US Data Privacy Litigation
Biometrics and consumer health data litigation
This article, part of a series covering U.S. data privacy litigation, focuses on biometrics and consumer health data. The full series can be accessed here.
Published: March 2025
Private litigants alleging violations under the Illinois Biometric Information Privacy Act have had success settling claims regarding the privacy of their biometric data. The largest per-member award to date, around USD1,000 each for a class with over 45,000 members, comes from the sole BIPA case that was decided by a jury.
BIPA Section 15 contains the core requirements for private entities' retention, collection, disclosure and destruction of biometric identifiers and information. Section 15(a) lays out requirements for covered entities, which possess biometric identifiers or biometric information, to develop publicly available, written policies that establish a retention and destruction schedule. Such biometric identifiers and biometric information must be destroyed when the initial purpose of collection has been met or within 3 years of its last interaction with the individual, whichever occurs first.
Section 15(b) prohibits private entities from collecting, capturing, purchasing, receiving through trade or otherwise obtaining an individual's biometric identifier or information, unless three conditions have been met:
- The subject has been informed in writing that a biometric identifier or biometric information is being collected or stored.
- The subject has been informed of the purpose and length of term for the collection, storage and use of the biometric identifier/information.
- The private entity has received written release by the subject.
Similarly, Section 15(d) prohibits private entities from disclosing, redisclosing or otherwise disseminating an individual's biometric identifier or information unless three analogous conditions have been met.
The third prong of this consent requirement for "written release" had been the subject of some debate. In August 2024, BIPA was amended to include "electronic signature" within this definition.
Section 15(c), meanwhile, puts a blanket prohibition on selling, leasing, trading or otherwise profiting from an individual's biometric identifier or information.
Lastly, Section 15(d) requires private entities in possession of biometric identifiers/information to store, transmit and protect from disclosure such data "using the reasonable standard of care within the private entity's industry" and "in the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information."
BIPA definitions and exclusions
Under BIPA Section 10, a biometric identifier is specifically defined as "a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry." By comparison, biometric information is any information "based on" one of these biometric identifiers that is then used to identify an individual.
While the term biometric data does not appear in the text of the law, it has been used as an umbrella term to refer to both biometric identifiers and biometric information. Excluded from the definition of biometric identifiers are things such as written signatures, photographs and human biological samples used for valid scientific testing or screening. Demographics and physical descriptions such as height, weight, hair color or eye color also do not constitute biometric data, nor do biological materials regulated under the Illinois Genetic Information Privacy Act or patient information regulated under the Health Insurance Portability and Accountability Act.
Section 20 of BIPA contains its private right of action. This section provides "any person" aggrieved by a violation the right to file suit within a state circuit court or a supplemental claim within federal district court. Individuals may recover four types of relief:
- For negligent violations, the greater of liquidated damages of USD1,000 or actual damages.
- For intentional or reckless violations, the greater of liquidated damages of USD5,000 or actual damages.
- Attorney fees and other litigation expenses.
- Other types of relief, including injunction.
Courts have previously ruled on the construction of Sections 15(b) and 15(d) of BIPA, namely whether "claims accrue each time a private entity scans a person's biometric identifier and each time a private entity transmits such a scan to a third party, respectively, or only upon the first scan and transmission." The Illinois Supreme Court in Latrina Cothron v. White Castle System held that "a separate claim accrues each time a private entity scans or transmits an individual's biometric identifier or information in violation of BIPA section 15(b) or 15(d)."
Following this decision, the Illinois State Legislature passed Senate Bill 2979, which put a limit on BIPA claims. Now, individuals are at most entitled to one recovery for a given biometric identifier or biometric information regardless of the number of times the biometric identifier/information was collected, captured, purchased, received through trade or otherwise obtained, per Section 15(b), and at most one recovery under Sec. 15(d) regardless of how many times the biometric identifier or information was disclosed, redisclosed or otherwise disseminated to a recipient.
The statute of limitations on bringing a BIPA claim has also been decided through litigation. In Tims v. Black Horse Carriers, the Illinois Supreme Court held that individuals can bring BIPA claims up to five years following an alleged BIPA violation.
Several BIPA complaints with large technology companies have led to multimillion-dollar settlements and changes in the way companies collect, process and use consumers' biometric data.
T.K. v. Bytedance Tech.
The settlement in T.K. v. Bytedance Tech. stemmed from multidistrict litigation that combined 21 class-action lawsuits filed across California and Illinois. The BIPA claim, which was brought on behalf of the Illinois subclass, hinged on the allegation that TikTok extracted "a broad array of private data including biometric data and content" and that it allegedly tried to "ascertain users' race, gender and age by using biometric identifiers." In addition to TikTok agreeing to pay USD92 million, the settlement required TikTok to refrain from collecting or storing users' biometric identifiers or information and to hire a third-party firm to review their data privacy training for a period of three years.
Rivera v. Google
The protection of biometric information, a derivative of biometric identifiers, has been lauded as one of the most innovative aspects of BIPA. Rivera v. Google was a class-action lawsuit whereby members of the class alleged Google violated BIPA by collecting, storing and using their biometric data in connection with Google Photos without their informed written consent. It was settled in 2022 for USD100 million.
In its opinion, the court explained the definition and inclusion of the term biometric information "does important work" in BIPA, essentially preventing private entities from evading the law's scope "by converting a person's biometric identifier into some other piece of information, like a mathematical representation, or even simpler, a unique number assigned to a person's biometric identifier." Thus, the court found the "face templates" generated by Google qualified as biometric identifiers, also being one of those specified in the act as a "scan of face geometry."
Meta lawsuits
In what was hailed at the time as the largest privacy class-action settlement, Meta, then Facebook, reached an agreement with Illinois Facebook users in Patel v. Facebook for USD650 million over its alleged use of facial recognition technology to collect and store users' biometric identifiers without consent.
More recently, a BIPA class-action lawsuit was dismissed in favor of Meta, this time on the issue of standing. Standing within privacy jurisprudence has been fraught with contention at least since the Supreme Court's decision in Spokeo v. Robins nearly a decade ago, as well as in subsequent cases like TransUnion v. Ramirez. A panel of the U.S. Court of Appeals for the Ninth Circuit found the plaintiff class in Zellmer v. Meta Platforms failed to demonstrate how they were harmed in a "concrete and particularized way" by the alleged BIPA violations and dismissed the claim.
Rogers v. BNSF Railway
The first — and only to date — jury trial under BIPA, heard in 2022, resulted in an order for BNSF Railway to pay USD228 million to 45,600 truck drivers for collecting their fingerprints without consent. The amount of the settlement represented the maximum award, USD5,000 per individual. While a new trial was ordered for the damages amount to be determined by a judge rather than a jury, an interim agreement was reached between BNSF and class members to settle the dispute for USD75 million. The lessons from BNSF will likely encourage BIPA defendants to continue to seek settlement agreements over jury trials.
Washington state's My Health My Data Act was signed into law 17 April 2023, with its provisions largely taking effect 31 March 2024. Small businesses, a subcategory of the act defined as those with the consumer health data of fewer than 100,000 consumers or that derive less than 50% of their gross revenue from the collection, processing, selling or sharing of consumer health data of fewer than 25,000 consumers, had a delayed effective date of 30 June 2024.
Consumers must allege actual damages to bring lawsuits under the MHMDA. In addition, the law will require plaintiffs to prove they suffered actual injury tied to data sharing. This high threshold will make claims challenging to litigate. But litigation could better define the scope of the law through court decisions.
Almost a year after the law's entry into force in March 2024, the first class-action lawsuit under MHMDA was brought on 10 Feb. 2025, against Amazon for alleged violations by the company's software development kit embedded in third-party apps. The crux of the claim is that the location data Amazon's SDK collects could reveal sensitive health information that is protected under MHMDA.
New York's Biometric Privacy Act
The New York Biometric Privacy Act, a proposed state bill that tracks closely to BIPA, has come close to passage. Like BIPA, it would prohibit collection and sharing of biometric identifiers and biometric information without prior consent, and, most importantly, it would also include a private enforcement mechanism. Individuals could be awarded the greater of USD1,000 or actual damages for negligent violations and the greater of USD5,000 or actual damages for intentional or reckless violations.
Biometric privacy laws exist in over a half-dozen states in the U.S., while state-level consumer health data laws, like Washington state's MHMDA and Nevada's SB 370, are also becoming more numerous. Connecticut is also among the states that have recently amended their comprehensive privacy laws, adding protections for health data. These laws fill an important gap by providing privacy protections for individuals' health and biometric data, including fingerprints, faceprints and voiceprints.
Moreover, BIPA and MHMDA are unique among state privacy laws as they contain private rights of action. By providing private individuals with the right to bring claims and join classes for alleged privacy violations, these laws have emerged as supplements to state and federal enforcement activities and magnified the compliance challenges for organizations that collect, use, and store biometric and consumer health data.
US Data Privacy Litigation
The full series landing page can be accessed here.
Published
- Part 1: Breach of contract and warranties litigation
- Part 2: Website tracking litigation
- Part 3: Security breach litigation
- Part 4: Biometrics and consumer health data litigation
Coming Soon
- Part 5: Data brokers and judicial privacy litigation
- Part 6: Litigating accountability through shareholder action