Do I have a Claim Under the Illinois Biometric Information Privacy Act?

The Illinois Supreme Court in Rosenbach v. Six Flags Entertainment Corp., stated that the Illinois Biometric Information Privacy Act (“BIPA”)  is the only “enforcement mechanism available” to hold violators accountable for misusing personal biometric data. 192 N.E.3d 1197, 1207. That same case held that a person whose biometric data is unlawfully obtained, mishandled, misused, or lost by an Illinois business, can sue under the BIPA even if he or she did not suffer any actual damage from the breach. A common issue, however, is that without actual damages resulting from a BIPA violation, claimants are seldom aware that  their privacy rights have been violated. This explains how you can determine if you have a potential claim under BIPA claim and how much money you might be owed?.

What is the Illinois Biometric Information Privacy Act?

The Illinois Biometric Information Privacy Act (740 ILCS 14) is a collection of laws passed in 2008 to address the growing use and collection of biometric data in the business and security screening industries. BIPA sets forth the means by which a private entity may obtain, collect, store, and transfer a person’s biometric data and allows employees to file a lawsuit if the data is unlawfully collected, misused, or lost.

Biometric data, unlike other types of personal information such as usernames and passwords, is uniquely linked to the individual and cannot be changed in the event of a data breach. The following is considered biometric data under BIPA: 

  • Retina or iris scan 
  • Fingerprint 
  • Voiceprint 
  • Hand Scan 
  • Facial Scan 
  • Information based on these identifies if it’s used to identify an individual 

However, biological samples like drug tests, handwriting, photographs, and physical descriptions of individuals are not considered biometric data under BIPA but may still be protected under other Illinois data privacy laws.

When is an Employer Liable for Violating BIPA?

Employers are required to do the following under BIPA:

  • Obtain a written release or authorization from the person to collect and store the biometric data; 
  • Destroy biometric identifiers when:
    • The purpose for which they were obtained is accomplished; or
    • Within three years of the individual’s last interaction with the business.
  • Inform the person in writing that his/her biometric information is being collected or stored;
  • Inform the person in writing of the specific purpose of the collection and the length of time for which the information will be collected, stored, and used; 
  • Receive consent to disclose or disseminate the data unless otherwise authorized by law to do so; 
  • Use the data for authorized purposes only. Entities may not sell, lease, trade, or otherwise profit from the use of the biometric information even with your permission; 
  • Store, transmit, and protect all data from disclosure as it would other confidential or sensitive information.

Any failure to obtain a written consent or authorization from a person, and or failure to  issue a written biometric data policy gives rise to a private cause of action for damages under BIPA. In addition, the following circumstances may trigger employer liability under BIPA:

  • Failure to obtain an employee’s written consent to obtain the biometric data;
  • Failure to treat the data as confidential information subject to data protection;
  • Failure to issue employees a written biometric data policy;
  • Unlawful disclosure of the information to a new entity or employer. 

How Do You Sue for Damages Under BIPA?

An individual or group of employees whose biometric data is being utilized in a manner violative of BIPA may sue for damages under 740 ILCS 14/20. They may collect the following damages for each individual violation:

  • Actual damages suffered as a result of the misuse, i.e., losses resulting from identity theft, or $1,000, whichever is greater, for any negligent violation of BIPA;
  • Actual damages or $5,000, whichever is greater, for a reckless or intentional violation of BIPA;
  • Reasonable attorneys fees; 
  • Litigation costs and expenses including expert witness fees; 
  • An injunction prohibiting further use of or requiring the destruction of the data;
  • Any other relief deemed appropriate by the court.

Accordingly, Illinois claimants should contact a biometric privacy attorney at Werman Salas P.C. to file a new claim or join a class action lawsuit without fear that attorney’s fees and litigation costs will outweigh their potential recovery. It also means that employees may have an individual claim for damages each time the biometric data is collected and stored in violation of the BIPA. A claimant may be able to obtain between $1,000 and $5,000 for being required to scan his or her thumbprint if the scan is obtained and collected in violation of BIPA. 

Call the BIPA Employee Claims Attorneys at Werman Salas P.C. Today

The Chicago class action and collective privacy litigation attorneys at Werman Salas P.C. combine multiple BIPA claims into a single class action lawsuit to protect employee rights, mitigate costs, and recover rightful damages for a BIPA violation. 

If you believe your current or former employer has violated BIPA, contact our experienced attorneys at 312-419-1008 or online for your free BIPA claims consultation.