Authentication through biometrics—such as fingerprinting or iris scanning—is growing rapidly. In 2008, Illinois passed the Biometric Information Privacy Act (BIPA) and became the first state to regulate the collection and use of this kind of data.
Recently, the Illinois Supreme Court made it much easier for plaintiffs to show harm under BIPA. This means we’ll likely see a significant rise in the number of lawsuits alleging violations.
The Trouble with Biometrics
While convenient, there are several drawbacks to using this data to authenticate a user. Biometrics cannot be changed, like a password or government-issued identification number, if compromised. Consequently, lawmakers continue to regulate the collection, use, storage, and destruction of this sensitive data.
Generally, BIPA requires organizations to give written notice and receive consent from the individuals whose biometric data is being collected or used. Biometric identifiers include fingerprints and voiceprints as well as retina, iris, hand, and facial geometry scans.
Technical Violations Benefit Plaintiffs
Rosenbach v. Six Flags significantly changed the litigation landscape regarding biometric data handling. According to the Illinois Supreme Court, an individual could be “aggrieved” simply by a technical violation of BIPA even without suffering an actual injury or damage.
Prior to this case, plaintiffs had to show actual harm to collect damages. In short, this decision makes it much easier for plaintiffs to successfully sue companies for BIPA violations.
This recent decision highlights the importance of notice and consent procedures related to collecting biometric information. Here are some things you can do today.
- If you collect biometric data, get familiar with BIPA requirements and other biometric privacy laws (e.g. Texas).
- Provide adequate informed notice and receive written consent before collecting or using biometric data.
- Train your employees to properly handle biometric data.