Recent Illinois Lawsuit Highlights Ongoing Identity Verification and Biometric Privacy Concerns

In the ever-evolving landscape of data privacy, the importance of protecting individuals’ personal information, especially biometric data, has gained significant attention. Recently, a lawsuit in the state of Illinois has once again brought biometric privacy concerns to the forefront. This legal battle involves ID scanning provider TokenWorks and a well-known Illinois dispensary, PharmaCann, accused of violating the stringent regulations outlined in the Biometric Information Privacy Act (BIPA). The case underscores the complexities and challenges surrounding the collection, retention, and use of biometric data.

The Regulatory Landscape of Biometric Data Privacy

Illinois is among a handful of states in the U.S. that has implemented robust regulations to safeguard biometric data. Enacted in 2008, the Biometric Information Privacy Act (BIPA) is widely recognized as one of the strictest data protection laws of its kind. It requires companies to obtain explicit consent from individuals before collecting their biometric data, which includes information like fingerprints and facial scans. The law also mandates specific measures for securing and protecting such sensitive information. Moreover, BIPA empowers Illinois residents to file lawsuits against companies found to be in violation of these regulations.

The TokenWorks Case: Allegations and Implications

TokenWorks, a provider of ID verification software, has found itself entangled in a legal battle due to its involvement with a well-known cannabis dispensary, PharmaCann. The lawsuit, filed in Cook County circuit court, alleges that visitors to PharmaCann stores had their biometric data captured, collected, stored, and disseminated without their consent. Plaintiffs Christopher Koltas and Kyle Morrell contend that TokenWorks’ IDentiFake scanners were used to carry out these actions.

The heart of the matter lies in the assertion that TokenWorks’ scanners, which are primarily intended for identity verification, might have also collected biometric data for unauthorized purposes. This raises concerns about the extent to which biometric information is being harvested without individuals’ knowledge or explicit consent. Notably, the lawsuit claims that TokenWorks profited from PharmaCann’s utilization of its scanners, further emphasizing the potential implications of this alleged data mishandling.

Amazon’s Case: Insights into Biometric Privacy Disputes

The TokenWorks case is not an isolated incident in the realm of biometric privacy lawsuits. Another recent lawsuit involving Amazon sheds light on the challenges companies face when dealing with biometric data. In this case, Amazon faced accusations under BIPA for not adhering to its own policies regarding the storage of biometric identifiers. The plaintiffs contended that Amazon did not prioritize the security of biometric data in the same manner as other sensitive information. While the court dismissed one count of the complaint, it allowed the other count to proceed, underscoring the nuances in assessing alleged violations of biometric privacy regulations.

The Broader Implications

The Illinois lawsuit against TokenWorks and PharmaCann has broader implications beyond the immediate parties involved. It highlights the critical need for companies to handle biometric data with the utmost care and transparency. The evolving nature of technology, including the integration of biometric systems into various industries, calls for continuous vigilance in upholding individuals’ privacy rights.

The case also underscores the significance of Illinois’ Biometric Information Privacy Act (BIPA) as a benchmark for effective biometric data protection legislation. The law’s provisions, including the right for individuals to sue companies for non-compliance, have catalyzed a wave of legal actions against companies accused of mishandling biometric information. The impact of these lawsuits resonates well beyond the state’s borders, setting a precedent for biometric privacy regulations across the nation.


As technology continues to advance, the collection and utilization of biometric data present both promising opportunities and significant challenges. The recent Illinois lawsuit involving TokenWorks and PharmaCann serves as a reminder that the responsible use of biometric information requires adherence to rigorous privacy regulations and ethical standards. With Illinois’ Biometric Information Privacy Act (BIPA) as a guiding example, it is evident that the protection of biometric data is not only a legal obligation but also a crucial aspect of respecting individuals’ rights in the digital age.