The concept of biometric data is explored in detail by Andrew Cook in his latest research paper published in UIC Law Review [57 UIC L. REV. 363 (2024)]. According to him the term can be defined as data that is obtained from distinctive physical characteristics such as fingerprints and facial features, and has become increasingly crucial for authentication purposes.

Nonetheless, due to concerns surrounding privacy, some states, including Illinois and Texas, have implemented biometric privacy laws. The Biometric Information Privacy Act (BIPA) in Illinois and the Capture or Use of Biometric Identifiers Act (CUBI) in Texas are examined in this article, which also offers suggestions for further improving their efficacy.

In this blog post, I aim to provide a literature review of this amazing research paper.

The Landscape of Biometric Privacy Laws

In the paper, he also talked about the importance of Biometrics, which involves the use of aspects such as fingerprints and facial features to ensure secure authentication. Biometric privacy laws were first pioneered by Illinois and Texas through BIPA and CUBI, respectively. BIPA empowers individuals to sue for any violations while CUBI reserves enforcement authority only for the Attorney General. This section emphasizes the significance of understanding the differences between these laws for individuals and businesses who are dealing with biometric privacy laws.

Utilization of Biometric Data and Associated Risks

He proceeded to discuss the common use of Biometric data, which is frequently utilized in smartphone security and banking. Tech giants have incorporated biometric scanners for authentication purposes. In this section, we will delve into the reliability, security, convenience, and applications of biometric data. The unique and consistent characteristics of biometric identifiers make them widely accepted and difficult to hack, making them a valuable tool in authentication processes.

Challenges Posed by BIPA Implementation

He contents that despite good intentions, the implementation of BIPA has presented challenges, particularly for employers. The private right of action granted by BIPA has resulted in a substantial number of lawsuits, with plaintiffs alleging technical violations without demonstrating actual harm. The interpretation of the term "aggrieved" under BIPA has been pivotal, allowing individuals to bring claims even in the absence of tangible harm. Employers, particularly small businesses, have faced the brunt of BIPA-related litigation, often settling for significant damages to avoid protracted legal battles.

Key Concepts

  1. Private Right of Action vs. Attorney General Right of Action

    BIPA provides individuals a private right of action, enabling them to independently initiate legal proceedings. In contrast, CUBI vests the Texas Attorney General with the exclusive right to file a claim. The section explores the implications and procedural disparities arising from these distinct approaches.

  2. "Aggrieved" Person

    The term "aggrieved" holds significance in Illinois BIPA, determining who can bring suit against a private entity for a violation. The Rosenbach case clarifies that an individual qualifies as "aggrieved" when their legal right is invaded, even without demonstrating additional harm. This interpretation aligns with the notion that a breach of statutory rights constitutes sufficient grounds for legal action under BIPA.

  3. BIPA Claims in Federal Court

    While many BIPA claims are filed in Illinois state courts, the Class Action Fairness Act allows defendants to move them to federal court. This section by Andrew then delved into the complexities of federal court standing concerning BIPA claims, highlighting the significance of Article III standing for jurisdiction.

    According to him, Federal court jurisdiction in BIPA cases hinges on Article III standing, necessitating a concrete and particularized injury directly traceable to the opposing party's actions and redressable by a favorable judicial decision. This differs from Illinois state courts, where being an "aggrieved" person under the statute automatically grants standing. Mere qualification as "aggrieved" doesn't assure automatic standing in federal court, as clarified by the Supreme Court in Spokeo, Inc. v. Robins.

Case Law Analysis

  1. Bryant v. Compass Grp. USA and Fox v. Dakkota Integrated Sys., LLC

    Bryant v. Compass Grp. USA: The court emphasized that a procedural violation without concrete harm doesn't meet Article III standing for the Section (a) claim. However, for the Section (b) claim, where the plaintiff lost control of her biometric identifiers due to non-disclosure, a concrete harm was acknowledged, satisfying Article III standing.

    Fox v. Dakkota Integrated Sys., LLC: The plaintiff alleged concrete harm resulting from the unlawful collection and sharing of biometric data, meeting Article III standing requirements.

    The author's main argument is that the recent case analyses demonstrate that plaintiffs need to prove actual harm in addition to the violation of BIPA rights to satisfy the Article III standing requirements in federal court. This requirement adds a layer of complexity for individuals who prefer to pursue their case in federal court

  2. Thornley v. Clearview AI

    In Thornley v. Clearview AI, Inc., plaintiffs strategically avoided alleging concrete harm to exploit Article III standing nuances. By narrowing the focus to a specific BIPA subsection, they emphasized a "bare procedural violation," successfully avoiding federal jurisdiction.

  3. Cothron v. White Castle Systems Inc

    Cothron v. White Castle Systems Inc. centered on claim accrual and potential damages. The court, aligning with Rosenbach, deemed each unauthorized biometric scan a separate violation, accruing new claims. This interpretation upheld BIPA's statutory damages, raising concerns about potential excessive damages and highlighting the delicate balance between damages, legislative intent, and strategic choices.

    According to Andrew, Thornley and Cothron highlight strategic considerations in BIPA litigation. Plaintiffs may tailor claims to avoid federal court, exploiting the absence of an automatic standing provision in Article III. Cothron prompts a nuanced evaluation of BIPA's damages structure, offering insights for both plaintiffs and defendants navigating the evolving biometric privacy litigation landscape.

Proposals for Refinement and Improvement

  1. Limiting Private Right of Action and Endowing Authority to the Attorney General

    Illinois' BIPA currently grants individuals a private right of action, leading to a surge in litigation. A proposed refinement is to eliminate the private right of action, reserving the authority for the Illinois Attorney General to bring claims. This shift would align with Texas' CUBI, streamlining enforcement and reducing the potential for frivolous lawsuits.

  2. Defining "Aggrieved" with Precision

    The term "aggrieved" under BIPA has been broadly interpreted, allowing individuals to sue even without demonstrating tangible harm. A more precise definition could be adopted, requiring a showing of actual harm or a significant risk of harm. This approach balances the protection of individual rights with a more realistic threshold for legal action.

  3. Limiting Standing to Tangible Harm

    To curb the influx of lawsuits based on technical violations without actual harm, Illinois should restrict standing to cases where tangible harm is demonstrated. This would prevent the filing of frivolous claims solely on procedural grounds and ensure that legal action is reserved for situations with real-world consequences.

  4. Implementing a Safe Harbor Provision

    Introducing a safe harbor provision within BIPA would offer protection to entities acting in good faith. This provision would allow entities to cure breaches when no actual harm to the plaintiff resulted from the violation. A safe harbor provision encourages innovation, reduces the burden on the judicial system, and strikes a balance between privacy protection and practical challenges faced by businesses in compliance.

  5. Clarifying Damages Structure

    Given the potential for substantial damages, clarity is needed in BIPA regarding the calculation and accrual of damages. Aligning damages with the actual harm suffered and establishing a reasonable cap on statutory damages per violation would prevent excessive liabilities and potential abuse of the statutory framework.

Conclusion and Our Review

Based on our review, this research paper presents a comprehensive overview of the landscape of biometric privacy laws, with a specific focus on Illinois' Biometric Information Privacy Act. I fully agree with the author's main argument that Illinois' BIPA, while well-intentioned, has created challenges for employers and the judicial system. The author has done an excellent job of highlighting the challenges faced by employers, the nuances of legal mechanisms, and strategic considerations in litigation that underscore the need for thoughtful refinements.

The proposed refinements aim to enhance the effectiveness of BIPA without unduly burdening businesses. These refinements include limiting the private right of action, defining "aggrieved" more precisely, restricting standing to cases of tangible harm, implementing a safe harbor provision, and clarifying the damages structure. I completely agree with the author's conclusion that Illinois can strike a better balance between protecting biometric privacy and fostering technological innovation.

Origina Paper is Avaialbel Here: https://repository.law.uic.edu/lawreview/vol57/iss2/5/