BIPA’s scope shaped by courts with no legislative help in sight | Locke Lord LLP

Since the Illinois Supreme Court’s Rosenbach decision[1] holding that BIPA[2] is actionable on the mere demonstration of statutory violations rather than actual harm, litigants and courts have been busy shaping BIPA case law. Here are the issues the courts have ruled on.

General definitions of “biometric identifier” and “biometric information”

BIPA regulates the collection, sale, disclosure, consent and destruction of biometric data under two categories, “biometric identifier[s]” and “biometric information”. “Biometric identifier” includes certain immutable physical characteristics of a person: “retina or iris scan, fingerprint, voiceprint, or hand or facial geometry scan”.[3] “Biometric information” is broadly defined as “any information… used to identify an individual” that is “based on an individual’s biometric identifier[,]”[4] which at least implies that BIPA regulates any non-anonymized result of a computer analysis of a person’s biometric identifiers.

While BIPA expressly excludes certain types of data, including “photographs”, courts have interpreted these exclusions narrowly, for example by holding that “unique digital representations” based on a person’s facial geometry derived from a photograph constitute a “biometric identifier”.[5]

Specific disclosure and consent

Recent case law has clarified BIPA’s disclosure and consent requirements.[6] Businesses must disclose and receive consent for the specific biometric identifier or biometric information they collect or derive from collected data. For example, general consent to the collection of photographs will likely be insufficient to satisfy the requirement to seek consent on the types of identifiers or biometric information that can be derived from the photographs.[7]

Limitations of BIPA

So far, courts have found a handful of factual limitations to BIPA’s statutory regime:

Pre-emption: Allegations by unionized employees of violations of BIPA by their employer are pre-empted by the (federal) Labor-Management Relations Act as long as the employee and employer had a collective bargaining agreement in place.[8] However, BIPA is not preempted by Illinois workers’ compensation law.[9]

Similarly, a federal court has ruled that the Airline Deregulation Act prevails over BIPA allegations raised by a passenger against an airline for collecting biometric data in connection with voice-response software.[10]

Contact: The complainant and the company must have some relationship. “[A]t least some measure of knowledge and awareness of individuals subject to biometric data collection” must exist with the business collecting biometric data for the business to be subject to BIPA.[11] In other words, BIPA does not require entities to proactively identify individuals whose biometric data may be in their possession, for example because a user of a social media website has uploaded photos including non-users.[12]

Arbitration Clauses: Although arbitration is not a legal defense, it can help companies avoid costly and extensive class action lawsuits. Companies may prefer to resolve alleged BIPA violations through arbitration with individual complainants in less public forums.[13] In Whalen, the court granted Facebook’s motion to compel arbitration because the plaintiff agreed to Instagram’s terms of service, including the terms that were disclosed to the plaintiff via an in-app update.[14]

Undecided problems

Number and accumulation of violations: The Illinois Supreme Court is expected to decide in the fall of 2022 whether a BIPA violation occurs every time a person’s biometric ID is scanned or only the first time a person’s biometric ID is scanned by a particular entity.[15] A “per-scan” decision by the Court coupled with statutory damages could exponentially increase the exposure to liability for violations of BIPA.

Statute of limitations: The Illinois Supreme Court also has a case pending that would decide the statute of limitations applicable to BIPA: either the state’s general five-year statute of limitations, which applies to civil cases unless otherwise provided, the state’s one-year statute of limitations, which applies to alleged privacy violations involving publication, or a combination thereof.[16] In 2021, an appeals court ruled that BIPA provisions involving alleged inappropriate publication of biometric data are subject to a one-year statute of limitations, while other provisions are subject to a five-year statute of limitations.

Other preemption: A case involving Google before the Central District of Illinois will likely decide whether BIPA is preempted by the federal Children’s Online Privacy Protection Act (“COPPA”) and the Illinois Student Online Personal Protection Act (“SOPPA”), which regulates the online collection of personal information from children under 13.[17] The case concerns Google educational products distributed by schools to minor children.

‘Profit’ under BIPA: A case involving Macy’s and its use of a facial recognition provider for loss prevention will likely decide the extent of BIPA’s seemingly blanket ban on “sell[ing], leas[ing], trad[ing], or otherwise profit[ing] from a person’s or a customer’s biometric identifier or biometric information.”[18] It is important to note that companies cannot circumvent this ban with informed consent.


Although legislative attempts to clarify or limit the scope of BIPA have failed to date, litigation continues to shape the impact of BIPA on entities doing business in Illinois or with Illinois residents. Among other examples, bills aimed at limiting damages[19] and clarifying the timing of BIPA’s informed consent requirement for repeat biometric data collection[20] have not made much progress.

Entities should carefully assess whether BIPA applies to their activities, including with their customers and employees, and take steps to ensure compliance. Because courts have tended to apply BIPA requirements broadly and apply disclaimers narrowly, complying with the notice and consent requirements of the law remains the best course of legal risk management.


[1] Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (2019).
[2] See here and here for Locke Lord’s companion articles on other state laws that address the privacy of biometric information and the growing case law regarding litigation over insurance coverage for BIPA claims.
[3] 740 ILCS 14/10.
[4] 740 ILCS 14/10.
[5] Sosa v. Onfido, Inc., Case No. 20-cv-4247 (N.D. Ill. Apr. 25, 2022).
[6] 740 Ill. Comp. Stat. 14/15(a) (disclosure requirement) and 14/15(b) (consent requirement).
[7] Sosa v. Onfido, Inc., Case No. 20-cv-4247 (N.D. Ill. Apr. 25, 2022).
[8] Walton v. Roosevelt University, 2022 IL App (1st) 210011 (1st Dist. 2022).
[9] McDonald v. Symphony Bronzeville Park, LLC, et al., 2022 IL 126511 (2022).
[10] Alex Kislov et al. v. American Airlines Inc., Case No. 1:17-cv-09080, Dkt. 111 (N.D. Ill. Mar. 22, 2022).
[11] Zellmer v. Facebook Inc., Case No. 3:18-cv-01880 (N.D. Cal. Apr. 1, 2022).
[12] Zellmer v. Facebook Inc., Case No. 3:18-cv-01880 (N.D. Cal. Apr. 1, 2022).
[13] Kelly Whalen et al. v. Facebook Inc., Case No. 4:20-cv-0636 (N.D. Cal. Apr. 4, 2022).
[14] Kelly Whalen et al. v. Facebook Inc., Case No. 4:20-cv-0636 (N.D. Cal. Apr. 11, 2022). See also KFC v. Snap Inc., Case No. 21-2247 (7th Cir. 2022).
[15] Cothron v. White Castle Sys., Inc., 20 F.4th 1156 (7th Cir. 2021), pleaded Cothron v. White Castle System Inc., Case No. 128004.
[16] 735 ILCS 5/13-205, 735 ILCS 5/13-201, Tims v. Black Horse Carriers, Inc., 2021 IL App (1st) 200563, appeal lodged Case No. 127801.
[17] HK et al. v. Google LLC, Case No. 1:21-cv-01122 (C.D. Ill. Apr. 1, 2022).
[18] In Re: Clearview AI Inc. Consumer Privacy Litigation, Case No. 1:21-cv-00135, Dkt. 314 (N.D. Ill. Mar. 18, 2022).
[19] 2021 HB 0559
[20] 2022 SB 3874
