main content

All Insights, All Publications, Legal Alert |
April 3, 2019

Illinois Law Restricting Biometric Identifiers May Set Precedent for Other States

Twitter Facebook Linkedin

The Illinois Biometric Information Privacy Act (BIPA) is receiving a great deal of attention because it includes a private right of action.  The law imposes numerous restrictions on how private entities collect, retain, disclose and destroy biometric identifiers.  Under the Act, any person “aggrieved” by a violation of its provisions “shall have a right of action … against an offending party” and “may recover for each violation” the greater of liquidated damages or actual damages, reasonable attorney fees and costs and any other relief, including an injunction, that the court deems appropriate.

In the United States Supreme court case, Clapper v. Amnesty International, the court held that to recover for data privacy breach, there had to be an actual harm to the plaintiff; and this law has allowed a number of defendants to win dismissals in the face of a litigation alleging data breach.  However, none of the privacy laws involved in Clapper or the cases that rely on it addressed a law that had liquidated damages.   On January 24 the Illinois Supreme Court held in Rosenbach v. Six Flags Entertainment that a plaintiff who alleges only a technical violation of the law, without alleging any injury or adverse effect, may still maintain a claim for relief.

NIST controls and state laws regarding personal information

Most organizations would be well advised to include in their purchasing decisions whether the system supports the implementation of the individual participation controls set forth in NIST 800-53 (IP-1, IP-2, IP-3 and IP-4) along with their enhancements and whether they can inventory and track personal information within their organization.  In addition, the laws of many countries and now even some of our states offer special protections for biometric information and afford individuals a significant voice in whether the organization may keep or share their biometric information with third parties.

Steps to consider when collecting biometrics

The decision to collect and preserve biometric information should not be taken lightly.  Clear consent documents should be drafted and procedures and policies should be created to clearly delineate what information can be collected, preserved and shared with others.  There should be significant involvement by legal counsel when any organization elects to collect biometric information.  The ease of using a customer’s anatomy to authenticate a transaction needs to be weighed against the risk of collecting and preserving this type of information.  This is especially true with minors who are not able to consent to the collection and who could be accompanied by someone other than the parent or guardian legally authorized to consent to the biometric collection.

Today, the BIPA is an Illinois law.  But it would be prudent to expect other states to adopt similar laws just as they have in other countries.  Therefore, we are advising our clients to consider the potential need to implement a future consent process for the collection of biometric information regardless of the jurisdiction of the collection occurs..

If you would like to review your organization’s data collection practices in light of the BIPA or other data privacy laws, please contact Alan M. Winchesteror the attorney with whom you usually work.

This alert does not purport to be a substitute for advice of counsel on specific matters.

Harris Beach has offices throughout New York State, including Albany, Buffalo, Ithaca, Melville, New York City, Rochester, Saratoga Springs, Syracuse, Uniondale and White Plains, as well as New Haven, Connecticut and Newark, New Jersey.

Illinois Law Restricting Biometric Identifiers May Set Precedent for Other States

Insight

The Illinois Biometric Information Privacy Act (BIPA) is receiving a great deal of attention because it includes a private right of action.  The law imposes numerous restrictions on how private entities collect, retain, disclose and destroy biometric identifiers.  Under the Act, any person “aggrieved” by a violation of its provisions “shall have a right of action … against an offending party” and “may recover for each violation” the greater of liquidated damages or actual damages, reasonable attorney fees and costs and any other relief, including an injunction, that the court deems appropriate.

In the United States Supreme court case, Clapper v. Amnesty International, the court held that to recover for data privacy breach, there had to be an actual harm to the plaintiff; and this law has allowed a number of defendants to win dismissals in the face of a litigation alleging data breach.  However, none of the privacy laws involved in Clapper or the cases that rely on it addressed a law that had liquidated damages.   On January 24 the Illinois Supreme Court held in Rosenbach v. Six Flags Entertainment that a plaintiff who alleges only a technical violation of the law, without alleging any injury or adverse effect, may still maintain a claim for relief.

NIST controls and state laws regarding personal information

Most organizations would be well advised to include in their purchasing decisions whether the system supports the implementation of the individual participation controls set forth in NIST 800-53 (IP-1, IP-2, IP-3 and IP-4) along with their enhancements and whether they can inventory and track personal information within their organization.  In addition, the laws of many countries and now even some of our states offer special protections for biometric information and afford individuals a significant voice in whether the organization may keep or share their biometric information with third parties.

Steps to consider when collecting biometrics

The decision to collect and preserve biometric information should not be taken lightly.  Clear consent documents should be drafted and procedures and policies should be created to clearly delineate what information can be collected, preserved and shared with others.  There should be significant involvement by legal counsel when any organization elects to collect biometric information.  The ease of using a customer’s anatomy to authenticate a transaction needs to be weighed against the risk of collecting and preserving this type of information.  This is especially true with minors who are not able to consent to the collection and who could be accompanied by someone other than the parent or guardian legally authorized to consent to the biometric collection.

Today, the BIPA is an Illinois law.  But it would be prudent to expect other states to adopt similar laws just as they have in other countries.  Therefore, we are advising our clients to consider the potential need to implement a future consent process for the collection of biometric information regardless of the jurisdiction of the collection occurs..

If you would like to review your organization’s data collection practices in light of the BIPA or other data privacy laws, please contact Alan M. Winchesteror the attorney with whom you usually work.

This alert does not purport to be a substitute for advice of counsel on specific matters.

Harris Beach has offices throughout New York State, including Albany, Buffalo, Ithaca, Melville, New York City, Rochester, Saratoga Springs, Syracuse, Uniondale and White Plains, as well as New Haven, Connecticut and Newark, New Jersey.

Attorney Advertising. Prior results do not guarantee a similar outcome.
© 2022 Harris Beach PLLC

Content current as of December 9, 2023 2:06 pm