10 January 2020
The Illinois Biometric Information Privacy Act (BIPA) regulates how companies collect, store, use, and share biometric information.
In the past few years, several companies have been taken to court for allegedly violating the BIPA. The Illinois courts treat this law very seriously and are prepared to enforce it against non-Illinois companies.
In this article, we will answer some key questions about the BIPA, help you understand how the law works and offer some practical information about how you can comply with it.
The BIPA is a short piece of law with significant implications. It safeguards the rights of Illinois residents, and so it applies to all companies operating in Illinois regardless of where they're based.
Biometric information is data derived from human characteristics. Biometrics involves collecting images or information from a person's unique physical features or behaviors and using them to identify them.
Businesses are increasingly using biometric information in the following contexts:
The BIPA regulates how businesses and other private organizations (of any size) use biometric information.
The BIPA recognises biometrics as among the most sensitive types of personal information. Unlike your credit card number or email address, you can't change biometric information. If your biometric information is compromised, it's compromised forever.
It provides rules about:
Violating the BIPA can leave your company open to private legal claims.
If you negligently violate the BIPA (i.e. through carelessness or ignorance), the injured party can take you to court. They can claim:
Actual damages - Any actual amount of money they have lost due to your actions.
For example, if you misplace their fingerprint data, and someone uses it to gain access to their bank account, you could be liable for any money that gets stolen.
If you intentionally or recklessly violate the BIPA, the injured party can claim:
You may also have to pay legal costs, and comply with any other order that the court deems appropriate.
It's also important to note that the Illinois Supreme Court determined that no actual harm needs to occur for a claim under the BIPA to succeed.
In other words, if you collect, store, or use an individual's biometric information unlawfully, this could be enough for them to sue you. They don't need to show that they have suffered any additional losses.
The BIPA does not affect the following laws:
If you comply with any of these laws, you must still comply with the BIPA, but if the BIPA conflicts with one of the laws above, you should disregard the BIPA.
Illinois residents have brought several high-profile lawsuits against companies alleged to have violated the BIPA.
For example, Illinois residents are bringing a class-action lawsuit against Facebook. The plaintiffs claim that Facebook unlawfully used biometric information in its "Tag Suggestions" feature. Facebook stands to lose billions if the claim succeeds.
Chicago company NorthShore University HealthSystem also faces a legal claim that it violated the BIPA. The company collected fingerprints to track when workers were "clocking in," allegedly without giving lawful notice of how and why it was using this data.
These cases are a reminder of how important it is to comply with this law.
Before we look at what you need to do to comply with the BIPA, you need to understand how the BIPA defines certain terms.
The BIPA distinguishes between "biometric information" and "biometric identifiers."
Under the BIPA, "biometric information" is "any information [...] based on an individual's biometric identifiers used to identify an individual."
Under the BIPA, "biometric identifiers" include:
Under the BIPA, biometric identifiers do not include:
Biometrics can also derive from medical data, such as from blood and tissue samples.
Under the BIPA, such data points are not biometric identifiers if certain other laws already regulate their use. These laws include:
The BIPA also defines another type of personal information called "confidential and sensitive information."
Confidential and sensitive information is "information that can be used to uniquely identify an individual or an individual's account or property," including (but not limited to):
The BIPA doesn't regulate how you use confidential and sensitive information. This is already covered by other laws and industry standards.
The BIPA requires that you treat biometric information with at least the same degree of care as you treat confidential and sensitive information.
The BIPA defines a "private entity" as any non-public legal entity, including individuals, businesses, and associations.
State and local government entities, courts, and judges are not private entities.
A "written release" is a way of obtaining permission to collect, store, and use biometric information. A written release can take two forms:
Now we're going to look at what you need to do to comply with the BIPA.
Note that where we use the term "individual," this means the person whose biometric information you have collected or wish to collect, or this person's representative.
Under the BIPA, a biometric identifier must be immediately destroyed following one of these two triggers (whichever occurs first):
You must comply with this rule unless you have a warrant or subpoena instructing you to retain the biometric identifiers.
The BIPA requires you to develop a policy that sets out your schedule for storing and destroying biometric information. You must make this policy publicly available (for example via your company's website).
The BIPA only specifies that your policy must disclose your schedule for destroying biometric information. But you could also disclose the other steps you take to comply with the BIPA.
Remember that biometric information is considered personal information under many privacy laws, including the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). You may also need to disclose your practices under these laws.
If you wish to collect an individual's biometric information or biometric identifiers, whether by collecting them directly from the individual or receiving them from someone else, you must first take these three steps:
Inform the individual of:
You may not share an individual's biometric information with a third party unless:
You may not sell biometric information or profit in any way from its disclosure.
You must apply a reasonable standard of care when storing, transmitting, and safeguarding biometric information. This standard of care may be relative to acceptable standards within your industry.
When storing, transmitting, and safeguarding biometric information, you must treat it with at least the same standard of care with which you treat confidential and sensitive information.
It's important to treat people's biometric information with respect. And as we've seen, the Illinois courts are ready to enforce this law against non-compliant companies.
If you collect biometric information from Illinois residents, or you're planning to do so, consider the following questions:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.