Do you own your own fingerprints?

A series of plaintiffs are suing tech giants, including Facebook and Google, under a little-used Illinois law. The Biometric Information Privacy Act, passed in 2008, is one of the only statutes in the U.S. that sets limits on the ways companies can handle data such as fingerprints, voiceprints, and retinal scans. At least four of the suits filed under BIPA are moving forward. “These cases are important to scope out the existing law, perhaps point out places where the law could be improved, and set principles that other states might follow,” says Jeffrey Neuburger, a partner at law firm Proskauer Rose.

The bankruptcy of fingerprint-scanning company Pay By Touch spurred BIPA’s passage. Hundreds of Illinois grocery stores and gas stations used its technology, allowing customers to pay with the tap of a finger. As the bankrupt company proposed selling its database, the Illinois chapter of the American Civil Liberties Union drafted what became BIPA, and the bill passed with little corporate opposition, says Mary Dixon, legislative director of the Illinois ACLU.

Under the Illinois law, companies must obtain written consent from customers before collecting their biometric data. They also must declare a point at which they’ll destroy the data, and they must not sell it. BIPA allows for damages of $5,000 per violation. “Social Security numbers, when compromised, can be changed,” the law reads. “Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, [and] is at heightened risk for identity theft.”