Using biometric identifiers and information continues to be a “go-to” method for authentication. Likewise, the Illinois Biometric Information Privacy Act (BIPA) continues to garner attention throughout Illinois and nationally as other states adopt differing biometric privacy laws. In response to growing public concern about the increased commercial use of biometric data, the Illinois General Assembly enacted BIPA in 2008. BIPA regulates collecting, using, and storing biometric information, such as fingerprints, retina scans, and facial recognition data. The goal of BIPA is to prevent the misuse of biometric identifiers. BIPA provides a private right of action and remedies for violations. It requires organizations to obtain informed consent before collecting biometric data and imposes specific obligations on handling such information. BIPA class actions have steadily gained traction and headlines since around 2019 when the Illinois Supreme Court (Rosenbach v. Six Flags, 2019 IL 123186) held no actual injury was required to state a claim.

In the past year and a half, the landscape of BIPA litigation experienced significant milestones. Notably, the first-ever BIPA trial resulted in a staggering $228 million judgment for 45,600 violations (one per class member). In 2023, the jury award in this case was set aside and a new trial was scheduled on the issue of damages due to an Illinois Supreme Court decision finding damages to be discretionary. Over the last several months, that new trial was vacated, and the parties reached a $75 million class action settlement, subject to the court’s approval. See Rogers v. BNSF Railway Co., No. 19-cv-03083 (N.D. Ill. Feb. 26, 2024). Despite this landmark verdict and subsequent settlement, not all decisions have been unfavorable for BIPA defendants. One crucial decision was the recognition that virtual try-on tools, like those used for trying on glasses and makeup, may be exempt from BIPA under the “health care exemption” (Svoboda v. Frames for America, Inc., 21-C-5509, 2022 WL 4109719 (N.D. Ill. Sept. 8, 2022)). Another noteworthy decision held that universities, such as DePaul University, could be exempt from BIPA under the “financial institution exemption” (Powell v. DuPaul Univ., No. 21-cv-3001, 2022 WL 16715887 (N.D. Ill. Dec. 6, 2022)). Additionally, a court ruled that a business might not be liable under BIPA if there is no acquisition of biometric data within Illinois (Vance v. Microsoft Corp., 20-1082, 2022 WL 9983879 (W.D. Wash. Oct. 17, 2022)).

In 2023, the Illinois Supreme Court, issued several landmark decisions shaping BIPA’s future. In a highly anticipated decision, the Illinois Supreme Court in Tims v. Blackhorse Carriers, Inc., 2023 IL 127801 (Feb. 2, 2023), resolved longstanding uncertainty about the statute of limitations under BIPA in finding it to be a 5-year limitation period.  In perhaps the most critical BIPA opinion of 2023, in Cothron v. White Castle System, Inc., 2023 IL 128004 (Feb. 17, 2023), the court held that a claim under BIPA accrues every time a person’s biometric data is scanned or transmitted without prior consent. Cothron drastically changed the breadth of statutory damages sought by plaintiffs, some of which seek millions of dollars for a single plaintiff who used a fingerprint scanning device. In Mosby v. Ingalls Memorial Hospital (Nov. 30, 2023), the Illinois Supreme Court overturned a lower state appeals court. It ruled that an exclusion in the state’s biometric law applies to health care workers using a medication dispensing device. Another emerging issue in BIPA litigation has become the scope of insurance coverage available to cover violations of BIPA, which is unclear because of the December 2023 decision in Nat’l Fire Ins. Co. of Hartford v. Visual Pak Co., 2023 IL App (1st) 221160, which found the insurer had no duty to defend its insured. The Visual Pak ruling by the Illinois appellate court held opposite to that of the federal court of appeals, which interpreted a similar insurance policy exclusion in Citizens Ins. Co. of Am. v. Wynndalco Enters., LLC, 70 F.4th 987 (7th Cir. 2023). Notably, the insured in Visual Pak filed a petition for leave to appeal in the Illinois Supreme Court earlier this month. Meanwhile, one federal district court has already followed the Visual Pak ruling because it was issued by an Illinois appellate court which is considered to be the best indicia of state law in the absence of a state supreme court decision, and the district court found Wynndalco distinguishable. See Citizens Ins. Co. of Am. v. Mullins Food Products, Inc., No. 22-cv-1334 (N.D. Ill. Feb. 27. 2024). These decisions create tension between the federal and state court’s interpretation of the scope of insurance. They will likely result in further clarification from either or both the Illinois Supreme Court and Seventh Circuit Court of Appeals.

These decisions will collectively shape the landscape for defending and prosecuting BIPA actions in the coming years. In 2024, the landscape of BIPA is expected to continue evolving, influenced by recent key decisions and regulatory developments. Expectations for future BIPA litigation involve an increase in cases as plaintiffs’ attorneys explore the boundaries of the law, its exemptions, and the scope of available damages. Voice recognition cases, like Wilcosky v. Amazon.com Inc., No. 19-CV-5061 (N.D. Ill. Nov. 1, 2023), and other similar cases, are likely to clarify further what is really necessary to identify a person to establish a BIPA violation. Notably, late last year, the court in Wilcosky denied Amazon’s motion to dismiss, focused primarily on Amazon’s arguments relating to the plaintiffs’ Section 15(b) claim challenging the sufficiency of the disclosures provided in the notice to plaintiffs before the collection of their purported voiceprints.

Beyond BIPA, businesses should remain vigilant about federal regulations, especially after the Federal Trade Commission (FTC) released a policy statement in mid-2023. The FTC’s clarification of what constitutes biometric information and the expectations for businesses collecting and using such data aims to prevent “unfair” or “deceptive” practices. The policy statement provides examples of how businesses should analyze practices, including discussions on potential harms and ongoing due diligence for biometric information service providers. As businesses navigate this evolving landscape of biometric data regulations at the state and federal levels, clear and accurate public-facing notices regarding biometric information practices will be crucial for compliance and transparency, whether directed to employees or consumers impacted by the technologies in use.