Did You Receive a Settlement Check in the Mail Too? – A Look at Illinois’ Biometric Info Privacy Act

Perhaps think twice before applying a filter to your photo on social media. What if the filter feature uses technology to produce a facial scan to store your biometric information?[1] This is one of many situations that the Biometric Information Privacy Act (“BIPA”)^[2] seeks to prevent or remedy. This law imposes restrictions on how private entities collect, retain, use, disclose, and destroy an individual’s biometric identifiers and biometric information.^[3] Recently, millions of settlement checks have been disbursed to Illinois residents, a result of biometric privacy class action lawsuits. Large social media and tech companies like Facebook, Google, Snapchat, and TikTok, have all faced BIPA class action lawsuits. These companies were found in violation of Illinois residents’ biometric information in some capacity.^[4] Due to BIPA violations, these companies are now obligated to pay millions to settle. Some of these violations included creating face templates without consumer consent and disclosing biometric identifiers to third parties.

What are Biometrics? What is Biometric Data?

Biometrics are “unique physical characteristics, such as fingerprints, that can be used for automated recognition.”^[5] Biometrics can also include “facial, retinal or iris measurements.”^[6] Therefore, an individual’s biometric data is the individual’s specific and unique physical characteristics, like their fingerprints, retinal measurements, or even voice patterns. Illinois, unlike other state biometric laws,^[7] defines “biometric information” as “any information, regardless of how it is captured, converted, stored, or shared, based on an individual's biometric identifier used to identify an individual.”^[8] Biometric data is highly sensitive information and must be handled properly and accurately to protect the safety and livelihood of individuals.

What Exactly is BIPA?

In 2008, Illinois was the first state to enact a biometric data privacy law.^[9] BIPA regulates “the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.”^[10] Private entities must, among other things, obtain the informed, written consent of an individual prior to obtaining and utilizing the individual’s biometric information or identifiers.^[11] BIPA, unlike other privacy laws, “provides individuals with a private right of action.”^[12] To be eligible for a monetary payout from any settlement agreement, an affected individual must qualify and submit a claim.

Additionally, private entities are subject to statutory penalties up to $5,000, in addition to attorneys’ fees.^[13] Private entities are also required to develop written policies and create detailed data retention and destruction schedules.^[14] These entities are prohibited from selling biometric identifiers they have collected.^[15]

Does BIPA Apply to Me?

BIPA protects Illinois residents from any private entity operating in Illinois.^[16] Some other states have adopted legislation modeled after BIPA.^[17]If you are an Illinois resident or your state has similar legislation, there may be a recourse for illegal use of biometric data.

Recent BIPA Class-Action Settlements

Facebook

$650 million. That is how much the United States District Court of the Northern District for California approved in Facebook’s class action settlement after it was alleged the tech giant failed to obtain consent prior to using its facial-recognition technology on users.^[18] Affected Illinois residents claimed that Facebook’s “Tag Suggestions” feature, among others, violated BIPA by creating face templates (to identify users).^[19] For Illinois Facebook users to have received money under the settlement, there were two requirements:  (1) that they lived in Illinois “for a period of at least 183 days…after June 7, 2011,” and (2) that Facebook created and stored a face template of the user(s).^[20] Consequently, settlement check payments to individuals were approximately $200 – $400 per person. As is the case in most BIPA settlement payments, individuals were required to submit a claim form to receive payment.^[21] Generally, these claim forms ask individuals to confirm their address, bank account information (for direct payment), and other identifying information to confirm they are eligible for payment.

Google

Eligible Illinois residents who filed valid claims were entitled to “receive a pro rata portion” of Google’s $100 million settlement.^[22] This is the second largest BIPA settlement case.^[23] Illinois residents claimed Google collected, used, and stored their facial data without consent and created face templates via its Google Photos service in violation of BIPA.^[24] Affected individuals are expected to receive settlement checks approximately between $200 – $400.^[25]

TikTok

$92 million was approved in TikTok’s class action lawsuit.^[26]  Members of the class claimed TikTok violated BIPA by collecting and disclosing biometric data to third-parties, like Google and Facebook, without prior consent.^[27] To have been eligible for a settlement payout, affected individuals must have created TikTok videos prior to September 30, 2021.^[28]

What Does This All Mean?

A person’s biometric data is unique – it is their own physical characteristics. Use of biometric information is on the rise, given technological advances. For instance, Apple’s facial recognition system, Face ID, allows biometric authentication for unlocking an individual’s personal device.[29] In the event of a security or data breach, an individual’s biometric information could be leaked and used to commit identity fraud and be misappropriated by hackers. The stakes are high! Therefore, private entities must be wary of how they interact and safeguard individuals’ biometric data. Laws like BIPA seek to safeguard individuals from unauthorized use and the harmful effects of biometric data use. Consequently, companies should regularly review and update their BIPA compliance practices. If they do not, they could face class action lawsuits and be ordered to pay out large sums of money in the form of settlement checks to affected Illinois residents. Although affected individuals are provided monetary relief, no amount of money can replace a person’s fingerprint or facial features, in the event this biometric information is intercepted and placed in the wrong hands.

[1] Snapchat Broke Illinois Law by Violating Biometric Privacy of Users, Suit Alleges, NBC 5 Chicago (May 23, 2022), www.nbcchicago.com/news/local/snapchat-broke-illinois-law-by-violating-biometric-privacy-of-users-suit-alleges/2840246/ (explaining the class action lawsuit filed against Snapchat, alleging Snapchat’s Lenses features contains technology used to “create a face scan and creating, obtaining, and storing a user’s unique biometric identifiers); see also Aisha Mailk, Snap agrees to $35 million settlement in Illinois privacy lawsuit, TechCrunch (Aug. 24, 2022), www.techcrunch.com/2022/08/24/snap-35-million-settlement-in-illinois-bipa/ (stating Illinois residents that were affected by Snapchat’s BIPA violation(s) may submit a claim online).

[2] 740 Ill. Comp. Stat. Ann. 14/1 (West 2008).

[3] See McDonald v. Symphony Bronzeville Park, LLC, 2022 IL 126511, ¶ 21 (explaining how BIPA, among other things, imposes certain restrictions on private entities and how they interact with an individual’s biometric information).

[4] See Here’s a Look at Settlements Stemming From Illinois’ Biometric Privacy Act, NBC 5 Chicago (Aug. 24, 2022), www.nbcchicago.com/news/local/heres-a-look-at-all-the-settlements-stemming-from-illinois-biometric-privacy-act/2922736 (noting the various BIPA settlements faced by some of the world’s largest companies).

[5] Biometrics, Homeland Sec., www.dhs.gov/biometrics (last visited Oct. 8, 2022); see also The Evolution of Biometric Data Privacy Laws, Bloomberg Law (Nov. 4, 2021), pro.bloomberglaw.com/brief/biometric-data-privacy-laws-and-lawsuits/ (explaining biometric data, BIPA’s enactment, prominent BIPA lawsuits, and other states’ enacted or proposed biometric laws).

[6] Id.

[7] See Cal. Civ. Code § 1798.140 (defining “biometric information” in a broad way by mentioning “imagery” of one’s iris, fingerprint, etc.).

[8] 740 Ill. Comp. Stat. Ann. 14/10 (West 2008).

[9] 740 Ill. Comp. Stat. Ann. 14/1 (West 2008).

[10] 740 Ill. Comp. Stat. Ann. 14/5 (West 2008).

[11] See 740 Ill. Comp. Stat. Ann. 14/5, Sec. 15 (West 2008) (providing information about BIPA’s requirements on the retention, collection, disclosure, and destruction of an individual’s biometric information/identifiers); see also See Here’s a Look at Settlements Stemming From Illinois’ Biometric Privacy Act, NBC 5 Chicago (Aug. 24, 2022), www.nbcchicago.com/news/local/heres-a-look-at-all-the-settlements-stemming-from-illinois-biometric-privacy-act/2922736 (explaining how affected individuals must submit claims on the violating business’ dedicated settlement form site(s)).

[12] See Molly S. DiRago, et al., A Fresh “Face” of Privacy: 2022 Biometric Laws TroutmanPepper (Apr. 5, 2022), www.troutman.com/insights/a-fresh-face-of-privacy-2022-biometric-laws.html (listing states that have either enacted biometric laws or are introducing such laws); Fredric D. Bellamy, Looking to the Future of Biometric Data Privacy Laws, Reuters (Apr. 6, 2022), www.reuters.com/legal/legalindustry/looking-future-biometric-data-privacy-laws-2022-04-06/.

[13] See 740 Ill. Comp. Stat. Ann. 14/20, § 20 (West 2008) (detailing an Illinois resident’s right of action and various areas of recovery).

[14] 740 Ill. Comp. Stat. Ann. 14/5, § 15 (West 2008), see also Retention and Destruction, schedule.fieldprint.com/Public/Footer_RetentionDestruction (last visited Oct. 27, 2022) (outlining Fieldprint Inc.’s policy for retaining and destroying an individual’s biometric information).

[15] Id.

[16] See Illinois Biometric Information Privacy Act, www.termsfeed.com/blog/bipa (last visited Oct. 8, 2022) (explaining, among other things, that Illinois residents are afforded a private right of action; 740 Ill. Comp. Stat. Ann. 14/1 (West 2008).

[17] See generally Ark. Code Ann. § 4-110-104 (providing, among other things, that a person or business must “implement and maintain reasonable security procedures and practices” to protect an individual’s personal information from misuse, disclosure, etc.), Cal. Civ. Code § 1798.100 (stating, in part, that a business must inform consumers about the type of personal information to be collected and the reason for its use), Tex. Bus. & Com. Code § 503.001 (explaining the intricacies behind capturing or using an individual’s biometric identifier(s), Wash. Rev. Code § 19.375.020 (detailing the enrollment, disclosure, and retention of biometric identifiers).

[18] See Judge Approves $650M Facebook Privacy Lawsuit Settlement, AP News (Feb. 26, 2021),  apnews.com/article/technology-business-san-francisco-chicago-lawsuits-af6b42212e43be1b63b5c290eb5bfd85 (describing the enormity of the settlement reached by Facebook to payout to affected individuals); See also In re Facebook Biometric Information Privacy Litigation, Case No. 3:15-CV-03747-JD (N.D. Cal. May 14, 2018) (holding that plaintiffs had plenty evidence for a jury to reasonably conclude their biometric information was utilized by Facebook without consent, in violation of BIPA).

[19] In re Facebook Biometric Information Privacy Litigation, Case No. 3:15-CV-03747-JD (N.D. Cal.) (May 14, 2018).

[20] Official Notice, Facebook users in Illinois may be entitled to payment if their face appeared in a picture on Facebook after June 7, 2011, www.facebookbipaclassaction.com/media/2989470/fby_not_200911.pdf (last visited Oct. 8, 2022).

[21] Id.

[22] Settlement Information, Rivera, et al. v. Google LLC Class Action Settlement, www.googlebipasettlement.com/ (last visited Oct. 8, 2022).

[23] Rivera v. Google, LLC, Nos. 19-1182, 19-1242, 2020 U.S. App. LEXIS 41117 (7th Cir. Dec. 30, 2020); Celeste Bott, Google’s $100M BIPA Deal Gets Final Approval, Law 360 (Sep. 28, 2022), www.law360.com/articles/1534091/google-s-100m-bipa-deal-gets-final-approval.

[24] Bott, supra note 22.

[25] Settlement Information, supra note 21. See also Staff Report, Judge Approves Google Class-Action Lawsuit Settlement for Illinois Residents, NBC 5 Chicago (Sep. 29, 2022), www.nbcchicago.com/news/local/google-class-action-lawsuit-settlement-for-illinois-residents-approved-by-judge/2953010.

[26] Tik Tok settlement: Illinois users eligible for payout from $92M class action lawsuit, ABC 7 Chicago (Aug. 23, 2022), https://abc7chicago.com/tiktok-settlement-class-action-lawsuit-illinois-videos/12159141/.

[27] Judge Approves $92 Million TikTok Settlement, With Illinois Claimants Receiving Biggest Share, NBC 5 Chicago (Aug. 24, 2022), www.nbcchicago.com/news/local/judge-approves-92-million-tiktok-settlement-with-illinois-claimants-receiving-biggest-share.

[28] In Re: TikTok, Inc., Consumer Privacy Litigation, www.tiktokdataprivacysettlement.com/ (last visited Oct. 8, 2022).

[29] Apple Platform Security, Apple,  www.support.apple.com/guide/security/face-id-touch-id-passcodes-and-passwords-sec9479035f1/web (last visited Oct. 27, 2022).