
 

US Data Privacy Litigation

Biometrics and consumer health data litigation

This article, part of a series covering U.S. data privacy litigation, focuses on biometrics and consumer health data. The full series can be accessed here.


Published: March 2025



Private litigants alleging violations under the Illinois Biometric Information Privacy Act have had success settling claims regarding the privacy of their biometric data. The largest per-member award to date, around USD1,000 each for a class with over 45,000 members, comes from the sole BIPA case that was decided by a jury.


BIPA requirements

BIPA Section 15 contains the core requirements for private entities' retention, collection, disclosure and destruction of biometric identifiers and information. Section 15(a) requires covered entities that possess biometric identifiers or biometric information to develop publicly available, written policies that establish a retention and destruction schedule. Such biometric identifiers and biometric information must be destroyed when the initial purpose of collection has been met or within 3 years of the individual's last interaction with the private entity, whichever occurs first.

Section 15(b) prohibits private entities from collecting, capturing, purchasing, receiving through trade or otherwise obtaining an individual's biometric identifier or information, unless three conditions have been met:

  • The subject has been informed in writing that a biometric identifier or biometric information is being collected or stored.
  • The subject has been informed of the purpose and length of term for the collection, storage and use of the biometric identifier/information.
  • The private entity has received written release by the subject.

Similarly, Section 15(d) prohibits private entities from disclosing, redisclosing or otherwise disseminating an individual's biometric identifier or information unless they have met three analogous conditions.

The third prong of this consent requirement for "written release" had been the subject of some debate. In August 2024, BIPA was amended to include "electronic signature" within this definition.

Section 15(c), meanwhile, puts a blanket prohibition on selling, leasing, trading or otherwise profiting from an individual's biometric identifier or information.

Lastly, Section 15(d) requires private entities in possession of biometric identifiers/information to store, transmit and protect such data from disclosure "using the reasonable standard of care within the private entity's industry" and in a manner that is "the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information."


BIPA definitions and exclusions

Under BIPA Section 10, a biometric identifier is specifically defined as "a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry." By comparison, biometric information is any information "based on" one of these biometric identifiers that is then used to identify an individual.

While the term biometric data does not appear in the text of the law, it has been used as an umbrella term to refer to both biometric identifiers and biometric information. Excluded from the definition of biometric identifiers are things such as written signatures, photographs and human biological samples used for valid scientific testing or screening. Demographics and physical descriptions such as height, weight, hair color or eye color also do not constitute biometric data, nor do biological materials regulated under the Illinois Genetic Information Privacy Act or patient information regulated under the Health Insurance Portability and Accountability Act.


Scope of BIPA's PRA

Section 20 of BIPA contains its private right of action (PRA). This section gives "any person" aggrieved by a violation the right to file suit in a state circuit court or to bring a supplemental claim in federal district court. Individuals may recover four types of relief:

  • For negligent violations, the greater of liquidated damages of USD1,000 or actual damages.
  • For intentional or reckless violations, the greater of liquidated damages of USD5,000 or actual damages.
  • Attorney fees and other litigation expenses.
  • Other types of relief, including injunction.

Courts have previously ruled on the construction of Sections 15(b) and 15(d) of BIPA, namely whether "claims accrue each time a private entity scans a person's biometric identifier and each time a private entity transmits such a scan to a third party, respectively, or only upon the first scan and transmission." The Illinois Supreme Court in Latrina Cothron v. White Castle System held that "a separate claim accrues each time a private entity scans or transmits an individual's biometric identifier or information in violation of BIPA section 15(b) or 15(d)."

Following this decision, the Illinois State Legislature passed Senate Bill 2979, which put a limit on BIPA claims. Now, individuals are entitled to at most one recovery under Section 15(b) for a given biometric identifier or biometric information, regardless of the number of times it was collected, captured, purchased, received through trade or otherwise obtained, and to at most one recovery under Section 15(d), regardless of how many times the biometric identifier or information was disclosed, redisclosed or otherwise disseminated to a recipient.

The statute of limitations on bringing a BIPA claim has also been decided through litigation. In Tims v. Black Horse Carriers, the Illinois Supreme Court held that individuals can bring BIPA claims up to five years following an alleged BIPA violation.


Notable BIPA settlements

Several BIPA complaints against large technology companies have led to multimillion-dollar settlements and changes in the way companies collect, process and use consumers' biometric data.



My Health My Data Act

Washington state's My Health My Data Act was signed into law on 17 April 2023, with its provisions largely taking effect 31 March 2024. Small businesses, which the act defines as those with the consumer health data of fewer than 100,000 consumers or that derive less than 50% of their gross revenue from the collection, processing, selling or sharing of consumer health data of fewer than 25,000 consumers, had a delayed effective date of 30 June 2024.

Consumers must allege actual damages to bring lawsuits under the MHMDA. In addition, the law will require plaintiffs to prove they suffered actual injury tied to data sharing. This high threshold will make claims challenging to litigate, but litigation could better define the scope of the law through court decisions.

Almost a year after the law's entry into force in March 2024, the first class-action lawsuit under MHMDA was brought on 10 Feb. 2025, against Amazon for alleged violations by the company's software development kit embedded in third-party apps. The crux of the claim is that the location data Amazon's SDK collects could reveal sensitive health information that is protected under MHMDA.


New York's Biometric Privacy Act

The New York Biometric Privacy Act, a proposed state bill that tracks closely to BIPA, has come close to passage. Like BIPA, it would prohibit collection and sharing of biometric identifiers and biometric information without prior consent, and, most importantly, it would also include a private enforcement mechanism. Individuals could be awarded the greater of USD1,000 or actual damages for negligent violations and the greater of USD5,000 or actual damages for intentional or reckless violations.


Conclusion

Biometric privacy laws exist in over a half-dozen states in the U.S., while state-level consumer health data laws, like Washington state's MHMDA and Nevada's SB 370, are also becoming more numerous. Connecticut is also among the states that have recently amended their comprehensive privacy laws, adding protections for health data. These laws fill an important gap by providing privacy protections for individuals' health and biometric data, including fingerprints, faceprints and voiceprints.

Moreover, BIPA and MHMDA are unique among state privacy laws as they contain PRAs. By providing private individuals with the right to bring claims and join classes for alleged privacy violations, these laws have emerged as supplements to state and federal enforcement activities and magnified the compliance challenges for organizations that collect, use, and store biometric and consumer health data.

