Posted on 5/18/2020 3:27:54 PM By Francyn Brown

While the Illinois Biometric Information Privacy Act (“BIPA”)[i] has been effective since October 3, 2008, courts have seen a surge of litigation arising under BIPA since the beginning of 2019.  This uptick can be attributed to a January 2019 Illinois Supreme Court decision which held that an individual alleging a private cause of action under BIPA does not have to allege an actual injury or adverse effect;[ii]  rather, all that is required is a violation of his or her rights under BIPA.[iii]  This holding substantially lowered the threshold for a party bringing suit under BIPA thus creating an increasing number of cases that puts small businesses and giant tech companies alike on high alert.  And even more recently, the Seventh Circuit Court of Appeals reached the same conclusion and held that a claim made under Section 15(b) of BIPA may proceed in federal court, and thus, Article III standing is established, where a party fails to make certain disclosures and receive informed consent from consumers before obtaining biometric information.[iv] 
The Biometric Information Privacy Act imposes numerous restrictions on how private entities collect, retain, disclose and destroy biometric identifiers, including retina or iris scans, fingerprints, voiceprints, scans of hand or face geometry, or other biometric information.[v] Under the Act, any person "aggrieved" by a violation of its provisions "shall have a right of action *** against an offending party" and "may recover for each violation" the greater of liquidated damages of $1000 or actual damages[vi], reasonable attorney fees and costs, and any other relief, including an injunction, that the court deems appropriate.[vii] 
There have been several cases instituted[viii] since the decision came down from the Illinois Supreme Court in Rosenbach v. Six Flags Entm't Corp., including several cases where the key players are publicly recognizable companies: Facebook[ix], Google[x], OKCupid[xi], and Shutterfly[xii]. Facebook found itself the target in a class action lawsuit alleging that Facebook collected facial recognition data on images of users in Illinois without disclosure. Facebook agreed to pay over half a billion dollars to settle without admitting any fault.[xiii] The $550 million settlement amount is a small fraction of the $35 billion maximum the company could have faced.[xiv]  Even still, an attorney representing the plaintiffs in the lawsuit claimed that the $550 million is “the largest all-cash privacy class action settlement to date.”[xv]  Facebook’s best interest was to settle the case after it was taken to the Ninth Circuit Court of Appeals where the court concluded that “the development of face template using facial-recognition technology without consent (as alleged here) invades an individual’s private affairs and concrete interests. Similar conduct is actionable at common law.”[xvi]  As a result of the settlement, Facebook is required to obtain consent in the future from Illinois users for face analysis.[xvii]
On the heels of Facebook’s massive settlement, a class action lawsuit was filed on February 6, 2020 in the Northern District of California against Google, claiming that Google “failed to obtain consent from anyone” when it introduced facial recognition to its cloud service for storing and sharing photos.[xviii]  “Specifically,” the suit alleges, “Google created, collected, and stored, in conjunction with its cloud-based ‘Google Photos’ service, millions of ‘face templates’ (or ‘face prints’) – highly detailed geometric maps of the face – from millions of Google Photos users.[xix]  According to the suit, “There are more than 100 putative class members … of different states” seeking damages exceeding $5 million (exclusive of interest and costs).[xx]  The result of this recently-filed lawsuit is yet to be determined.
Facebook and Google are just two tech giants faced with a massive lawsuit alleging violations of Illinois’ BIPA law, but one thing remains clear: they won’t be the last in this string of litigations. 
Partridge Partners provides data protection and privacy services to clients nationwide.  If you have any questions regarding BIPA or how it may effect your company, please contact us.
[i] 740 ILCS 14/1 et seq.
[ii] Rosenbach v. Six Flags Entm't Corp., 129 N.E.3d 1197, 1207 (Ill. 2019).
[iii] Id.
[iv] Bryant v. Compass Group USA, Inc., No. 20-1443 at *17 (7th Cir. 2020).
[v] 740 ILCS 14/15.
[vi] Actual damages are only available to an aggrieved party where an actual injury is alleged, and not just a violation of plaintiff’s rights under BIPA.
[vii] 740 ILCS 14/20.
[viii] See e.g, W. Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 2020 IL App (1st) 191834, ¶ 11; Roberson v. Symphony Post Acute Care Network, 2019 IL App (5th) 190144-U, ¶ 4; Liu v. Four Seasons Hotel, Ltd., 2019 IL App (1st) 182645, ¶ 11; Rottner v. Palm Beach Tan, Inc., 2019 IL App (1st) 180691-U, ¶ 11; Figueroa v. Kronos Inc., No. 19 C 1306, 2020 U.S. Dist. LEXIS 64131, at *5 (N.D. Ill. Apr. 13, 2020); Mintun v. Kenco Logistics Servs., LLC, No. 19-2348, 2020 U.S. Dist. LEXIS 61146, at *2 (C.D. Ill. Apr. 7, 2020); Bray v. Lathem Time Co., No. 19-3157, 2020 U.S. Dist. LEXIS 53419, at *2 (C.D. Ill. Mar. 26, 2020); Vo v. VSP Retail Dev. Holding, Inc., No. 19 C 7187, 2020 U.S. Dist. LEXIS 53916, at *3 (N.D. Ill. Mar. 25, 2020); Peatry v. Bimbo Bakeries USA, Inc., No. 19 C 2942, 2020 U.S. Dist. LEXIS 32577, at *1 (N.D. Ill. Feb. 26, 2020); Heard v. Becton, Dickinson & Co., No. 19 C 4158, 2020 U.S. Dist. LEXIS 31249, at *9 (N.D. Ill. Feb. 24, 2020); Bryant v. Compass Grp. USA, Inc., No. 19 C 6622, 2020 U.S. Dist. LEXIS 13657, at *1 (N.D. Ill. Jan. 28, 2020); Durbin v. Carrols Corp., No. 3:19-CV-1212-NJR, 2020 U.S. Dist. LEXIS 5033, at *2 (S.D. Ill. Jan. 13, 2020); McGinnis v. United States Cold Storage, Inc., No. 19 C 00845, 2019 U.S. Dist. LEXIS 219748, at *6 (N.D. Ill. Dec. 23, 2019); Neals v. Par Tech. Corp., 419 F. Supp. 3d 1088, 1090 (N.D. Ill. 2019); Treadwell v. Power Sols. Int'l, Inc., No. 18 C 8212, 2019 U.S. Dist. LEXIS 215467, at *2 (N.D. Ill. Dec. 16, 2019); Namuwonge v. Kronos, Inc., 418 F. Supp. 3d 279, 282 (N.D. Ill. 2019); Rogers v. BNSF Ry. Co., No. 19 C 3083, 2019 U.S. Dist. LEXIS 188961, at *2 (N.D. Ill. Oct. 31, 2019); Colon v. Dynacast, LLC, No. 19-cv-4561, 2019 U.S. Dist. LEXIS 183527, at *7 (N.D. Ill. Oct. 17, 2019); Rogers v. CSX Intermodal Terminals, Inc., 409 F. Supp. 3d 612, 615 (N.D. Ill. 2019); Peatry v. Bimbo Bakeries United States, 393 F. Supp. 3d 766, 767 (N.D. Ill. 2019); Gray v. Univ. of Chi. Med. Ctr., Inc., No. 19-cv-04229, 2019 U.S. Dist. LEXIS 229536, at *4 (N.D. Ill. Mar. 26, 2019).
[ix] Facebook Will Pay $550 Million to Settle Class Action Lawsuit over Privacy Violations, available at (Jan. 29, 2020).
[x] Molander v. Google, LLC, Case No. 5:20-cv-00918 (filed Feb. 6, 2020); see also Google Hit with New Biometric Data Privacy Class Action under BIPA, available at (Feb. 10, 2020).
[xi] Class Action Claims Clarifai ‘Harvested,’ Built Database of OKCupid Users’ Profile Pictures for Facial Recognition Tech, available at (Feb. 21, 2020)
[xii] Shutterfly Violated Illinois Biometric Law by Collecting, Storing Face Scans from Uploaded Photos, Class Action Says, available at (June 14, 2019).
[xiii] Facebook Will Pay $550 Million to Settle Class Action Lawsuit over Privacy Violations, available at (Jan. 29, 2020).
[xiv] Id.; 740 ILCS 14/15.
[xv] Id.
[xvi] Patel v. Facebook, Inc., 932 F.3d 1264, 1273 (9th Cir. 2019).
[xvii] Facebook Will Pay $550 Million to Settle Class Action Lawsuit over Privacy Violations, available at (Jan. 29, 2020).
[xviii] Google Hit with New Biometric Data Privacy Class Action under BIPA, available at  (Feb. 10, 2020).
[xix] Molander v. Google, LLC, Case No. 5:20-cv-00918, Dkt. No. 1 at ¶5 (filed Feb. 6, 2020).
[xx] Id. at ¶9.
"Data Privacy", Internet