA Background

The Illinois Biometric Information Privacy Act (BIPA), enacted in 2008, regulates the collection, storage, and use of biometric data, like fingerprints and face scans, by private entities. It mandates these entities to obtain informed consent from individuals before collecting their data, prohibits the disclosure of biometric information without consent or unless required by law, requires entities to protect biometric data with reasonable care, and mandates the destruction of such data once its purpose has been served or within three years of the individual's last interaction. Noncompliance with BIPA can lead to stiff penalties.

Two New Decisions

 The Illinois Supreme Court issued two highly-anticipated decisions regarding the scope of BIPA – Tims v. Black Horse Carriers and Cothron v. White Castle Systems – striking fear in the hearts of Illinois' companies and excitement in the wallets of plaintiffs' attorneys.

These rulings could open the litigation floodgates, as they create more opportunities for BIPA-related lawsuits. By clarifying that a five-year statute of limitations applies to all BIPA claims, the court in Tims opened a longer time frame for plaintiffs to bring cases. Then, the court's ruling in Cothron established that a separate claim accrues each time an entity scans or transmits biometric information, thus greatly increasing the number of potential claims a plaintiff can bring. Imagine an employer using a fingerprint scan for its employees when clocking in and out for each and every shift…

 Implications

While these decisions could incentivize companies to reevaluate their biometric data practices, making businesses more cautious when implementing biometric technologies and more careful to comply with privacy regulation, they may also lead to an increase in legal costs for both plaintiffs and defendants. Either way, it's a win for the lawyers.