AG Op. 2024-IL-07 (Illinois)

Enforceability of State Data Privacy Laws Against Out-of-State Companies

Federal & State Law Editorial Team
Last reviewed: April 2026
Attorney General Kwame Raoul
March 25, 2024
data privacy, biometric data, interstate commerce, jurisdiction

Summary

This opinion from the Illinois Attorney General examines the enforceability of the Illinois Biometric Information Privacy Act (BIPA) and the Illinois Personal Information Protection Act against companies that collect data from Illinois residents but are headquartered in other states. It analyzes personal jurisdiction, the dormant Commerce Clause, and interstate commerce considerations.

The opinion discusses the minimum contacts required for the exercise of specific personal jurisdiction over out-of-state companies that process Illinois residents' data. It examines whether BIPA's private right of action creates an undue burden on interstate commerce.

The opinion concludes that BIPA is enforceable against out-of-state companies that intentionally direct data collection activities toward Illinois residents, and that the statute does not impose an unconstitutional burden on interstate commerce given its focus on conduct occurring within or directed at the state.

Full Opinion Analysis

Background

The Illinois Biometric Information Privacy Act (BIPA), enacted in 2008, is the most litigated biometric privacy statute in the United States. BIPA requires private entities that collect, capture, or otherwise obtain biometric identifiers, including fingerprints, facial geometry scans, iris scans, and voiceprints, to obtain informed written consent before collection and to follow specific guidelines for storage and destruction. Critically, BIPA includes a private right of action that allows individuals to recover statutory damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation, making it a powerful tool for plaintiffs' attorneys.

The growth of biometric technology in consumer products, workplace timekeeping, and online services has expanded BIPA's reach far beyond Illinois. Companies headquartered in California, Texas, and other states routinely collect biometric data from Illinois residents through facial recognition features, fingerprint-based authentication, and voice assistant technologies. These companies have challenged the application of BIPA to their activities on jurisdictional and Commerce Clause grounds, arguing that an Illinois statute should not govern their data collection practices conducted primarily from servers and offices located in other states.

Legal Analysis

The jurisdictional analysis under the Due Process Clause requires that an out-of-state company have minimum contacts with Illinois sufficient to satisfy the requirements of specific personal jurisdiction. Under the Supreme Court's framework from International Shoe Co. v. Washington (1945) and its progeny, a court may exercise jurisdiction when the defendant has purposefully directed its activities toward the forum state and the cause of action arises from those contacts. In the BIPA context, the relevant contacts are the collection and processing of biometric data from Illinois residents. Companies that operate websites, applications, or services that are accessible to Illinois residents and that collect biometric data as part of those services have purposefully availed themselves of the Illinois market.

The dormant Commerce Clause analysis examines whether BIPA imposes an unconstitutional burden on interstate commerce. The Supreme Court's framework from Pike v. Bruce Church, Inc. (1970) provides that state regulations that have only incidental effects on interstate commerce are upheld unless the burden on commerce is clearly excessive in relation to the putative local benefits. BIPA's focus on protecting the biometric privacy of Illinois residents constitutes a legitimate local interest, and the burden on interstate commerce is incidental rather than direct. Companies can comply with BIPA by obtaining consent and implementing appropriate data handling procedures, which are standard business practices that do not significantly impede interstate commercial activity.

The opinion also addresses the extraterritoriality doctrine, noting that BIPA does not regulate conduct occurring entirely outside Illinois. Rather, it regulates the collection and handling of biometric data belonging to Illinois residents, which constitutes conduct directed at Illinois regardless of where the company's servers or offices are located. The Seventh Circuit's approach to BIPA jurisdiction has generally been favorable to plaintiffs, and the opinion endorses this framework while acknowledging that the Supreme Court may eventually address the jurisdictional boundaries of state data privacy laws.

Conclusion

BIPA is enforceable against out-of-state companies that intentionally collect biometric data from Illinois residents, provided that the company has minimum contacts with Illinois sufficient to support specific personal jurisdiction. The statute does not impose an unconstitutional burden on interstate commerce, and its application to out-of-state entities does not violate the extraterritoriality doctrine when the regulated conduct is directed at Illinois residents. The Attorney General will continue to enforce BIPA against companies that fail to comply, regardless of their state of incorporation or principal place of business.

Practical Impact

This opinion has significant implications for technology companies, employers, and service providers that collect biometric data from customers or employees in Illinois. Companies must evaluate whether their data collection practices trigger BIPA's consent and disclosure requirements, even if they have no physical presence in Illinois. The potential for class action litigation under BIPA's private right of action, combined with statutory damages that can accumulate to hundreds of millions of dollars, makes compliance a high priority. Data privacy counsel should advise clients to implement BIPA-compliant consent procedures for any service that collects biometric identifiers from users who may be Illinois residents.

Disclaimer: This is a summary of an Attorney General opinion provided for informational purposes. AG opinions represent the legal interpretation of the issuing office and do not constitute binding judicial precedent. Consult a qualified attorney for legal advice.
