An Illinois federal judge has ruled that a security camera company can face claims under the state’s Biometric Information Privacy Act (BIPA), rejecting the defense’s argument that the location of data processing servers outside Illinois exempts them from the law’s jurisdiction.
The company contended that because the servers processing the collected images were based outside Illinois, they were not subject to BIPA. However, the court determined that the alleged collection and access to biometric data occurred at the plaintiffs’ residences in Illinois, where the cameras were installed. This decision underscores that the physical location of data processing does not necessarily shield companies from compliance with Illinois’ biometric privacy regulations.
Enacted in 2008, BIPA is one of the nation’s most stringent biometric privacy laws, requiring private entities to obtain informed consent before collecting or storing biometric identifiers, such as facial scans or fingerprints. The act also mandates that companies disclose their data retention policies and secure the biometric data they collect. Violations can result in statutory damages ranging from $1,000 for each negligent violation to $5,000 for each intentional or reckless violation.
This ruling aligns with other recent decisions emphasizing the applicability of BIPA to companies operating in Illinois, regardless of where their data processing occurs. For instance, in a case involving Anker Innovations Ltd., the manufacturer of “eufy” security cameras, the court allowed BIPA claims to proceed, highlighting that the alleged data collection took place at users’ residences in Illinois. The court dismissed the company’s argument that the location of their servers outside the state exempted them from BIPA’s reach.
These decisions reflect a broader trend in Illinois courts to uphold the protections afforded by BIPA, even as the state legislature has made amendments to the law. In August 2024, Governor J.B. Pritzker signed a bill modifying BIPA to limit companies’ liability to a single incident per individual, rather than multiple penalties for each instance of misuse. This change aims to reduce the potential financial penalties for companies mishandling biometric data, which had previously led to costly settlements under the stricter BIPA regulations.
As biometric technology becomes increasingly integrated into consumer products and services, companies operating in Illinois must remain vigilant in complying with BIPA’s requirements. This includes obtaining explicit consent from individuals before collecting biometric data, transparently disclosing data handling practices, and ensuring robust security measures to protect sensitive information. Failure to adhere to these standards can result in significant legal and financial repercussions, as demonstrated by the recent court rulings.