A 2019 ruling by the Illinois Supreme Court (Rosenbach v. Six Flags Entertainment Corp.) lowered the bar regarding who is entitled to seek damages under BIPA, which has led to a significant increase in lawsuits. Indeed, these recent state class-action lawsuits allege substantial damages against companies, as plaintiffs commonly argue that fines can be levied per individual violation.
With more than 300 class-action lawsuits filed under BIPA to date, both public and private companies would be wise to pay attention to whether their own information collection, storage and protection methods follow what could be evolving biometric privacy laws in their states.
More states are weighing biometric privacy laws
Although BIPA is not a new law, it looms large in ongoing discussions of how to regulate the increasingly common collection and handling of biometric data. A number of states – including Alaska, Arizona, Connecticut, Delaware, Florida, Idaho, Massachusetts, Michigan, Montana, New Hampshire, New Jersey, New York and Rhode Island – have pending biometric privacy legislation. It is likely not a question of if but when legislatures will apply safeguards and weigh the potential use of a private right of action as seen in Illinois.
The implications of increased legislation are far reaching. In addition, violations alleged under BIPA can potentially fall within the scope of directors and officers liability, employment practices liability, commercial general liability or cyber liability, depending on the nature of the claim.