As technology progresses, biometric data—such as your face, fingerprints, and voice—is becoming increasingly useful outside law enforcement. But your privacy matters too, and the state of Illinois put some teeth behind that belief in 2008. The state's Biometric Information Privacy Act requires companies to get consent before collecting any biometric information from their employees and customers. Importantly, it is one of the few laws that permits ordinary people to enforce their rights through a biometric privacy lawsuit.
If a company has violated your privacy by collecting and sharing your biometric data without permission, the Illinois Biometric privacy violation attorneys at Rosenfeld Injury Lawyers can help. To speak with an experienced attorney, contact us online or call toll-free at 1-888-424-5757.
Illinois Biometric Privacy Violation Lawsuit FAQ's
What is Biometric Data?
Biometric data is any data created by a computer when measuring a person's biology. Fingerprints are one of the most widely recognized biometric measures because they have been used for years by law enforcement, and more recently, to unlock more recent models of iPhone. Like fingerprints, biometric data can be useful as identification when it's unique to each person, permanent and does not require invasive measures to collect.
Modern technology has gone well beyond fingerprints, however. Voice recognition software is capable of responding to anyone, or it can operate only when it recognizes the specific voice it is "trained" for. That technology is now widespread. So is facial recognition technology, which may be able to identify someone in a crowd without that person's active participation, if their face is already in the right database.
How is Biometric Information Used by Companies?
The fact that biometric measures are unique to each person and difficult to falsify makes them extremely useful—and not just to law enforcement. Biometric information is already being used for computer security at the consumer level, as a way for owners of smartphones and laptops to log in to their devices.
In addition, biometric data also has many applications in the workplace, starting with the same kind of computer security. For workplaces that require building security, biometric data like facial recognition or fingerprints can also be used to control access to sensitive areas. Employers can use biometric data to keep close track of employees' work time and breaks, as is legally required for some employees. And employers that offer health and wellness plans may request biometric data to measure the results of health changes and reward them as necessary.
What's the Problem With Biometric Privacy?
Biometric data is extremely personal because it comes from a person's own body. Not every American is comfortable sharing information about their weight, age, or other biological data that isn't relevant to the work or transaction they originally intended to do. Indeed, that kind of information can be the basis of prejudice that leads to unlawful workplace harassment or other negative consequences.
Even those who are comfortable sharing their biometric data in a limited way—say, for access to a special secure area at work—may not be comfortable with leaving it vulnerable to a wider audience, such as their workplace's human relations department. And storing this kind of information invites a risk of hacking, especially because biometric identification is considered so secure that it may not be backed up with any other passwords or security measures.
That leads to another potential problem with biometric privacy: You can't change your fingerprints or your voice or your retinas. That's great for security purposes, but if that data is compromised, you won't be able to change it, and you won't be able to control what "you" do with the information. Since biometric data is considered trustworthy, you could have difficulty convincing authorities that you were hacked.
Finally, biometric data includes information about you that is visible even to a casual observer, such as your face and hands. Already, law enforcement and artificial intelligence researchers can identify faces in a crowd if they have the right information. As technology advances, it may become even easier to collect biometric data without the subject's consent, merely from cameras placed in public places. If you do not entirely trust the government—or the private companies that have an interest in this technology—that is bad news.
What Does the Illinois Biometric Privacy Act Require?
Fortunately, the privacy rights of Illinois residents are protected by the Illinois Biometric Privacy Act, which provides a strong remedy for violations. Passed in 2008, it requires companies to get consumers' permission before collecting their information and allows ordinary people to sue companies that fail to get that permission.
The Act defines a "biometric identifier" as:
- A retina or iris scan
- Scan of hand geometry
- Scan of face geometry
Biometric information is any information based on those identifiers and used to identify an individual, regardless of how it's collected. Private businesses may not obtain biometric information or identifiers unless they:
- Inform the subject (or a representative like a parent) in writing that they're doing it
- Explain the purpose and length of time they will retain it
- Receive a written release of the biometric information from the subject or representative
- Create a written publicly available policy on retaining and destroying the information
They may not sell or otherwise profit from the information, and they may not release it without the subject's written consent unless the disclosure is authorized by law. Businesses are required to protect the biometric information from disclosure, in a way that is at least as strict as the business's protection of other confidential and sensitive information.
Perhaps most importantly, the Illinois Biometric Privacy Act has real teeth, in the form of a right to sue any company that violates the Act. Under an Illinois Supreme Court ruling, Illinois residents do not have to show they were harmed by violations of the Act; merely violating it is an adequate basis for a lawsuit.
What can I Recover in an Illinois Biometric Privacy Lawsuit?
If you sue a company for mishandling your private biometric information under the Illinois Biometric Privacy Act, you could stand to recover substantial money. That's because the Act allows you to claim either payment for the actual injuries caused to you or a specified amount of money. That specified amount depends on the company's behavior:
- For a private entity that violates the law through carelessness, $1,000 per violation or actual damages, whichever is greater
- For a private entity that intentionally violates the law, $5,000 per violation or actual damages, whichever is greater
Since these amounts are per violation, they may add up. For example, if a company sells both your fingerprints and your facial recognition data, it has intentionally violated the law two times and could have to pay $10,000 if you prove it in court.
In either case, you can also claim reasonable court costs and attorneys' fees. That means if you win the case, the other side pays for your lawyer. It's an important provision because it puts a lawsuit within financial reach for everyone, even people who didn't start with a lot of money. In that way, it levels the playing field between ordinary people and large companies.
Finally, the law permits you to sue for non-monetary relief, such as a court order forbidding the company from violating your biometric privacy again.
Recent Biometric Privacy Lawsuits and Settlements in Chicago and Illinois
As the use of biometric information has increased, so has the number of violations of the Illinois Biometric Privacy Act. Cases that have been brought, settled or tried to a verdict in recent years include:
- Facebook: In January of 2020, Facebook settled a class-action facial recognition lawsuit for $550 million. The lawsuit, whose plaintiffs were all Illinois residents, argued that Facebook broke Illinois law with its Tag Suggestions feature. The feature used millions of users' pictures to guess at the identity of people in photographs; Facebook then asked the user for confirmation. A biometric privacy attorney for the plaintiffs told the New York Times that users should be able to have anonymous discussions of controversial social issues if they choose.
- WeWork: A class-action lawsuit complaint filed in November of 2019 alleges that shared office space company WeWork collects facial scans in violation of the Illinois law.
- Google: In late September of 2019, a group of Illinois residents filed a proposed class-action lawsuit in Chicago, arguing that Google Photos violated the Illinois Biometric Privacy Act by "actively collecting, storing, and using" facial information without the required disclosures or consent.
- Vimeo: Also in late September of 2019, video sharing company Vimeo was sued for collecting and storing facial recognition data through its Magisto service. Users upload videos and photos to Magisto, which the proposed class action argues extracts facial recognition information without consent or disclosure.
- Thyssenkrup: A former employee at a Danville, Illinois factory sued the employer, Thyssenkrup Crankshaft, in September of 2019 for failing to get her consent to use her fingerprints as a substitute for a time card in a fingerprint scanning timeclock system. Brenda Wickens also alleges that the company failed to inform her about the purpose for the storage of her fingerprints. According to both the attorney for Wickens and Bloomberg Law, this is a common type of lawsuit under the Illinois Biometric Privacy Act.
Contact an Illinois Biometric Privacy Violation Attorney Today
If you believe a company has been collecting your personal biometric information without your consent, contact Rosenfeld Injury Lawyers LLC today to discuss your rights and your legal options. You can call us at 1-888-424-5757 or contact us online. We are committed to holding companies fully accountable when they violate your legal right to privacy.