Thus far in 2023, privacy and data breach class action litigation has seen a 154% increase from the previous year, making it the hottest area of growth in the class action bar. In previous years, federal data breach class actions rose from 13 a month to 33 per month, largely driven by the Illinois Biometric Privacy Act (BIPA), which focuses on business and vendors utilizing biometric technology.
Biometrics are unique physical characteristics, such as fingerprints or facial features, that can be used to automate recognition. For example, every time you log-in into your iPhone using facial recognition, you are utilizing their biometric technology. Other more specific examples, and a growing area of concern when it comes to the use of biometric technology, is in school systems and theme parks. When it comes to theme parks, they are often now utilizing fingerprints and/or facial recognition to link individuals to tickets when you enter the park. Similarly, school systems are using this technology for children to gain access to school, and other services such as lunch and after-school events.
In the United States, the government defined "personally identifiable" in 2020 as anything that can "be used to distinguish or trace an individual's identity" such as name, social security number (SSN), and biometrics information; either alone or with other identifiers such as date of birth or place of birth.
State regulations
As the use of biometrics has increased, so has the focus of state legislators. Many states have moved swiftly to propose and enact legislation to protect the privacy of individuals by regulating private entities collection and use of biometric data. At this time, several states are actively proposing bills, while certain states have been successful in having them passed. Widely considered the most detailed, burdensome, and plaintiff friendly is the Illinois Biometric Information Privacy Act (“BIPA”).
Enacted in 2008, BIPA regulates the collection and use of biometric data. The law ensures that individuals are in control of their own biometric data and prohibits private companies from collecting it unless they:
- Inform the person in writing of what data is being collected or stored. (e.g., fingerprint is stored when using Touch ID to log into bank account app on phone)
- Inform the person in writing of the specific purpose and length of time for which the data will be collected, stored and used. (e.g., fingerprint is stored for ease of logging into app and only for a duration of six months)
