Identifiable to Whom? Clarifying Biometric Privacy Rights in Illinois and Beyond
Illinois’s Biometric Information Privacy Act (BIPA) is the country’s most powerful law governing biometric data—data generated from an individual’s biological characteristics, like fingerprints and voiceprints. Over the past decade, BIPA garnered a reputation as an exceptionally plaintiff-friendly statute. But from 2023 to 2024, the Illinois legislature, Illinois Supreme Court, and Ninth Circuit Court of Appeals all sided with BIPA defendants, largely for the first time. Most significantly, in Zellmer v. Meta Platforms, Inc., the Ninth Circuit dismissed the plaintiff’s BIPA claim because the face scan collected by the defendant could not be used to identify him.
It is unclear whether these developments represent a trend or an exception to BIPA’s plaintiff friendliness. Which path is charted will largely turn on how courts interpret Zellmer. While Zellmer established that a biometric identifier must be able to identify an individual, lower courts have construed its holding narrowly to require that the entity collecting biometric data must itself be able to identify using that data, rather than it being sufficient for any entity to do so. Reading BIPA this narrowly would significantly weaken the statute’s protections.
After detailing how employer and consumer cases catalyzed this recent defendant-friendly shift, this Comment proposes a two-step framework to determine whether a biometric identifier is able to identify, thereby falling under BIPA’s reach. Given BIPA’s broad influence, where courts ultimately land on this question will be crucial to the protection of biometric data nationwide.