- The Illinois Supreme Court ruled on Friday that an individual can bring a lawsuit against an organization that violates the state’s Biometric Information Privacy Act, without alleging actual injury or adverse event.
The court ruled that the individual can sue, if their rights have been violated under BIPA. The individual can seek liquidated damages, attorney’s fees, and injunctive relief under the law. Potentially, an individual can receive up $1,000 per each negligent violation or $5,000 for each reckless or intentional violation.
BIPA covers biometric information like iris scans, voiceprint, fingerprint, or hand scans, and other means to identify a person. Enacted in 2008, the law mandates that no private entity can collect, capture, purchase, or obtain an individual’s biometric identifier or biometric data unless authorized.
For health organizations, the Supreme Court judgement should serve as a reminder to ensure they’re compliant under BIPA. IT leaders should review time management and physical security procedures, along with any other systems that process, use, or disclose biometric data.
Those organizations must fix any discovered gaps in procedural or technical compliance flaws, including failure to obtain consent to provide biometric data to a third-party or maintaining a policy or guidelines for retaining and destroying biometrics.
“The duties imposed on private entities… regarding the collection, retention, disclosure, and destruction of a person’s or customer’s biometric identifiers or biometric information define the contours of that statutory right,” BIPA reads.
“Accordingly, when a private entity fails to comply with [the] requirements, that violation constitutes an invasion, impairment, or denial of the statutory rights of any person or customer whose biometric identifier or biometric information is subject to the breach,” it continued. “Such a person or customer would clearly be “aggrieved” …. and entitled to seek recovery under that provision.”
Further, the individual needn’t prove or plead any further than the violation, which the court ruled “is sufficient to support the individual’s or customer’s statutory cause of action.”
The court’s decision takes BIPA a step further to protect an individual’s right to biometric data privacy and is one of the first states to define actual harm – and assert that such harm is unnecessary when those rights are violated.
“Compliance should not be difficult,” the ruling stated. “Whatever expenses a business might incur to meet the law’s requirements are likely to be insignificant compared to the substantial and irreversible harm that could result if biometric identifiers and information are not properly safeguarded.”
“That is the point of the law,” it continued. “To require individuals to wait until they have sustained some compensable injury beyond violation of their statutory rights before they may seek recourse, as defendants urge, would be completely antithetical to the act’s preventative and deterrent purposes.”