BIPA, the Illinois Biometric Information Privacy Act, was passed in 2008 and is one of the strictest and most controversial biometric privacy laws in the US. Codified as 740 ILCS/14 and Public Act 095-994, it defines biometric data as sensitive and introduces measures aimed at protecting it from unauthorized collection, storage, and illegal use.
BIPA was the first U.S. state regulation governing biometric data. Texas, Washington, and other states soon followed Illinois and passed similar legislation.
Now, let’s move on to the definitions of the principal terms under BIPA.
BIPA stipulates how “private entities” operating in Illinois must collect, use, and share “biometric information” and “biometric identifiers” (collectively referred to as “biometric data”). It also introduces security requirements and establishes penalties for their breach.
A “private entity” is any individual, partnership, corporation, limited liability company, association, or any other organized group.
Exclusions: financial institutions subject to the Gramm-Leach-Bliley Act of 1999, governmental entities and agencies, and contractors to governmental entities or agencies.
“Biometric information” is any information, “regardless of how it is captured, converted, stored, or shared,” that is based on an individual’s biometric identifier and used to identify that individual.
Exclusions: any data not based on a biometric identifier.
A “biometric identifier” is a retina or iris scan, fingerprint, voiceprint, a hand scan, or a facial geometry scan. The law expressly excludes certain data elements from the definition of a “biometric identifier.”
Exclusions: writing samples, photographs, tattoo descriptions, information captured in a healthcare setting or under HIPAA, etc.
Apart from defining the key terms related to biometric data, BIPA contains provisions that companies handling biometrics must comply with.
So, how much will non-compliance with BIPA cost you?
A private right of action enables any aggrieved individual to recover liquidated damages of $1,000 or actual damages for a negligent BIPA violation, and up to $5,000 for an intentional or reckless violation. That is before attorney’s fees are counted.
It’s high time all businesses put in place strong and flexible biometric privacy compliance programs. Below, you’ll find the basic steps you can start with to minimize the risk of receiving a class action suit for purported BIPA violations.
With more and more companies using biometric data to onboard their customers, regulators worldwide have set strict requirements on how this data can be collected and stored.
While laws like BIPA and the CCPA are state laws that each apply to only one state, the U.S. plans to create a national regulation in the future, with severe penalties for non-compliance that could reach $5,000 for a single violation.