In January 2019, the Illinois Supreme Court issued a seminal decision, Rosenbach v. Six Flags Entertainment Corp., holding that a plaintiff need not allege an actual injury or damages to successfully state a claim under Illinois’ Biometric Information Privacy Act (BIPA), which regulates the possession, collection and disclosure of biometric information.
Since Rosenbach, myriad cases alleging violations of BIPA have been filed in Illinois — and indeed around the country. And with its statutory penalties of $1,000 to $5,000 per violation, the potential exposure for defendants in these cases can be enormous.
For a statute that has received so much attention, there is a significant amount of uncertainty surrounding some of its most basic provisions.
This perhaps should not come as a surprise considering the brevity of the statute (only a few pages) and the limited number of cases that have reached a substantive decision on the merits.
Nonetheless, this uncertainty presents significant litigation risk to businesses that collect or otherwise possess biometric data of Illinois residents.
This article explores some of the more significant examples of ambiguity present in the statute and flags key issues of which all BIPA litigants — and indeed any company considering the implementation of biometric technology — should be aware.
The article concludes by providing concrete steps a company can take to reduce its potential liability under BIPA, which may in turn further mitigate liability on a larger scale given the increasing scrutiny of biometric privacy well beyond Illinois.