Biometric Privacy Suits Face Hurdles

Illinois’ Biometric Information Privacy Act (BIPA) is possibly the most advanced such law in the U.S., but the difficulty of suing biometrics providers as third party vendors have increased with a pair of recent decisions relating to jurisdiction and standing. A lack of connections between biometric providers and the state of Illinois can place providers outside of state or federal court jurisdiction for BIPA violations. Illinois only has jurisdiction if the providers have continuous and systematic contacts with Illinois (general jurisdiction), or if the claim is related to direct contacts with Illinois (specific jurisdiction). Illinois law does not apply to actions taken outside of the state unless the specific statute in question says so, which BIPA does not. The difference in standing to sue between state and federal court is crucial. Federal courts require an injury, states generally allow a suit to proceed based on a procedural violation. This creates a barrier for plaintiffs to make claims against third parties under BIPA’s Section 15(a), which requires publicly available policies for the retention and destruction of biometric data.