In the face of billions of dollars of potential liability at trial, social media giant, Facebook, opted for the finality of a class-wide settlement—to the tune of $550 million—reached with Illinois users complaining of violations of the Illinois Biometric Information Privacy Act (BIPA). Facebook explained that the settlement was “in the best interest of [its] community and shareholders.” If approved by the court, the $550 million settlement will be the largest of its kind and will put an end to a case where Plaintiffs alleged that Facebook violated BIPA by collecting biometric data without consent through its facial-tagging feature. 

Under BIPA, entities may not “collect, capture, purchase, receive through trade or otherwise obtain” or store a person’s biometric information without informing an individual in writing about the collection or storage of said information. Further, entities collecting biometric information must specify the purpose for its collection and storage and how long it will be kept. Finally, entities must obtain a written release signed by the individual whose information has been collected. A failure to comply with these requirements gives an aggrieved individual a “private right of action” and allows the recovery of a minimum of $1,000 in liquidated damages, reasonable attorneys’ fees and costs and injunctive relief to anyone who successfully shows a violation. 

While plaintiff did not allege actual damages, the 9th Circuit confirmed that failure to obtain written consent and to establish a compliant retention schedule resulted in a compensable injury. Facebook and other companies have similarly come up short in other defenses in the face of BIPA class actions grounded in a failure to obtain the appropriate consent and complying with the statute’s other requirements.

In fact, Illinois’ BIPA, the most comprehensive legislation addressing the privacy of biometric information, packs a significant punch because unlike other states that have statutes protecting biometric data, including the California Consumer Privacy Act (the CCPA), the Illinois statute has been found to contain a private cause of action for the (mere) failure to comply with the law’s requisites. It’s unclear the impact that this Facebook settlement will have on other state legislatures in drafting similar privacy protections and how such an eye-popping settlement, without any alleged injury to the actual privacy of the Facebook users, might drive Congress to take action. No matter what: there appears to be no immediate relief in sight.

Our prior recommendations remain in place. Specifically, employers should review, audit and update practices regarding the use of their employees’ biometric data. This means companies with an Illinois presence should take the following steps:

1. Establish and make public (for example, post on the company’s website) a written policy that addresses the purpose(s) of biometric data use, how it will be collected, and how it will be stored.
2. Be prepared to address any requests for reasonable accommodations based on disability, religious, or other reasons.
3. If biometric data might leave a closed system, ensure that proper safeguards are in place, including contractual liability shifting.
4. Ensure that employees whose biometric data is used acknowledge the policy, and authorize its use and collection in writing.
5. Train supervisors on the company’s policies and practices to ensure consistency.
6. Have biometric data systems audited to ensure that data is not open to the public or a systems breach.
7. Consult with competent counsel to ensure that policies and practices comply with relevant law.