What is the Illinois Biometric Information Privacy Act (“BIPA”)?

The Illinois legislature passed the Biometric Information Privacy Act (“BIPA”) in 2008 in response to the growing use of biometrics in business and security screening. The legislature passed BIPA in part because it recognized that biometrics are unlike other unique identifiers used to access sensitive information. When compromised, identifiers such as email addresses, usernames, and passwords can all be changed by the user. In contrast, biometrics are biologically unique to the user and cannot be modified after they have been compromised. As a result, the user is at heightened risk: they have no recourse, and this form of identifier is potentially permanently compromised.

What are biometrics?

Biometrics can be defined as the statistical analysis of human characteristics (biological data and behavioral characteristics). Common examples of biological data biometrics include the measurement of fingerprints, iris patterns, and facial features. Biometrics related to behavioral characteristics often include typing rhythm, gait, signature, and voice.

BIPA distinguishes two aspects of biometrics: biometric identifier and biometric information.

According to BIPA, a "biometric identifier" is defined as a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Outside of this single sentence defining in the affirmative what constitutes a biometric identifier, BIPA provides numerous examples of what does not constitute a biometric identifier. For example, while signatures are generally considered biometrics outside of Illinois law, BIPA specifically excludes written signatures. BIPA also excludes tattoo descriptions, biometric identifiers regulated under certain federal laws, and information captured from a patient in a health care setting. A full list of excluded aspects can be found here.

According to BIPA, "biometric information" is any information, regardless of how it is captured, converted, stored, or shared, that is based on an individual's biometric identifier and used to identify that individual.

What are the Key Elements of BIPA?

  • Applies only to private entities; government entities are not covered.

  • Requires informed consent prior to collection. This includes informing an individual in writing that a biometric identifier or biometric information is being collected or stored. Additionally, the individual must be notified of the specific purpose and the duration for which the biometric identifier or biometric information is collected, stored, and used.

  • Limited disclosure, redisclosure, or dissemination rights. There are three instances in which biometric identifiers or biometric information may be disclosed. First, when the subject of the biometric identifier or biometric information consents to the disclosure or redisclosure. Second, when the disclosure or redisclosure completes a financial transaction requested or authorized by the subject of the biometric identifier or the biometric information.

  • Mandates protection obligations. A private entity in possession of a biometric identifier or biometric information must store it, transmit it, and protect it from disclosure using the reasonable standard of care within the private entity's industry. This standard must be the same as or more protective than the one the entity uses for its other confidential and sensitive information.

  • Mandates retention guidelines. Biometric identifiers and information must be destroyed when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual's last interaction with the private entity, whichever occurs first.

  • Private entities may not sell, lease, trade, or otherwise profit from biometric data.

What ways are biometrics commonly used?

Some businesses use time clocks containing biometric devices, which let employees clock in and out with a fingerprint or other biometric rather than an ID card or PIN code. Biometric time clocks may help eliminate time theft and ensure more accurate compliance with attendance policies.

One of the most common forms of biometric use is securing locations, such as buildings or the spaces within them, and items such as secure laptops, USB drives, and portable storage devices. This is typically done through fingerprint readers, hand geometry scanners, and facial recognition. Iris and retina scanners are often more expensive, and their use is generally justified only in locations that require a high security clearance.

What Liability may a company face for violating BIPA?

BIPA allows individuals to sue for violations directly. If successful, individuals may recover liquidated damages (damages that have a predetermined amount) of $1,000 for each negligent violation. For each intentional or reckless violation, BIPA provides recovery for successful litigants of liquidated damages of $5,000 or actual damages, whichever is greater.

BIPA currently makes it unlawful for private companies to use facial recognition technology to identify and track people without their consent. BIPA went largely unnoticed until 2015, when a series of class action lawsuits sparked an avalanche of litigation. This includes a February 2021 settlement in a case involving Facebook for $650 million. If you'd like to read the judge's decision, click here.

How can I minimize my risk from BIPA?

Data minimization is a universal principle for reducing the risks associated with privacy and data security. The principle of “data minimization” means that an entity collecting information about users should limit the collection of personal information to what is directly relevant and necessary to accomplish a specified purpose. Additionally, the entity should retain the data only for as long as is necessary to fulfill that purpose. First, this principle minimizes security risk exposure by limiting the amount of data that can be breached or accidentally leaked. Second, it minimizes administrative costs by reducing the training needed for employees who handle and respond to sensitive data. These benefits must be weighed against the private entity's potential uses of the data. As a result, private entities should carefully consider their current uses of personal information and their potential future needs.

Private entities should also regularly review their business processes to ensure that appropriate technical, administrative, and physical controls are in place to protect personal information. Examples of technical controls include security information and event management software and services, encryption, and automated deletion schedules. Private entities should also rigorously monitor administrative controls such as regular training on handling personal information, escalation procedures, and progressive discipline for employee policy violations. Finally, physical controls include building and computer access restrictions that protect stored information from unauthorized access by employees or outsiders.
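As an added illustration of the automated deletion schedule mentioned above (this is example code, not part of the original page or of any All Terms tooling), the following Python computes each record's destruction deadline under the retention element described earlier: the earlier of the date the initial purpose was satisfied and three years after the individual's last interaction. The record fields and sample dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

RETENTION_YEARS = 3  # BIPA: destroy within 3 years of the individual's last interaction


@dataclass
class BiometricRecord:
    """Hypothetical inventory entry for one stored biometric identifier."""
    record_id: str
    collected_on: date
    last_interaction: date
    purpose_satisfied_on: Optional[date]  # None while the stated purpose is still active


def add_years(d: date, years: int) -> date:
    """Add calendar years; Feb 29 falls back to Feb 28 in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def destroy_by(rec: BiometricRecord) -> date:
    """Deadline is whichever occurs first: purpose satisfied, or 3 years after last interaction."""
    deadline = add_years(rec.last_interaction, RETENTION_YEARS)
    if rec.purpose_satisfied_on is not None:
        deadline = min(deadline, rec.purpose_satisfied_on)
    return deadline


def records_due_for_destruction(records, today: date) -> list:
    """Return ids of records whose deadline has arrived; feed these to the deletion job."""
    return sorted(r.record_id for r in records if destroy_by(r) <= today)


# Constructed sample records (not real data)
SAMPLE_RECORDS = [
    # Purpose still active; deadline is 3 years after last interaction (2022-06-30)
    BiometricRecord("emp-001", date(2018, 3, 1), date(2019, 6, 30), None),
    # Purpose satisfied 2021-05-15, earlier than the 3-year mark, so that date governs
    BiometricRecord("emp-002", date(2020, 1, 15), date(2021, 5, 1), date(2021, 5, 15)),
    # Recent interaction; not yet due (deadline 2026-02-10)
    BiometricRecord("emp-003", date(2021, 9, 1), date(2023, 2, 10), None),
]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(r.record_id, "destroy by", destroy_by(r))
    print("due on 2023-06-01:", records_due_for_destruction(SAMPLE_RECORDS, date(2023, 6, 1)))
```

In practice the destruction job should also write an audit record of what was deleted and when, since the retention element is something a private entity may need to demonstrate later.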

About

All Terms is dedicated to helping all business types generate and maintain privacy compliance. Our tools were developed based on years of legal work assisting businesses with their privacy needs. We know that privacy compliance is an ongoing task. We've leveraged our experience to lower the costs of generating privacy documents by automating the generation process. Our years of experience in the legal field have exposed the limitations of having an attorney or a team of attorneys ensure accurate and continuous compliance. So we've leveraged technology to make sure that you have access to affordable, continuous, and available tools to maintain compliance.