While specific details about a completed lawsuit claiming L1 Identity Solutions retained biometric border system data beyond required periods are not currently available in major legal databases, the underlying legal issue is very real and increasingly common in biometric privacy litigation. Under the Illinois Biometric Information Privacy Act (BIPA), companies that collect biometric data—including those operating border control systems—must destroy that data within 3 years of the last interaction with an individual or when the collection purpose is satisfied, whichever comes first. Violations of these retention requirements have become a major source of class action litigation, with courts imposing strict penalties against companies that fail to follow these timelines.
L1 Identity Solutions, now part of the defense contractor Idemia after being acquired by Safran in 2011, specializes in biometric identification systems deployed across border control, passport processing, and identity verification operations in more than 20 countries. The company’s technology touches the biometric data of millions of travelers and citizens globally, making data retention compliance a critical legal and operational concern. If such a lawsuit exists or emerges, it would fit into a larger pattern of BIPA litigation targeting companies that retain biometric information longer than law allows.
Table of Contents
- What Is BIPA and Why Does It Apply to Border System Data?
- What Happens When Companies Store Biometric Data Beyond the Required Period?
- L1 Identity Solutions’ Background and Why Border System Cases Matter
- How Do These Lawsuits Get Certified as Class Actions?
- What Are Common Defenses and Limitations in Biometric Retention Cases?
- What Do BIPA Settlements Typically Look Like?
- What’s the Future of Biometric Data Retention Litigation?
What Is BIPA and Why Does It Apply to Border System Data?
The Illinois Biometric Information Privacy Act (BIPA) is one of the most employee and consumer-protective biometric privacy laws in the United States. Enacted in 2008, BIPA requires companies to obtain written consent before collecting, storing, or using biometric identifiers—defined as fingerprints, retinal or iris images, and other unique physical characteristics used for identification. The law also establishes strict rules about how long companies can keep that data. Specifically, a company must destroy an individual’s biometric data and all records containing that data within 3 years of the individual’s last interaction with the company, or immediately after the specific business purpose for collecting it has been satisfied, whichever occurs first. This requirement applies regardless of whether the data was collected in Illinois or by an Illinois-based company—courts have consistently interpreted BIPA’s reach as extraterritorial.
For a company like L1 Identity Solutions operating border control systems, BIPA compliance becomes complex because the “business purpose” and “last interaction” timelines vary significantly by use case. If L1 operates facial recognition or fingerprint matching systems at U.S. airports or border crossings, the company must comply with BIPA even if the traveler was not from Illinois. However, if the system was deployed outside the U.S. or in contexts where no individual ever set foot in Illinois, BIPA might not apply—this is a critical distinction that litigation often hinges on. The requirement to prove compliance through documented destruction of records is stringent; companies must demonstrate they actually deleted the data, not just deleted references to it.
What Happens When Companies Store Biometric Data Beyond the Required Period?
When a company retains biometric data beyond the 3-year window (or beyond the end of the collection purpose, whichever is sooner), it violates BIPA and exposes itself to significant liability. The law allows individuals to sue for violations, and courts have awarded damages ranging from statutory penalties to class action settlements. Under BIPA, each violation can result in statutory damages of $1,000 to $5,000 per person per violation, depending on whether the violation was negligent or intentional. In a large-scale border system case affecting millions of travelers, these numbers compound quickly; even a single-digit settlement usually involves multiple plaintiffs and can reach millions of dollars. However, not every data retention issue triggers liability at the same level. If a company can demonstrate it had a legitimate reason to extend retention—such as an ongoing investigation or legal hold—and did so transparently and minimally, courts may view the violation more favorably than a pattern of indefinite storage for unclear business reasons.
The burden of proof matters significantly in retention cases. Companies must maintain detailed records showing when data was destroyed, by whom, and through what method. If a company claims it deleted biometric data but cannot produce documentation of that deletion, courts typically assume the data was retained improperly. A relevant example is the pattern seen in BIPA litigation against fingerprint and facial recognition vendors: many companies discovered during discovery that they had no deletion logs, no audit trails, and no ability to prove they ever destroyed anything. This lack of documentation has proven costly—settlement amounts often increase when plaintiffs’ attorneys can show the defendant had no retention oversight at all. The difference between a company that made a good-faith effort to comply (but fell short by 6 months) and a company that simply never deleted anything can be substantial in settlement negotiations.
L1 Identity Solutions’ Background and Why Border System Cases Matter
L1 Identity Solutions emerged as a significant player in biometric identity systems through decades of government and commercial contracts. After its acquisition by Safran (a major aerospace and defense company) in 2011, the firm became part of Idemia, which now operates as one of the world’s largest providers of secure identity and digital security solutions. L1’s systems have been deployed in border control agencies, passport issuance programs, and identity verification networks across more than 20 countries. This extensive deployment means that if a data retention violation occurred, the number of affected individuals could easily reach hundreds of thousands or millions—the scale of a modern mega-breach, but in this case involving sensitive biometric data like fingerprints and facial images rather than usernames and passwords.
The company’s history includes a previous securities-related lawsuit (the Viisage Technology settlement from 2004-2005, which resulted in a $2.3 million settlement), but that case dealt with alleged misstatements to investors rather than data privacy issues. A hypothetical BIPA lawsuit against L1 would be distinct and would focus on the actual treatment of biometric data in the company’s systems. Border system cases are particularly sensitive because they involve government databases and high-security contexts where data retention is especially scrutinized; regulators and courts expect defense contractors and government technology providers to maintain higher standards than commercial companies. If L1 retained border system biometric data beyond the legal retention window, the violation would be especially problematic because it affects citizens’ core identity information and government systems depend on their reliability.
How Do These Lawsuits Get Certified as Class Actions?
Biometric data retention cases have become a standard category of class action litigation, and courts have become familiar with the mechanics of certifying these cases. A class action requires that the court find: (1) a sufficiently large class of affected people, (2) common questions of law or fact, (3) claims or defenses typical of the class, and (4) a representative plaintiff who fairly represents the class. In a data retention case against a border system operator, the “class” would typically be all individuals whose biometric data was collected and retained beyond the legal retention period. Defining that class can be straightforward (all travelers processed through System X between dates Y and Z) or complex (how do you identify individuals whose data was retained beyond the 3-year deadline if records are incomplete?). Courts generally allow these classes to be certified even when identifying individual class members requires data reconstruction, because companies are expected to maintain those records.
The advantage of class certification is that individual plaintiffs don’t have to prove they were harmed in a unique way; the violation is largely mechanical and documentable. Either the data was retained past the deadline or it wasn’t. However, not all BIPA cases win at class certification. Some courts have required individualized proof of consent, awareness of data collection, or actual injury, which can complicate certification. A comparison: a case alleging that a company unlawfully retained data for 4 years instead of 3 is typically easier to certify than a case alleging that a company collected data without proper consent, because the retention timeline is a single, provable fact that applies uniformly to all class members. In a hypothetical L1 case, if the company stored biometric data in a centralized system and the retention period is clearly documentable from system logs, class certification would likely be granted relatively quickly.
What Are Common Defenses and Limitations in Biometric Retention Cases?
Companies facing biometric data retention lawsuits typically raise several defenses, some stronger than others. The most common defense is that the company did destroy the data and has documentation to prove it; if the defendant can present credible deletion logs and audit trails, the case may be dismissed or significantly limited. Another defense is that the retention was justified by an ongoing legal hold, regulatory requirement, or business purpose that extended the retention timeline; if the company can show a court order or legitimate reason for extended retention, damages may be reduced. A third defense involves arguing that BIPA does not apply to the specific context—for instance, if data was collected and stored entirely outside Illinois by a foreign company with no Illinois contacts, BIPA might not reach it. However, this defense has weakened over time as courts have broadly interpreted BIPA’s scope.
One significant limitation in these cases is that BIPA does not require proof of actual harm or identity theft. A plaintiff doesn’t have to show that their biometric data was misused, sold, or breached; the violation is the retention itself, regardless of what happened to the data afterward. This makes these cases easier to litigate in some ways (fewer elements to prove) but also means settlements may be smaller than in cases involving actual fraud or theft. Another limitation is the statute of limitations: under BIPA, a claim must generally be filed within one year of discovery of a violation, or within one year of when a reasonable person should have discovered it. If a company’s unauthorized retention occurred years ago and only came to light recently, timing questions can arise about whether claims are barred. For a defense contractor operating border systems, the discovery trigger might be when the company announces a settlement, a government audit report, or a news story—which can extend the period during which new claims are filed.
What Do BIPA Settlements Typically Look Like?
Biometric privacy settlements vary widely, but certain patterns have emerged. Settlements typically include a monetary payment to the class (either a per-person payment if the class is manageable in size, or a claims-made fund if the class is very large), attorney’s fees (usually 25-33% of the settlement), claims administration costs, and often injunctive relief (court-ordered changes to the company’s data retention practices). In many border system or large-scale cases, the per-person payout ranges from $50 to $500, depending on the severity of the violation and the strength of the plaintiffs’ evidence. Some recent major settlements have exceeded $10 million, though smaller cases settle for $1-5 million. A key feature of these settlements is the claims process.
If the class cannot be accurately identified from company records (for instance, if deletion logs are incomplete), the settlement often includes a claims process where individuals must submit proof that they were processed through the system. This can reduce the actual payout to individual claimants, because not everyone eligible will file a claim. For a border system that processed millions of travelers, a settlement that is theoretically worth $100 million might pay out far less if only 10% of eligible individuals submit claims. Additionally, some settlements include ongoing monitoring or audits by a neutral third party, ensuring the company maintains proper data deletion protocols going forward. These injunctive components are often viewed as more valuable by consumer advocates than the monetary payout, because they prevent future violations.
What’s the Future of Biometric Data Retention Litigation?
Biometric privacy cases are expected to increase as more companies deploy facial recognition, fingerprint matching, and other biometric systems for identification purposes. Federal lawmakers have discussed creating a comprehensive federal biometric privacy law similar to BIPA, though no such law has passed yet. In the interim, BIPA remains the strongest biometric privacy statute in the U.S., and its application has expanded over time through litigation. Courts have shown a willingness to impose significant penalties on companies that fail to comply with retention requirements, viewing data security and privacy as increasingly important.
For companies like L1 Identity Solutions that operate large-scale biometric systems, the regulatory environment is tightening. Government agencies that deploy these systems are increasingly requiring documentation of data handling practices, retention schedules, and deletion procedures as a condition of contract renewal or expansion. Whether or not a specific lawsuit against L1 exists currently, the company and similar firms face ongoing pressure to maintain strict compliance with biometric data retention laws. As biometric technology becomes more prevalent in daily life—from border crossings to unlocking phones—the legal framework governing how that data is stored and destroyed will likely become even more stringent.