Despite the push for a federal privacy law, no such law is yet in place. Consequently, states are left to decide whether, and if so, to what extent, they should enact laws to protect the personal information of their constituents. One benefit to this piecemeal approach is that states can learn from other state statutes when proposing and enacting their own statutes. This is true for California and Massachusetts, which no doubt looked at Illinois when crafting their latest privacy statutes.
In 2008, Illinois passed the Biometric Information Privacy Act (“BIPA”). It is a statute directed specifically to biometric information. Biometrics refers to body measurements and calculations. Biometric identifiers are the distinctive, measurable characteristics used to label and describe individuals, such as fingerprints. BIPA defines biometric information as “...any information...based on an individual’s biometric identifier used to identify an individual.” [740 ILCS 14/10]. BIPA further defines “biometric identifier” to mean “...a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” [740 ILCS 14/10].
An Influx of Class Actions under BIPA
To protect the biometric information of its citizens, BIPA requires that before a private entity collects, stores, or uses an individual’s biometric information, that private entity must first provide notice to and obtain consent from that individual. [740 ILCS 14/15]. BIPA allows an individual to bring a private right of action if a private entity fails to comply with this notice and consent requirement. [740 ILCS 14/20]. In theory, this allows an individual to enforce his or her biometric privacy rights.
In practice, however, the broad private right of action under BIPA has led to an influx of BIPA-related class actions, the majority of which seek damages against a private entity for that entity’s alleged failure to provide notice and/or obtain consent before collecting an individual’s biometric information. Such suits have targeted large social media companies over their use of photo-tagging technology, and employers over their use of employees’ fingerprint scans for timekeeping.
Limiting the Private Right of Action
When California and Massachusetts drafted their privacy statutes, they sought to limit the influx of class actions. To do so, they limited the private right of action.
Under the CCPA, a California resident cannot assert a private right of action if, for example, a company collected that consumer’s biometric information without providing the requisite notice. [Cal. Civ. Code §1798.150]. In Massachusetts, the proposed statute does not apply to a business collecting or disclosing personal information of the business’s employees so long as the business is collecting or disclosing such information within the scope of its role as an employer. [Bill S.D. 341 §8]. This way, Massachusetts can avoid a similar onslaught of class actions against employers as under BIPA.
Until a federal privacy statute is in place, states will decide for themselves how best to balance the protection of the privacy rights of their constituents with the business interests of companies. States attempt to achieve that balance differently.