Yates Anderson

Biometric Privacy Litigation Outside Illinois: Alabama and Florida Approaches


Illinois's Biometric Information Privacy Act, 740 ILCS 14/1 et seq. (BIPA), has generated billions of dollars in settlements and remains the gold standard of biometric privacy legislation in the United States. Enacted in 2008, BIPA requires private entities to obtain written informed consent before collecting biometric identifiers or information, mandates a written retention and destruction policy, prohibits profit from biometric data, and creates a private right of action with statutory damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation. For practitioners in states without comparable legislation—including Alabama and Florida—the challenge is constructing viable legal theories from existing law while the federal legislative environment remains unsettled.

Illinois BIPA as a Doctrinal Benchmark

Understanding BIPA's architecture is essential for practitioners working in non-BIPA states, because it defines the space the law is moving toward and the analytical baseline against which state common law must be measured.

Coverage. BIPA covers "biometric identifiers"—retina or iris scans, fingerprints, voiceprints, and scans of hand or face geometry—and "biometric information" derived from those identifiers. It applies to private entities only, not government actors. 740 ILCS 14/10.

Key requirements. A private entity must: (1) have a publicly available written policy with a retention schedule and destruction guidelines; (2) inform the subject in writing of the purpose and term for which the biometric data is being collected and stored; and (3) obtain a written release before collecting the data. 740 ILCS 14/15(a)-(b).

Private right of action with no actual harm required. BIPA's most powerful feature—and the feature that has driven extraordinary litigation volume—is that it requires no actual harm for a statutory damages claim. Any "person aggrieved by a violation" may sue. Illinois courts have held that the collection of biometric data without the required disclosures and consent is itself the "aggrieved" condition. This is the feature most conspicuously absent from Florida and Alabama law.

Florida: Common Law Privacy and FIPA

Florida has no biometric-specific statute. Practitioners must build claims from three sources: the common law right of privacy, the Florida Information Protection Act, and occasionally § 1983 (for government actors) or the federal framework.

Florida's Common Law Privacy Torts

Florida recognizes four invasion of privacy torts, derived from the foundational taxonomy:

  1. Intrusion upon seclusion: Intentional intrusion into the private affairs of another, in a manner that would be objectionable to a reasonable person.
  2. Appropriation of name or likeness: Use of a plaintiff's name or likeness for commercial benefit without consent.
  3. Public disclosure of private facts: Public disclosure of private information that a reasonable person would find objectionable.
  4. False light: Publication of information that portrays a person in a false light, constituting a major misrepresentation.

For biometric privacy claims, intrusion upon seclusion is the most relevant. An employer who covertly captures employee fingerprints or facial geometry without consent arguably intrudes upon the employee's reasonable expectation of bodily privacy. However, Florida's intrusion-upon-seclusion tort requires: (a) an intentional intrusion; (b) into a private sphere in which the plaintiff has a reasonable expectation of privacy; (c) that would be highly offensive to a reasonable person.

The "highly offensive" requirement is the primary hurdle. Florida courts have not uniformly held that biometric data collection—even without consent—is "highly offensive" absent additional egregious circumstances. Practitioners should allege supporting facts: covert collection, sale of biometric data to third parties, use of biometric identifiers in ways the subject could not anticipate, or security breaches that exposed the data.

Appropriation of name or likeness may lie where biometric identifiers (particularly facial recognition templates) are used commercially in a manner analogous to appropriating the subject's identity. The commercial-purpose requirement limits this theory.

Florida Information Protection Act (FIPA)

The Florida Information Protection Act, Fla. Stat. § 501.171, establishes Florida's data breach notification framework. FIPA requires covered entities to provide notice of breaches of "sensitive personally identifying information" to affected residents within 45 days. FIPA defines covered "sensitive" information broadly—it includes biometric data by implication under the "unique identifier" category—but FIPA's primary enforcement mechanism is administrative and does not create a broad private right of action.

A data breach involving biometric identifiers (e.g., a facial recognition database breach) might support FIPA violation claims, but the remedies available under FIPA's private enforcement provisions are limited compared to BIPA. FIPA is primarily useful in biometric cases as: (a) a notice-requirement hook if a breach occurs; (b) a basis for regulatory complaints to the Florida Attorney General; and (c) evidence that the legislature has recognized biometric data as particularly sensitive.

Florida's Sectoral Privacy Framework

Florida enacted a general consumer privacy framework—the Florida Digital Bill of Rights, effective July 2024—that provides certain rights to consumers regarding personal data, including sensitive data (which includes biometric data). However, the Florida Digital Bill of Rights has a significant exclusion: it applies only to controllers that meet a revenue threshold (businesses with annual revenues exceeding $1 billion globally, with Florida-specific revenue or data processing thresholds). This effectively exempts most small and mid-sized employers from its coverage, limiting its immediate practical use in most biometric employment cases.

Alabama: No Biometric Statute; Common Law and § 8-38

Alabama has no biometric-specific statute and no comprehensive consumer privacy law comparable to BIPA or California's CCPA.

Alabama Common Law Privacy

Alabama recognizes common law privacy torts, though the body of case law is substantially less developed than Florida's. The Alabama Supreme Court has recognized the right of privacy as a constitutional and common law interest protecting individuals from unreasonable intrusion. Under Alabama law, the actionable privacy torts generally mirror the Restatement (Second) of Torts §§ 652A–652E categories (intrusion, appropriation, public disclosure, false light).

For biometric privacy claims, intrusion upon seclusion and appropriation remain the viable theories, subject to the same "highly offensive" limitation applicable in Florida. Alabama courts have not specifically addressed biometric data collection as a privacy tort, creating an opportunity to develop the doctrine in the appropriate factual context.

Alabama Data Breach Notification: Ala. Code § 8-38

The Alabama Data Breach Notification Act of 2018, codified at Ala. Code § 8-38-1 et seq., requires covered entities that own or license personal information of Alabama residents to notify affected individuals of security breaches within 45 days of discovery. The Act defines "sensitive personally identifying information" to include, among other categories, biometric data in combination with a person's name when that combination could enable identity theft or fraud.

Like FIPA, the Alabama Act is primarily a breach notification statute, not a pre-breach consent or retention framework. Enforcement is through the Alabama Attorney General, not through private rights of action. A breach of a biometric database affecting Alabama residents triggers the notice obligation but does not independently create civil liability in Alabama state court under the statute.

Strategic use of § 8-38. In cases involving biometric data breaches, the statute is useful in two ways: (1) the notice requirement confirms that the legislature has recognized biometric data as sensitive, supporting the reasonableness of a plaintiff's privacy expectation in common law intrusion claims; and (2) failure to provide timely notice, while not itself creating civil liability, may support claims of negligence or bad faith in tort and may be relevant to punitive damages analysis.

Federal Proposals: The American Privacy Rights Act and Successors

Congress has repeatedly considered comprehensive federal privacy legislation that would include biometric data protections comparable to or exceeding BIPA. The American Privacy Rights Act (APRA), proposed in 2024, would have established nationwide requirements for consent before collection of biometric data, created a federal private right of action, and potentially preempted some state laws. APRA did not pass in its 2024 form.

The continued absence of federal biometric legislation means the patchwork of state law governs—Illinois's BIPA-derived private right of action in Illinois, thin common law theories in Alabama and Florida, and a growing number of state-specific laws in other jurisdictions (Texas, Washington, New York City, among others). Practitioners in BIPA-gap states should consider whether their clients have any Illinois-based connection that might bring Illinois law to bear, and should monitor federal legislative developments.

Federal Hooks

Even in states lacking biometric statutes, federal law may provide supplementary hooks:

Title VII and ADA. Where biometric tools (facial recognition, voice analysis) are used in employment decisions and produce disparate impact on protected classes, Title VII's disparate impact framework applies. See post 60 of this series.

Section 1981. For race-based algorithmic screening producing intentional discrimination, § 1981 provides a federal damages claim without exhaustion requirements.

Computer Fraud and Abuse Act (CFAA). In cases involving unauthorized access to biometric databases or systems, the CFAA may provide a federal cause of action, though its civil application is narrow.

Wiretap Act / Electronic Communications Privacy Act. The interception of biometric data transmitted electronically may, in narrow circumstances, fall within the ECPA's protections.

Practical Guidance for Non-Illinois Practitioners

Build common law claims with specificity. Allege covert collection, absence of any notice or consent, commercial use of the biometric data, and specific privacy harms resulting from the collection. The "highly offensive" standard is met more readily with evidence of deception or covert surveillance than with routine employment fingerprinting where the employer provided at least informal notice.

Document the data security posture. Evidence of inadequate security controls for biometric data—especially facial recognition templates or voiceprints—supports both the reasonableness of the privacy expectation and any negligence theory for breach-related harm.

Plead negligence and negligence per se. Where a data breach has occurred, allege breach of the duty of reasonable care in protecting sensitive biometric data. Alabama and Florida recognize negligence claims for foreseeable harm from data mishandling.

Maintain legislative vigilance. The biometric privacy landscape is in flux. Alabama and Florida legislative sessions warrant monitoring for BIPA-modeled proposals; federal legislation may preempt or supplement state law. Advise clients now on the risk of biometric data collection in preparation for a legal environment that will likely be more restrictive in the coming years.




Informational only. Not legal advice. No attorney-client relationship is created by reading this post. Consult a licensed attorney in your jurisdiction.
