Burdened by BIPA

Balancing Consumer Protection and the Economic Concerns of Businesses

In the last decade or so, several states have enacted legislation to protect biometric information in the wake of the rise in its usage. In 2008, in response to the growing use of this technology and the bankruptcy of a leading fingerprint scan company, Illinois passed the Biometric Information Privacy Act (“BIPA”). BIPA is the leading example of state biometric privacy legislation and the most robust. The law imposes requirements and restrictions—such as obtaining written informed consent before the collection of biometric data—on entities that collect biometric identifiers. BIPA is unique and has gained notoriety for its private right of action, which allows Illinois citizens to sue for violations of the statute as opposed to a state governmental entity like the Attorney General.

BIPA litigation remained dormant for several years following the statute’s enactment. In 2015, the first BIPA class actions were filed in Illinois. Since then, BIPA lawsuits have exploded and left a myriad of unanswered legal questions in its path. In 2019, the Illinois Supreme Court held that a party alleging a technical violation of BIPA qualifies as “aggrieved” and could bring suit under the statute. This decision set off a wave of new BIPA class actions, which only grow in number each year.

While BIPA contains important protections for individuals’ biometric privacy, these protections have come at a cost for companies and employers. Organizations large and small have been inundated with expensive class action lawsuits. Companies and employers are subject to millions of dollars in liability for BIPA violations that occurred in the previous five years, and face rapidly compounding damages for multiple violations of the statute per plaintiff.

The Illinois Legislature should amend BIPA, incorporating changes that balance the need for biometric privacy protection with business interests. Until the statute is amended, this Note argues that courts will continue to interpret the statute broadly. The Illinois Legislature, however, should amend the Act to limit damages by restricting the private right of action to violations of the disclosure section of BIPA. All other violations should be enforceable by the Illinois Attorney General. Additionally, the legislature should amend the Act to incorporate a three-year statute of limitations. Implementing these changes would clarify ambiguities in the Act and limit liability for businesses and employers while still protecting an individual’s right to biometric privacy.

a. J.D. Candidate 2022, University of Illinois College of Law; B.A. 2015, University of Iowa. Special thanks to the editors, members, and staff of the University of Illinois Law Review for their careful editing and hard work, and my parents, family, friends, and cat, Ted, for their unwavering love and support. This Note is dedicated to my grandmother, Margo, who was my biggest cheerleader.

The full text of this Note is available to download as a PDF.