We are pleased to inform you about a recent development in the Illinois Biometric Information Privacy Act (BIPA) law that could significantly impact businesses using biometric data. Last week, in the case of GT v. Samsung Electronics America Inc. [1] the Northern District of Illinois set a precedent that is favorable to defendants, providing a clearer framework for compliance and potential defenses under BIPA.
Case Background: In this case, the plaintiffs alleged that Samsung Electronics America Inc. violated BIPA by collecting and storing biometric data on personal electronic devices (cell phones and tablets) without obtaining informed consent. The plaintiffs claimed that Samsung’s actions exposed them to heightened risks of identity theft and unauthorized use of their biometric information.
Court’s Decision: The court’s ruling addressed key aspects of BIPA compliance and set important precedents for businesses:
- Well-Pleaded Allegations: At the motion to dismiss stage, the court emphasized that it takes well-pleaded factual allegations as true and draws reasonable inferences in favor of the plaintiff. However, the court requires specific factual allegations that demonstrate how the defendant’s actions violated BIPA standards.
- Definition of Possession of Biometric Information: Section 15(a) of BIPA only applies to private entities “in possession” of Biometrics. Citing prior precedent from both Federal Court in the Northern and Central Districts of Illinois, the Court noted that with BIPA, “possession occurs when someone exercises any form of control over the [biometric] data or held the data at his disposal.” [2] The Court concluded that the Plaintiffs failed to adequately allege possession of Biometrics because while Samsung controls the App and its technology, they failed to allege that Samsung receives or could receive such Biometric data, demonstrating control. [3]
- Definition of Biometric Data: The court clarified the criteria for what constitutes biometric data under BIPA. For a claim to survive, plaintiffs must demonstrate that the defendant’s collection of biometric data made the defendant capable of determining their identities. This clarification helps businesses understand the scope of data considered under BIPA. [4]
Implications for Businesses: This ruling offers several benefits to businesses facing BIPA-related litigation:
- Enhanced Defenses: The requirement for plaintiffs to provide specific factual allegations and demonstrate actual harm strengthens the defense’s position, potentially reducing frivolous or baseless claims.
- Compliance Clarity: The court’s definition of biometric data and clarification on harm criteria provide businesses with a clearer understanding of BIPA compliance requirements.
- Risk Management: By emphasizing the need for concrete evidence of harm, the ruling encourages businesses to adopt robust data protection measures to mitigate risks associated with biometric data.
Action Steps: We recommend that businesses using biometric data take the following steps to ensure compliance and strengthen their defense against potential BIPA claims:
- Review, Update, and Publish Policies: Ensure that your biometric data collection and storage policies are up-to-date and comply with BIPA requirements, including publication.
- Obtain Informed Consent: Implement procedures to obtain explicit and informed consent from individuals before collecting their biometric data.
- Enhance Data Security: Invest in advanced security measures to protect biometric data from unauthorized access and breaches.
- Document Compliance Efforts: Maintain thorough records of your compliance efforts, including consent forms, data protection measures, and employee training programs.
SGR is here to help you navigate these changes and ensure your business remains compliant with BIPA regulations, and present an aggressive defense to any alleged BIPA violations. If you have any questions or need assistance with your compliance efforts, please do not hesitate to contact a member of our BIPA defense team: Joel Bruckman, Steve Hartmann, Jeff Rossman, and Johnathon Koechley.
[1] G.T. v. Samsung Elecs. Am. Inc., 21 CV 4976, 2024 WL 3520026 (N.D. Ill. July 24, 2024)
[2] Id at *2.
[3] Id at *4.
[4] Id at *7-8.