The Illinois Biometric Information Privacy Act enacted in 2008 was an important first step in developing policy on biometrics. According to the law, a private entity possessing biometric information accessible to the public must have a retention schedule and policy for permanently destroying biometric information. Additionally, there are restrictions on how a private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information. Most importantly, this law requires obtaining written consent prior to collecting biometric information as the law provides a private right of action for anyone injured under the Act. 

Interestingly, the case of Patel v. Facebook is an illustration of how this law applies to our growing dependence on technology. The question in Patel, is whether the collection of an individual's biometric data in violation of the Illinois Biometric Information Privacy Act is sufficient to establish Article III standing. According to the complaint, plaintiffs’ allege that Facebook subjected them to facial-recognition technology without complying with an Illinois statute intended to safeguard their privacy. Since the plaintiff did not allege substantive harm, the defendant moved to dismiss the case on Article III standing grounds. However; the Ninth Circuit stated that “Because a violation of the Illinois statute injures an individual’s concrete right to privacy, we reject Facebook’s claim that the plaintiff have failed to allege a concrete injury-in-fact for purposes of Article III standing.”

This case is in contrast to Santana v. Take-Two Interactive Software, Inc. who in 2017 interesting had the same Illinois law at issue. In this case plaintiff purchased NBA 2K15 and used the MyPlayer feature that allowed the creation of MyPlayer avatars. However; the Illinois Biometric Information Privacy Act’s private right of action allowed for plaintiff to allege that defendant “(1) collected their biometric data without their informed consent; (2) disseminated their biometric data to others during game play without their informed consent; (3) failed to inform them in writing of the specific purpose and length of term for which their biometric data would be stored; (4) failed to make publicly available a retention schedule and guidelines for permanently destroying plaintiffs’ biometric data; and (5) failed to store, transmit, or protect from disclosure plaintiffs’ biometric data by using a reasonable standard of care or in a manner that is at least as protective as the manner in which it stores, transmits, and protects other confidential and sensitive information.”

The Second Circuit in contrast to Patel, found that the plaintiff lacked standing for this claim because they did not allege that this deficient notice created any material risk that would have “resulted in plaintiffs’ biometric data being used or disclosed without their consent.”

So what happens now? First Santana is a summary order which means that this is not binding precedent on the Second Circuit. The Patel court attempted to distinguish itself from Santana by saying that in Patel unlike Santana, the plaintiff did not know that their biometric information was being collected. It seems like the U.S. Supreme Court may be the appropriate forum to settle this split decision by the Court of Appeals. This is especially true as Congress has not yet passed a federal biometric law that could put all questions to rest. Needless to say that as technology companies look for innovative ways to deliver advanced customer experiences, these stakeholders may want to forecast how their new products may be impacted by enacted laws like biometrics. Contact Lanton Law for additional information.