BIPA: What Recent Court Decisions Mean for the Financial Industry

Class action plaintiffs' firms — spurred on by a significant recent expansion of available damages for biometric privacy suits — have begun targeting the financial industry. The Illinois Biometric Information Privacy Act (BIPA) is the most expansive biometric privacy law in the country, and has strict requirements for businesses collecting, storing or using biometric data (including voiceprints, fingerprints and facial scans). Pursuant to BIPA, plaintiffs' attorneys have pursued hundreds of class action lawsuits in recent years against companies operating in Illinois or collecting Illinois residents' biometric data. In February 2023, the Illinois Supreme Court issued two decisions that ratcheted up available damages by extending the statute of limitations to five years and holding that every instance of collecting or using biometric data (rather than just the first instance for each plaintiff) constitutes a compensable injury.

Until recently, financial institutions have largely been able to navigate the explosion of BIPA litigation through an express statutory exception providing that BIPA does not "apply in any manner to a financial institution nor an affiliate of a financial institution that is subject to Title V of the federal Gramm-Leach-Bliley Act (GLBA) of 1999 and the rules promulgated thereunder" (the "GLBA Exemption"). 740 ILCS 14/25(c).

Despite the GLBA Exemption, plaintiffs' attorneys have recently found traction targeting the practices of vendors financial firms use for identity verification (e.g., using facial scans or voiceprints) and arguing that the firms themselves should also be on the hook for alleged BIPA violations. In Davis v. Jumio Corp., No. 22-CV-00776, 2023 WL 2019048 (N.D. Ill. Feb. 14, 2023), the court rejected a motion to dismiss filed by a vendor providing identity verification for users of a cryptocurrency exchange, holding in part that the vendor was not protected by the GLBA Exemption and that the exchange, which retained the vendor, could also be on the hook for violations.

Plaintiffs' attorneys' tactics in Davis and similar cases make clear that financial institutions must evaluate and understand their practices (and their vendors' practices) for collecting, handling, and storing biometric information, as missteps could result in significant liability. Further, going forward, financial firms should negotiate robust indemnity provisions with their biometric vendors, and determine their oversight obligations concerning vendors' handling of biometric data.