Companies are facing increased scrutiny of their use of biometric data — such as fingerprint scans, facial recognition, and voice recognition to name a few. In the past two years in particular, the number of biometric privacy class action lawsuits filed in the U.S. has skyrocketed.
Many of these lawsuits have been brought under the Biometric Information Privacy Act (BIPA) of Illinois, the first U.S. law and the most stringent of its kind to specifically regulate the collection and use of biometric data.
Adopted by the Illinois state legislature in 2008, BIPA applies to biometric identifiers defined as “retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry” and information based on such biometric identifiers used to identify an individual (collectively “biometric data”).
The law places several limitations on how a company may handle biometric data including:
- Obtaining proper consent before collecting and disclosing biometric data
- Refraining from profiting from biometric data
- Developing a publicly available written policy on the retention and deletion of biometric data
- Using reasonable standards of care as applicable to the company’s industry in handling biometric data
Facebook and TikTok Reached Multimillion-Dollar Settlements for Alleged BIPA Violations
BIPA litigation continues to make national and international headlines. Recent high-profile cases include class action claims filed against major tech companies such as Facebook and TikTok and resulted in multimillion dollars of settlements.
Last month, the short-video sharing app, TikTok, agreed to pay $92 million to settle the class action lawsuit for improperly collecting users’ biometric data in violation of BIPA.
The settlement arises out of 21 separate federal privacy lawsuits against TikTok (and its China-based parent company ByteDance) filed in California and Illinois that were later consolidated as one class action and transferred to the U.S. District Court for the Northern District of Illinois.
The consolidated class action complaint alleges that TikTok collects biometric data (face templates and voiceprints) from its users without first obtaining users’ consent and uses biometric data to profile its users for unlawful purposes such as ad targeting and profit.
In an early biometric privacy case against Facebook, the company paid $650 million to resolve the class action claims arising out of its uses of facial recognition technologies on the photos that its users upload to its website, allegedly also without first obtaining consent from its users.
Notably, the $650 million settlement, one of the largest privacy settlements in U.S. history, was reached after five years of hotly contested litigation and intensive discovery, including an appeal to the U.S. Court of Appeals for the Ninth Circuit and a petition for a certiorari to the U.S. Supreme Court.
The TikTok settlement, which is currently awaiting court approval, was reached earlier on — after more than a year of litigation. As noted in the settlement proposal, this settlement was reached, in part, to avoid “embarking on years of protracted and uncertain litigation”.
BIPA Class Action Lawsuits Will Continue to Multiply in the Coming Years
As for now, BIPA is the only U.S. biometric privacy law that allows private individuals (as opposed to state AGs) to directly file lawsuits for damages stemming from a biometric privacy violation.
BIPA allows harmed individuals to seek statutory damages of $1,000 per negligent violation and $5,000 per reckless or intentional violation (or actual damages if the number is greater), along with attorney’s fees and litigation expenses.
Furthermore, since 2019, a few U.S. courts, notably the Illinois Supreme Court, the Seventh Circuit and the Ninth Circuit, have allowed BIPA cases to proceed solely based on a violation of the statute itself, regardless of whether such violation has caused any real damage (e.g. monetary damage) beyond intruding upon a person’s privacy right.
These plaintiff-favorable judicial decisions, coupled with the availability of the private right of action and per-violation based statutory damages, have led to a sharp increase of BIPA class action lawsuits filed in the past two years. It is expected that BIPA class action lawsuits will continue to multiply in the coming years.
Suggestions for Companies Handling Biometric Data
Companies that routinely handle biometric data need to carefully assess their potential exposure to BIPA litigation and take all necessary steps to minimize the risks of becoming embroiled in this type of litigation.
As the multimillion-dollar settlements involving TikTok and Facebook illustrate, failure to comply with BIPA carry severe consequences, as BIPA violations carry hefty statutory penalties that could potentially translate into large settlement amounts.
It is also worth pointing out that, although being a more than a decade-old law, BIPA has become a popular tool to pursue privacy class action lawsuits only in recent years. This means BIPA still leaves many fundamental questions open for the courts to resolve, including issues related to its scope and applicability.
As many BIPA cases are settled outside of the courtroom, it remains to be seen when and how case law in this emerging area will develop and become more settled. This means not only could BIPA litigation take years to resolve, but it also involves novel and evolving issues that add to the litigation uncertainties.
Furthermore, the coming years will continue to see class action lawsuits filed under BIPA due to class action plaintiff’s ability to seek high statutory damages with low threshold of proof. As such, it is advisable that companies with exposure to BIPA work with legal counsel to evaluate whether their current compliance policies comply with the BIPA requirements.
Lastly, BIPA is not the only U.S. biometric privacy law that a company has to worry about. Other states, such as Texas, Washington and California, have also passed laws to address the use and collection of biometric data. As biometric data are increasingly collected and/or used by companies, more states, and even the federal government, may enact laws to regulate biometric data. Companies are thus advised to keep abreast of the latest developments in biometric regulations as well as case law in this area.