By Al Saikali, a Partner in the Miami office of Shook, Hardy & Bacon LLP, where he chairs the Privacy and Data Security Practice. 

What impact would a private right of action have if it were included in a federal data-privacy law?  This question is being asked as Congress considers such a law.  Thus far, Congress has not included private rights of action in federal privacy laws like the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act.  A private right of action in the context of a data-privacy law appears to benefit plaintiffs’ lawyers the most, imposes a significant burden on judicial resources, and creates a disincentive for companies to be more forthcoming about privacy incidents, which is antithetical to the purpose of these laws and harmful to consumers. 

BIPA—A Case Study

The Illinois Biometric Information Privacy Act (BIPA) is perhaps the most prominent example of an existing privacy law that contains a private right of action.  The law, which went into effect over ten years ago, requires companies that collect biometric information (e.g., fingerprints, facial scans, hand scans, and retinal scans) to first provide notice and obtain a written release from the data subjects.  BIPA also prohibits companies from sharing biometric information with third parties without first obtaining the data subject’s consent.  Security safeguards must also be implemented in an effort to protect the biometric information.  Most pertinent to this article, individuals who are “aggrieved by” a violation of the law are entitled to sue for an amount of $1,000 to $5,000 per violation depending on the level of negligence or intentional misconduct involved. 

The Illinois legislature adopted BIPA to address the perceived fear that biometric information, which cannot be replaced if stolen, might be compromised and misused in some way.  The fear never became a reality.  Since late 2017, however, over 200 class-action lawsuits have been filed against companies whose employees punch in and out of work using a finger scan.  The lawsuits contend that the defendants never gave employees notice that their biometric information was being collected, nor were they asked to sign a release as required by BIPA.  Companies that employ as few as 1,000 people are now facing a minimum of $1,000,000 in liability under these lawsuits.