Federal Court Finds Illinois’ Biometric Information Privacy Act Constitutional

On November 29, 2020, a federal district court in Chicago ruled in Bryant v. Compass Group USA, Inc.[1] that Illinois’ Biometric Information Privacy Act (BIPA)[2] did not violate the Illinois constitution. The BIPA created a comprehensive set of rules for regulated companies that collect biometric data from Illinois residents, such as fingerprints and retina scans. In general, these companies must implement a policy for: (1) informing those from whom biometric information is collected of the fact that the information is being collected and for what purpose; (2) obtaining consent from those whose biometric information is collected to the use of the information for the purposes described in the policy and any potential dissemination of that information to third parties; and (3) a publicly available “retention schedule” for the information.

Liability under the BIPA is draconian. It carries penalties that could exceed $5,000 per violation and does not require a data breach, wrongful disclosure, or actual injury to the consumer. As a result, the BIPA has fueled many class action lawsuits.

In Bryant, the Plaintiff filed a class action lawsuit under the BIPA after her fingerprint scan was collected when she signed up to use a smart vending machine. Bryant alleged that Compass Group violated Section 15(a) of BIPA by possessing her biometric information and failing to destroy that information once the purpose for collecting it was complete.

In moving to dismiss Bryant’s Complaint, Compass Group raised a constitutional challenge to the BIPA. The Illinois state constitution provides that the Illinois general assembly “shall pass no special or local law when a general law is or can be made applicable.” The Illinois Supreme Court has held that this language “prohibits the General Assembly from conferring a special benefit or exclusive privilege on a person or a group of persons to the exclusion of others similarly situated.”

Compass Group argued that the BIPA conferred such a special benefit or exclusive privilege on the certain types of entities which are excluded from the BIPA and are therefore not subject to its requirements.  Specifically, the BIPA excludes financial institutions, affiliates of financial institutions that are subject to the Gramm-Leach-Bliley Act, government agencies, and government contractors working in the capacity as contractors.

To prevail on this constitutional challenge, Compass Group had to establish that this exclusion was not rationally related to a legitimate government interest. The Court found that the Compass Group failed to do so, stating that “[t]he Illinois General Assembly’s decision to exclude certain entities from BIPA’s coverage is eminently rational.” The Court pointed out that financial institutions were excluded because they are already subject to comprehensive privacy protection requirements under federal law. The Court further pointed out that government agencies are already generally entitled to sovereign immunity. The Court noted further that the Illinois “…General Assembly planned to assess threats to privacy caused by governments’ possession of personal information in a different way—namely, by forming a study committee to review agencies’ policies and practices with respect to collection and storage of biometric identifiers.”[3]  The Court held that because privacy safeguards are already in place, imposing the BIPA’s additional requirements on the excluded entities “would have been minimally efficacious.”

Joseph Messer has vast experience litigating claims under privacy laws such as the BIPA, the Fair Credit Reporting Act and the Telephone Consumer Protection Act. If you need assistance with claims under privacy laws or compliance matters feel free to contact Mr. Messer at jmesser@messerstrickler.com or (312) 334-3440.

[1] 2020 U.S. Dist. LEXIS 222219 (N.D. Ill. Nov. 29, 2020)

[2] 740 ILCS 14/1, et seq.

[3] This committee was supposed to review current policies and practices and make recommendations for improvement by January 2009. Query if this ever happened or whether action was taken on any such recommendations.

More Posts

2024 PBSA Annual Conference

Joe Messer and Andrew Schwartz are looking forward to the Professional Background Screeners Association’s Annual Conference in Boston on Sep 8 – 10, 2024 where they will be presenting How to Effectively Manage FCRA Litigation. They hope to see you at the Conference and at their presentation.

Why You Need a FCRA Compliance Manual and What it Should Include

On December 14, 2022 I presented a Professional Background Screening Associations (PBSA) Educational Resources Committee webinar entitled Why You Need a FCRA Compliance Manual and What it Should Include. During the presentation I explain the “reasonable”

Internal FCRA Compliance Audits

Internal Fair Credit Reporting Act (FCRA) Compliance Audits can be an effective way to guard against lawsuits. A properly conducted Audit will expose operational deficiencies which can subject your firm to potential liabilities so you can address them before liability arises. This article describes what an Audit can cover, how to motivate your employees to meaningfully participate in the Audit, what to do with the information gleaned from the Audit and how to protect negative information from the Audit from disclosure if litigation arises.

Professional Background Screening Association’s Annual Conference

On September 13, 2022, Joe Messer will be speaking at the Professional Background Screening
Association’s Annual Conference at the Gaylord Rockies Resort in Denver, Colorado. He will present a
seminar on Fair Credit Reporting Act compliance audits and how they can guard against FCRA lawsuits.

Send Us A Message