Biometric Information Privacy Act (BIPA): A Checklist for Defendants

The rising tide of litigation under Illinois’s Biometric Information Privacy Act (BIPA) shows no sign of ebbing anytime soon. No industry is immune, and here’s what companies should consider if they’ve been named as a defendant in a BIPA lawsuit.

  1. Contact your in-house legal department or outside counsel and have them work with your insurance broker to determine if there is coverage.

  2. Review contracts with any vendor that provided biometric collection equipment to determine if you can seek defense and/or indemnity for litigation.

  3. Determine what plaintiff alleges you collected.

      • BIPA defines “biometric identifier” as only one of the following: (1) retina or iris scan; (2) fingerprint; (3) voiceprint; (4) scan of hand geometry; or (5) scan of face geometry.

      • BIPA defines “biometric information” as any information based on a biometric identifier used to identify an individual. Biometric information does not include information derived from, among other things, writing samples, written signatures, photographs, or information captured from a patient in a health care setting.

      • If you collected something other than biometric identifiers or biometric information (“biometrics”), you have a good argument that BIPA does not apply even if the information seems generally related to biometrics (e.g., photographs).

  4. If you determine that you collected plaintiff’s biometrics, immediately stop the disclosure or sale of plaintiff’s biometrics.

  5. If you determine that you collected plaintiff’s biometrics, implement a legal hold on all documents relating to your collection or use of plaintiff’s and other similarly situated individuals’ (e.g., other persons from whom you collected biometrics, including employees or customers) biometrics.

  6. If you are collecting biometrics as defined by BIPA, evaluate your practices for compliance. Specifically:

      • Do you have a publicly available written policy establishing a retention schedule governing how long you will retain biometrics you collect and guidelines for the destruction of the biometrics?

      • Do you follow the required procedures before collecting biometrics?

      • Do you follow the required procedures before disclosing or disseminating biometrics outside your company?

      • Do you take the required steps to secure the biometric information?

    If the answer to any of these questions is no, suspend the collection and use of biometrics (to the extent possible) and immediately update your practices to comply with BIPA.

      • Also, do you sell, lease, trade, or otherwise profit from a person’s biometrics? If so, stop immediately. This is prohibited regardless of any disclosure or consent.

  7. Review potential litigation strategies and defenses:

      • Consider removal to federal court.

      • Determine if there is an applicable arbitration provision, class-action waiver, or release.

      • Determine if plaintiff is trying to apply BIPA extraterritorially.

      • Determine if the alleged conduct falls within BIPA’s narrow definitions of biometric identifier and biometric information.

      • Determine if the alleged conduct occurred within the applicable statute of limitations.

      • Assess plaintiff’s alleged damages for purposes of arguing that plaintiff lacks statutory or constitutional standing to assert a BIPA claim.