Three lessons from BIPA for data privacy legislation
Recently, the Supreme Court denied cert on the lower court case of Patel v. Facebook, allowing the lower court ruling to stand. The company agreed to a $550 million settlement with the class of plaintiffs a few days later. This is the latest case to use private right of action, or individual and class-action lawsuits, as a method of enforcement for the Illinois Biometric Information Privacy Act (BIPA). This and other lawsuits related to BIPA, such as a case against Six Flags last year, provide an insight into how a private right of action might play out in the context of broader data privacy regulations.
Illinois’ BIPA, passed in 2008, has statutory requirements governing the collection and storage of biometric information, including fingerprints and facial features and measurements used to quickly identify photos. Unlike similar laws in Washington and Texas, it has also allowed individuals to bring cases against companies for alleged violations as part of its enforcement.
Whether consumer data privacy laws should include the right for those impacted to sue is a key inflection point in the data privacy debate at both the state and federal levels. States including New York are considering state-level data privacy legislation that includes such a right.