About face: court finds biometric information creates unique privacy rights

by Eversheds Sutherland (US) LLP


Just two months after an Illinois appellate court dismissed a similar complaint alleging a violation of the Illinois Biometric Information Privacy Act (BIPA), a California federal court found that a claim asserted under BIPA for an alleged violation of a right to privacy—even without any independent injury or concrete harm—was sufficient to confer Article III standing. BIPA has already given rise to dozens of class action lawsuits against companies that collect, store, or use the biometric information of their customers, employees, or even unwitting individuals. The California decision in In re: Facebook Biometric Info. Priv. Litig. increases the risks to companies that use biometric information, particularly in that district, and reinforces the need to strictly comply with the requirements of BIPA and other biometric protection statutes.

Biometric data is information used to identify an individual using that person’s unique biological characteristics. The data is collected using technology such as fingerprint or retina scans or facial recognition software. Government agencies and private companies have collected and used biometric data for a number of purposes, like enhancing security, tracking employees, serving as a substitute for paper or electronic tickets, or even creating “virtual” characters on a video game using the physical characteristics of a human player. Only the risks attendant with its collection and storage outnumber the uses for biometric data: unlike a credit card number, if a thief steals a person’s fingerprint, the owner of the print cannot simply alter it to avoid future identity theft. The tail on the risk may be as long as that person’s life (and even beyond).

BIPA was explicitly enacted to protect the biometric information of Illinois residents by regulating the collection, use, storage, and distribution of such data. Companies must obtain consent from individuals before they obtain biometric information or use it for any purpose. 

Enacted in 2008, BIPA is the oldest and most punitive of the biometric protection statutes in the United States. It remains the only biometrics law on the books (for now) that provides for a private right of action, statutory damages, and attorneys’ fees. It is therefore no surprise that over the last year, plaintiffs’ lawyers have filed dozens of putative class actions alleging violations of BIPA, against companies of all sizes, including corporate behemoths like Facebook. More and more states are expected to enact similar biometric protection laws. In the meantime, the recent decision in In re: Facebook will provide plenty of headaches for companies that use Illinois residents’ biometric data.

In re: Facebook is an amalgam of three separate putative class actions filed against Facebook in Illinois state and federal courts arising from alleged violations of BIPA. The cases were transferred to the Northern District of California and consolidated at the request of the parties. The plaintiffs allege that Facebook did not provide them notice or obtain their consent before collecting their biometric data in the form of their likenesses, in connection with Facebook’s “tagging” feature on photographs. 

Most significantly, the plaintiffs did not allege that they suffered any independent injury or concrete harm as a result of the BIPA violations, but the court nevertheless afforded them Article III standing since it held that the Illinois legislature had “codified a right of privacy in personal biometric information.” The court pointed to the language of BIPA, which focused on protecting the right of individuals to protect their unique—and inherent—personally identifiable information and concluded that violation of that right “is quintessentially an intangible harm that constitutes a concrete injury in fact.”

In re: Facebook is significant for two other reasons. First, the court noted that “BIPA expressly recognizes that social security numbers do not implicate the kinds of privacy concerns that biometric identifiers do.” In so holding, the court distinguished biometric suits from the hundreds of data breach class actions filed every year that allege impending threat of future harm based on exposed social security numbers. Second, the court distinguished the allegations in this case from some other notable BIPA decisions because in this case the plaintiffs did not know their data was being collected, and therefore did not implicitly consent to its collection by virtue of their use of Facebook’s services. 

This decision stands in contrast with the Illinois appellate court’s dismissal in Rosenbach v. Six Flags, where the court found that the plaintiff was not “aggrieved” under BIPA because he had suffered no injury other than the alleged procedural violation. The Northern District of California has thus provided plaintiffs’ attorneys with a roadmap—at least in cases in that district—to withstand a standing challenge. 

While companies that collect, store, and use biometric data should be concerned by the In re: Facebook decision, there are ways to mitigate, or even avoid, liability. A strong compliance program surrounding biometrics, with a focus on obtaining customer or employee consent, is essential. This is true even for companies that do not conduct business or have contacts with Illinois. Although these suits are overwhelmingly filed in Illinois, they are certainly not limited to Illinois defendants, or even plaintiffs. It is also true that while BIPA is the first law of its kind, it is not the only one, and certainly will not be the last, as the use of biometric data becomes more prevalent.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Eversheds Sutherland (US) LLP | Attorney Advertising
