The Illinois Biometric Information Privacy Act (BIPA) regulates how companies collect, store, use, and share biometric information.
In the past few years, several companies have been taken to court for allegedly violating the BIPA. The Illinois courts treat this law very seriously and are prepared to enforce it against non-Illinois companies.
In this article, we will answer some key questions about the BIPA, help you understand how the law works and offer some practical information about how you can comply with it.
What is the Illinois Biometric Information Privacy Act?
The BIPA is a short piece of law with significant implications. It safeguards the rights of Illinois residents, and so it applies to all companies operating in Illinois regardless of where they're based.
What is Biometric Information?
Biometric information is data derived from human characteristics. Biometrics involves collecting images or information from a person's unique physical features or behaviors and using them to identify them.
Businesses are increasingly using biometric information in the following contexts:
- Maintaining security - For example, using biometric scanners to control access to premises, devices, and facilities
- Keeping track of employee behavior - For example, monitoring their attendance, punctuality, or completion of training
- Identifying users on mobile apps - Certain image processing technology uses biometric information to recognize individuals in photos
What is the Purpose of the BIPA?
The BIPA regulates how businesses and other private organizations (of any size) use biometric information.
The BIPA recognises biometrics as among the most sensitive types of personal information. Unlike your credit card number or email address, you can't change biometric information. If your biometric information is compromised, it's compromised forever.
It provides rules about:
- How long you may store biometric information
- What you need to do before you collect biometric information
- The conditions under which you may share biometric information
- The extent to which you must keep biometric information secure
Consequences of Violating the BIPA
Violating the BIPA can leave your company open to private legal claims.
If you negligently violate the BIPA (i.e. through carelessness or ignorance), the injured party can take you to court. They can claim:
- Damages of $1,000 per violation, or
Actual damages - Any actual amount of money they have lost due to your actions.
For example, if you misplace their fingerprint data, and someone uses it to gain access to their bank account, you could be liable for any money that gets stolen.
If you intentionally or recklessly violate the BIPA, the injured party can claim:
- Damages of up to $5,000 per violation, or
- Actual damages
You may also have to pay legal costs, and comply with any other order that the court deems appropriate.
It's also important to note that the Illinois Supreme Court determined that no actual harm needs to occur for a claim under the BIPA to succeed.
In other words, if you collect, store, or use an individual's biometric information unlawfully, this could be enough for them to sue you. They don't need to show that they have suffered any additional losses.
Laws that Take Precedence Over the BIPA
The BIPA does not affect the following laws:
If you comply with any of these laws, you must still comply with the BIPA, but if the BIPA contradicts with one of the laws above, you should disregard the BIPA.
Illinois residents have brought several high-profile lawsuits against companies alleged to have violated the BIPA.
For example, Illinois residents are bringing a class-action lawsuit against Facebook. The plaintiffs claim that Facebook unlawfully used biometric information in its "Tag Suggestions" feature. Facebook stands to lose billions if the claim succeeds.
Chicago company NorthShore University HealthSystem also faces a legal claim that it violated the BIPA. The company collected fingerprints to track what time workers were "clocking in" allegedly without giving lawful notice of how and why it was using this data.
These cases are an important reminder of how important it is to comply with this law.
Before we look at what you need to do to comply with the BIPA, you need to understand how the BIPA defines certain terms.
Biometric Information and Biometric Identifiers
The BIPA distinguishes between "biometric information" and "biometric identifiers."
Under the BIPA, "biometric information" is "any information [...] based on an individual's biometric identifiers used to identify an individual."
Under the BIPA, "biometric identifiers" include:
- Retina scan
- Iris scan
- Hand scan
- Face geometry scan
Under the BIPA, biometric identifiers do not include:
- Writing samples
- Written signatures
- Human biological samples used for valid scientific testing or screening
- Demographic data
- Tattoo descriptions
- Physical descriptions such as height, weight, hair color or eye color
Biometrics can also derive from medical data, such as from blood and tissue samples.
Under the BIPA, such data points are not biometric identifiers if certain other laws already regulate their use. These laws include:
- Illinois Anatomical Gift Act
- Genetic Information Privacy Act
- Health Insurance Portability and Accountability Act (HIPAA)
Confidential and Sensitive Information
The BIPA also defines another type of personal information called "confidential and sensitive information."
Confidential and sensitive information is "information that can be used to uniquely identify an individual or an individual's account or property," including (but not limited to):
- Genetic marker
- Genetic testing information
- ID number
- Driver's license number
- Social security number
The BIPA doesn't regulate how you use confidential and sensitive information. This is already covered by other laws and industry standards.
The BIPA requires that you treat biometric information with at least the same degree of care as you treat confidential and sensitive information.
The BIPA defines a "private entity" as any non-public legal entity, including individuals, businesses, and associations.
State and local government entities, courts, and judges are not private entities.
A "written release" is a way of obtaining permission to collect, store, and use biometric information. A written release can take two forms:
- A written statement of informed consent (electronic or physical)
- A release that must be executed by an employee as a condition of employment
Obligations Under the BIPA
Now we're going to look at what you need to do to comply with the BIPA.
Note that where we use the term "individual," this means the person whose biometric information you have collected or wish to collect, or this person's representative.
Storing Biometric Identifiers
Under the BIPA, a biometric identifier must be immediately destroyed following one of these two triggers (whichever occurs first):
- You no longer need the biometric identifier for the purpose for which you collected it
- Three years have passed since the individual's last interaction with your company
You must comply with this rule unless you have a warrant or subpoena instructing you to retain the biometric identifiers.
Creating a Biometric Information Policy
The BIPA requires you to develop a policy that sets out your schedule for storing and destroying biometric information. You must make this policy publicly available (for example via your company's website).
The BIPA only specifies that your policy must disclose your schedule for destroying biometric information. But you could also disclose the other steps you take to comply with the BIPA.
Remember that biometric information is considered personal information under many privacy laws, including the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). You may also need to disclose your practices under these laws.
Giving Notice and Obtaining Consent
If you wish to collect an individual's biometric information or biometric identifiers whether by collecting them from the individual directly or receiving them from someone else, you must first take these three steps:
- Inform the individual that you intend to collect, store, and use their biometric information
Inform the individual of:
- The reason for which you are collecting, storing, and using their biometric information, and
- How long you will be collecting, storing and using it
- Obtain a written release from the individual
Sharing Biometric Information
You may not share an individual's biometric information with a third party unless:
- The individual consents to you sharing their biometric information
- You're sharing the individual's biometric information to complete a transaction to which the individual has consented
- Sharing the biometric information is required by law
- You have received a court warrant or subpoena ordering you to share the biometric information
You may not sell biometric information or profit in any way from its disclosure.
Keeping Biometric Information Safe
You must apply a reasonable standard of care when storing, transmitting, and safeguarding biometric information. This standard of care may be relative to acceptable standards within your industry.
When storing, transmitting, and safeguarding biometric information, you must treat it with at least the same standard of care with which you treat confidential and sensitive information.
BIPA Compliance Checklist
It's important to treat people's biometric information with respect. And as we've seen, the Illinois courts are ready to enforce this law against non-compliant companies.
If you collect biometric information from Illinois residents, or you're planning to do so, consider the following questions: