Getting BIPA Right: Biometric Identifiers Must Identify
The Illinois Biometric Information Privacy Act (“BIPA”), 740 ILCS 14/1 et seq., is one of the most hotly litigated privacy statutes in the country. As it stands, there is no clear appellate authority on BIPA’s reach in at least one critical respect: whether BIPA applies to data that cannot identify a person. District courts are currently split on this issue, with some courts concluding that BIPA applies even in instances where an incidental “scan” of someone’s face is incapable of identifying the person whose face is scanned. If appellate courts uphold that conclusion, BIPA could effectively outlaw biometric-identification technology. Such an outcome is contrary to the plain language of the statute and makes little legal or policy sense.
Biometric technologies are used to detect fraud, protect financial data, safeguard sensitive facilities, prevent workplace accidents, fight human trafficking, and much more.[1] But how these technologies are regulated has left companies at a crossroads, asking: when, exactly, are biometric privacy statutes triggered, and do they apply where complying with the statute’s requirements is impossible?
These tensions are felt most acutely for companies deploying biometric technologies in Illinois. Illinois’ Biometric Information Privacy Act (“BIPA”), 740 ILCS 14/1 et seq., is a groundbreaking statute passed in 2008 for the well-meaning purpose of governing the use of biometrics linked to personally identifying information (“PII”).
Despite that, some courts have concluded that BIPA applies even where there is no PII at issue. These courts have concluded that BIPA applies where an entity incidentally captures, even in passing, data from individuals it cannot identify.[2] Other courts have disagreed, concluding that BIPA only applies if the data can identify an individual.[3] In doing so, they have effectively concluded that BIPA only applies in circumstances where compliance is at least possible.[4]
As discussed below, neither BIPA’s text, the Illinois General Assembly’s intent, nor commonsense policy considerations support applying BIPA where biometric-identification technology is not capable of identifying the person whose data is allegedly at issue. To show why this is the case, we briefly summarize the legislative history, map out the current litigation landscape, and identify key law and policy considerations.
BIPA was enacted in 2008 in response to the bankruptcy of an Illinois-based company called Pay by Touch. As the name suggests, Pay by Touch allowed shoppers to pay for goods and services with the touch of a finger. Behind the technology, the company maintained a database in which individuals’ finger scans were associated with their personal information, like name, credit card number, and address. When the company went bankrupt, “thousands of customers” were left “wondering what will become of their biometric and financial data.”[5] In response, the Illinois General Assembly passed Senate Bill 2400, which became known as BIPA. From the very beginning, therefore, BIPA was designed to protect biometric data linked to individuals that posed a risk of financial or other harm if sold or disclosed.
The General Assembly was explicit that it did not intend BIPA to be an outright ban on biometric technology — rather, it recognized the “promise” of the technology and what it could offer the Illinois public.[6] Still, the General Assembly recognized that some members of the public may be “w[]ary” of the technology and thus sought to implement safeguards through an informed consent regime.[7]
BIPA thus regulates the collection, use, storage, sale, and dissemination of “biometric identifiers” and “biometric information.” BIPA defines “biometric identifiers” as six enumerated data elements used to identify an individual: fingerprints, voiceprints, retina scans, iris scans, scans of hand geometry, and scans of face geometry.[8] “Biometric information” is derivative data. BIPA defines it as any information “based on an individual’s biometric identifier,” “regardless of how it is captured, converted, stored, or shared,” that is “used to identify an individual.”[9]
Taken together, BIPA regulates “a set of biology-based measurements (‘biometric’) that is used to identify a person (‘identifier’),” and derivative data still capable of doing the same.[10] But not all district courts have read the plain text of the statute in this way.
The Illinois Supreme Court decided in Rosenbach v. Six Flags Entertainment Corp. that an individual may maintain a BIPA claim in the absence of harm beyond a technical violation of the statute.[11] But it has yet to consider fundamental questions relating to the viability of claims where the data at issue is not capable of identifying the individual such that a business cannot feasibly provide the requisite notice or obtain consent. As a result, companies are left to rely on conflicting rulings of lower courts, which provide uncertain guidance on what separates lawful and unlawful uses of biometric technology.
On the one hand, some courts have concluded that the plain language of the statute and the practical realities of how biometric-identification technologies work require the collected data to be at least capable of identifying a person. For example, in Daichendt v. CVS, the court explained that the “most foundational aspect of a BIPA claim” is whether the defendant had the capacity to identify the plaintiffs with the data collected.[12] There, because the plaintiffs initially pled no facts suggesting the defendant could identify them (or any individual) based on the data collected, their claim failed. That litigation is ongoing, after plaintiffs amended to “allege that defendant collected and stored their personal contact data (‘real-world identifying information’) . . . , which made defendant capable of identifying them when associated with scans of their face geometry (‘biometric identifiers’).”[13]
Similarly, in Zellmer v. Meta, the court observed it would be “counterintuitive” if BIPA was construed to require companies to obtain consent from individuals unknown to them.[14] This would lead to “obvious and insoluble problems” that would put companies “in an impossible position.”[15] The court therefore concluded that interpreting BIPA in this way would not be “consonant with the Illinois legislature’s intent or the Illinois Supreme Court’s determination that BIPA should not impose extraordinary burdens on businesses.”[16]
On the other hand, in Colombo v. YouTube, LLC, the plaintiff filed a BIPA claim based on YouTube’s Face Blur feature. In denying the motion to dismiss, the court expressly rejected YouTube’s argument that a plaintiff must “allege a single fact that would plausibly lead to the conclusion that the data [YouTube] collects can be used to identify the individuals in the uploaded videos.”[17]
Following a similar pattern, in Gunderson v. Amazon.com, Inc., one of the plaintiffs was not an Amazon Alexa owner, but someone who allegedly spoke to an Alexa device owned by someone else who had activated Voice ID. The plaintiff sued Amazon, claiming that Alexa “captured her ‘voiceprint’” in the process of comparing her voice to the Alexa owner’s.[18] The court allowed her claim to proceed past the motion to dismiss stage, rejecting Amazon’s arguments that BIPA required a “minimum level of known contact” and did not apply to individuals that “Amazon has no means of identifying.”[19]
Given the growing split in lower court authority, the question of whether BIPA applies where the data collected cannot identify the individual is ripe for appellate review.
BIPA’s text and legislative history make clear that the statute seeks to protect against the collection, sale, and disclosure of biometric data “used to identify an individual.”[20] Law and policy yield a clear answer to the growing split in the courts: BIPA’s reach must be limited to data capable of identifying a person. To hold otherwise would allow a plaintiff to sustain a BIPA claim in circumstances where compliance is impossible.
In holding that BIPA claims are not limited to identifiable individuals, some courts have noted that BIPA’s definition of “biometric identifier” omits the clarifying clause — “used to identify an individual” — that the General Assembly included in defining “biometric information.”[21] As a result, they have concluded that BIPA imposes no requirement that facial scans, for example, can be used to identify an individual. But this ignores the plain and ordinary meaning of the terms “biometric” and “identifier.”
“Biometrics” are “the measurement and analysis of unique physical or behavior characteristics (such as fingerprint or voice patterns) especially as a means of verifying personal identity.”[22] BIPA § 5(c) — the statement of legislative findings and intent — expressly provides that “[b]iometrics are unlike other unique identifiers.”[23]
Suggesting “biometric identifiers” could be interpreted to reach data that does not “identify” renders the term “identifier” in “biometric identifier” superfluous. It denies the term’s plain and ordinary meaning, i.e. something “that identifies”[24] or “state[s] the identity of (someone or something).”[25] Thus, courts considering the meaning of “biometric identifier” have recognized that “a ‘biometric identifier’ is . . . a set of measurements of a specified physical component (eye, finger, voice, hand, face) used to identify a person.”[26] The Illinois Attorney General agrees, explaining that “the phrase ‘biometric identifier’ is commonly understood to refer to the measurement and analysis of a unique physical or behavioral characteristic that identifies a person.”[27]
The enumerated items listed in BIPA’s definition of “biometric identifier” confirm this interpretation. A voiceprint is “[a] distinctive pattern of curved lines and whorls made by a machine that measures human vocal sounds for the purpose of identifying an individual speaker.”[28] Similarly, a “fingerprint” is “an ink impression of the lines upon the fingertip taken for the purpose of identification.”[29] A scan of facial geometry must be read in the same way, because each item in the list must be interpreted to be like the terms that surround it to avoid giving the statute “unintended breadth.”[30] The General Assembly could have just said “biometrics,” which would still suggest a capability to identify. But it went further and modified the term with “identifier” to make the requirement that the data be capable of identifying a person unmistakable. Both terms must be considered.
Applying BIPA to any scan of a finger, voice, iris, hand, or face, regardless of the ability to tie that scan back to an individual, further marks a clear departure from the General Assembly’s intent. As described, the General Assembly penned and ultimately signed BIPA into law to address concerns arising from Pay by Touch’s bankruptcy and potential sale of its database linking users’ finger scans to names and associated financial information. Thus, at its inception, BIPA was conceptualized to protect unique biometric markers of identifiable individuals.
Indeed, BIPA’s legislative findings state that “[a]n overwhelming majority of members of the public are [wary] of the use of biometrics when such information is tied to finances and other personal information.”[31] Illustrating this point, the General Assembly specified potential locations where biometrics might be collected: “grocery stores, gas stations, and school cafeterias.”[32] This “convey[s] the legislature’s intent that BIPA applies where there is at least a minimum level of known contact between a person and an entity that might be collecting biometric information.”[33]
What’s more, BIPA was designed “to regulate and promote, not inhibit, the use of biometric technology.”[34] Given that purpose, in Rosenbach, the Illinois Supreme Court explained that BIPA compliance “should not be difficult,” and that to comply, businesses should incur “insignificant” expenses.[35] Nothing could be further from reality if BIPA continues to be interpreted in a way that requires companies to identify, give notice to, and obtain consent from every individual whose data could be incidentally captured, even where the business has no relationship with the individual and the data collected cannot identify that individual.
A fundamental principle of statutory construction is that statutes should not be interpreted in a manner that leads to “absurd, inconvenient, [and] unjust results.”[36]
Colombo v. YouTube illustrates why interpreting BIPA to reach technology that is not capable of identifying an individual can lead to illogical results. There, a plaintiff sued YouTube for allegedly capturing “scans of face geometry” through some of its video editing tools, such as the “face blur” feature.[37] YouTube users used the feature to blur out faces in their videos to protect individuals’ privacy. YouTube, meanwhile, had no reliable method of identifying the individuals whose faces had been blurred because they were not tied back to a YouTube account or otherwise connected to PII.[38] Despite that limitation, the court ultimately denied YouTube’s motion to dismiss, promoting a net-privacy loss for any individual, such as bystanders or minors, for whom anonymization would have been more valuable.[39]
BIPA’s notice-and-consent regime makes little sense if it is stretched to reach unidentifiable individuals. In Zellmer, for instance, the district court granted Facebook’s motion for summary judgment as to a non-Facebook user, because the company could not have possibly obtained consent from an unidentifiable individual whose photo was incidentally uploaded to the social media platform by a user.[40] As the court explained, a contrary interpretation would pose “insurmountable practical problem[s] for the myriad of photos taken in restaurants, vacation destinations, school graduations, and countless other settings where unknown people will appear in a picture.”[41]
At the time BIPA was enacted, iris scans, facial recognition software, and biometric passports were fledgling technologies. The Illinois General Assembly understood that “the use of biometrics [was] growing.”[42] Its core mission, however, was simple: protect consumer privacy by regulating the collection, sale, and disclosure of biometric identifiers — i.e. biometric data that could be linked back to a person. In the 16 years since BIPA became law, some courts have lost sight of that core mission, reaching decisions that stand to reduce consumer privacy and hamper access to innovative biometric technologies in the Illinois market. Both law and policy support an interpretation of BIPA that avoids those pitfalls.
This was first published in CPI TechREG Chronicle. The authors would like to thank their colleagues Erik Manukyan and Leeza Arbatman for their assistance researching and drafting this article.
[1] See Jan Lunter, Top 8 Advancements in Biometrics That Will Mark 2022, Analytics (Mar. 10, 2022), https://pubsonline.informs.org/do/10.1287/LYTX.2022.02.15/full/ (last accessed Apr. 15, 2024).
[2] See, e.g., Colombo v. YouTube, LLC, No. 3:22-CV-06987-JD, 2023 WL 4240226, at *3 (N.D. Cal. June 28, 2023) (rejecting argument that plaintiff must “allege a single fact that would plausibly lead to the conclusion that the data [defendant] collects can be used to identify the individuals in the uploaded videos”); Wilcosky v. Amazon.com, Inc., 517 F. Supp. 3d 751, 761-62, 757 (N.D. Ill. Feb. 5, 2021) (allowing BIPA claims brought by a plaintiff who had not registered with Amazon Voice ID or purchased an Alexa-enabled device, but had “spoken in proximity to an Alexa device while Alexa was recording”).
[3] See, e.g., Daichendt v. CVS Pharmacy, Inc., No. 22 CV 3318, 2022 WL 17404488, at *5 (N.D. Ill. Dec. 2, 2022) (asserting that plaintiffs must “allege that defendant’s collection of their biometric data made defendant capable of determining their identities”); accord Delgado v. Meta Platforms, Inc., No. 23-cv-04181-SI, 2024 WL 818344, at *6 (N.D. Cal. Feb. 27, 2024); Castelaz v. The Estee Lauder Cos., Inc., No. 22-cv-5713, 2024 U.S. Dist. LEXIS 7321, at *19-21 (N.D. Ill. Jan. 10, 2024); Clarke v. Aveda Corp., No. 21-CV-4185, 2023 U.S. Dist. LEXIS 232492, at *6-7 (N.D. Ill. Dec. 1, 2023).
[4] See, e.g., Zellmer v. Meta Platforms, Inc., No. 3:18-CV-01880-JD, 2022 WL 976981, at *3 (N.D. Cal. Mar. 31, 2022) (“[I]t would be patently unreasonable to construe BIPA to mean that Facebook was required to provide notice to, and obtain consent from, non-users who were for all practical purposes total strangers to Facebook, and with whom Facebook had no relationship whatsoever.”).
[5] H.R. Debate Transcript, 95th Gen. Assemb. No. 276, at 249 (Ill. 2008) (statement of Rep. Kathy Ryg).
[6] 740 ILCS 14/5(a).
[7] Id. § 5(d).
[8] Id. § 10.
[9] Id.
[10] Rivera v. Google Inc., 238 F. Supp. 3d 1088, 1095 (N.D. Ill. 2017).
[11] Rosenbach v. Six Flags Ent. Corp., 2019 IL 123186, ¶ 33.
[12] Daichendt, 2022 WL 17404488, at *5.
[13] Daichendt v. CVS Pharmacy, Inc., No. 22 CV 3318, 2023 WL 3559669, at *1 (N.D. Ill. May 4, 2023).
[14] Zellmer, 2022 WL 976981, at *4.
[15] Id.
[16] Id. at *5.
[17] Colombo, 2023 WL 4240226, at *3.
[18] Gunderson v. Amazon.com, Inc., No. 19-cv-05061, ECF No. 207 at 9 (N.D. Ill. Oct. 31, 2023).
[19] Id. at 11-12.
[20] 740 ILCS 14/10.
[21] See, e.g., Colombo, 2023 WL 4240226, at *3.
[22] Biometrics, Merriam-Webster (last accessed Apr. 15, 2024).
[23] 740 ILCS 14/5(c).
[24] Identifier, Merriam-Webster (last accessed Apr. 15, 2024).
[25] Identify, Merriam-Webster (last accessed May 6, 2024); accord Nationstar Mortgage LLC v. Benavides, 2020 IL App (2d) 190681, ¶ 21; Black’s Law Dictionary (11th ed. 2019) (defining “identify” as “to prove the identity of a person or thing”).
[26] Rivera, 238 F. Supp. 3d at 1096; accord Carpenter v. McDonald’s Corp., 580 F. Supp. 3d 512, 515 (N.D. Ill. 2022) (“[A] biometric identifier is a unique personal feature that can be used to identify a person.”); Hazlitt v. Apple Inc., 500 F. Supp. 3d 738, 749 (S.D. Ill. 2020) (“The word ‘identifier’ modifies the word ‘biometric’ to signal that the types of data listed could be used to identify a person.”).
[27] State of Illinois, Office of the Attorney General, Public Access Op. No. 17-011, 2017 WL 10084298, at *3 (Ill. A.G. Aug. 14, 2017) (emphasis added).
[28] Voiceprint, Black’s Law Dictionary (11th ed. 2019) (emphasis added); see also Robinson v. Lake Ventures LLC, No. 22 CV 6451, 2023 WL 5720873, at *7-9 (N.D. Ill. Sept. 5, 2023); see also Vance v. Int’l Bus. Machines Corp., No. 20 C 577, 2020 WL 5530134, at *5 (N.D. Ill. Sept. 15, 2020) (defining a voiceprint as “a set of measurements of a specified physical component,” including “voice,” that “can be used to identify” a person (citation omitted)).
[29] Fingerprint, Merriam-Webster (last accessed May 6, 2024).
[30] Maracich v. Spears, 570 U.S. 48, 62-63 (2013) (citation omitted); accord Life Techs. Corp. v. Promega Corp., 580 U.S. 140, 146 (2017) (“[A] word is given more precise content by the neighboring words with which it is associated.” (citation omitted)).
[31] 740 ILCS 14/5(d) (emphasis added).
[32] Id. § 5(b).
[33] Zellmer, 2022 WL 976981, at *4.
[34] Vance v. Microsoft Corp., 534 F. Supp. 3d 1301, 1307 (W.D. Wash. 2021) (citation omitted).
[35] Rosenbach, 2019 IL 123186, ¶ 37.
[36] People v. Webb, 2019 IL 122951, ¶ 17; see also Coram v. State, 2013 IL 113867, ¶ 57.
[37] Colombo, 2023 WL 4240226, at *1.
[38] Id. at *3.
[39] Id. at *3-4.
[40] Zellmer, 2022 WL 976981, at *3.
[41] Id. at *4.
[42] 740 ILCS 14/5(a).