BIPA, or the Illinois Biometric Information Privacy Act, is one of the strictest and most controversial US laws, which was passed in 2008. Codified as 740 ILCS/14 and Public Act 095-994 it defines biometric data as sensitive and introduces measures aimed at protecting it from unauthorized collection, storage, and illegal use.
BIPA became the first U.S. state regulation related to biometric data. Texas, Washington, and other states soon followed Illinois and passed similar legislation:
- Michigan, 2017 Bill Text MI H.B. 5019
- New Hampshire, 2017 Bill Text NH H.B. 523 (amended and passed in 2018 as NH H.B. 523)
- Alaska, 2017 Bill Text AK H.B. 72
- Montana, 2017 Bill Text MT H.B. 518 Key BIPA Definitions
Now, let’s move on to the definitions of the principal terms under BIPA.
Key BIPA definitions
BIPA stipulates how “private entities” operating in Illinois must collect, use, and share “biometric information” and “biometric identifiers” (collectively referred to as “biometric data”). It also introduces security requirements and establishes penalties for their breach.
A “private entity” is any individual, partnership, corporation, limited liability company, association, or another organized group.
Exclusions: financial institutions subject to the Gramm-Leach-Bliley Act of 1999, governmental entities and agencies, and contractors to governmental entities or agencies.
“Biometric information” is any information, “regardless of how it is captured, converted, stored, or shared,” based on an individual’s biometric identifier used to identify an individual.
Exclusions: any other data.
A “biometric identifier” is a retina or iris scan, fingerprint, voiceprint, a hand scan, or a facial geometry scan. The law expressly excludes certain data elements from the definition of a “biometric identifier.”
Exclusions: writing samples, photographs, tattoo descriptions, information captured in a healthcare setting or under HIPAA, etc.
Key BIPA provisions
Apart from defining key terms related to biometric data, BIPA contains provisions that companies dealing with biometrics should comply with.
- An informed, authorized consent of an individual should be obtained prior to the collection of biometric data.
- Private entities are not allowed to “disclose, redisclose, or otherwise disseminate” biometric data without the informed authorized consent of its owner unless it’s required by law.
- Private entities can’t profit from the biometric data even if it has been permitted by the data owner.
- Private entities dealing with biometric data are obliged to develop a policy and introduce standards and schedules in relation to the handling, usage, and destruction of biometric data. This policy should be available to the public. No biometric data can be kept for longer than 3 years after the last interaction of the individual with the entity.
- Each BIPA violation may result in recovering actual and liquidated damages to the aggrieved individual.
So, how much will non-compliance with BIPA cost you?
A private right of action enables any aggrieved individual to receive liquidated or actual damages of $1,000. Actual damages for negligent BIPA violations can be up to $5,000, for intentional or reckless violations. This is all without mentioning the attorney’s fees.
Best practices of handling biometric data under BIPA
It’s high time all businesses put in place strong and flexible biometric privacy compliance programs. Below, you’ll find the basic steps you can start with to minimize the risk of receiving a class action suit for purported BIPA violations.
- Make sure that your company collects and stores biometric data, as defined under the Illinois legislation.
- Exclude any excessive data which is not needed to achieve your company’s and your customer’s goals.
- Establish a plan for the collection, storage, accessing, and destruction of biometric data and introduce relevant procedures.
- Amend your incident response form to inform your customers of the possible leak of biometric information.
- Implement security safeguards that cover all areas where this information may be stored – third-party vendors, backup files, devices, etc.
With more and more companies using biometric data to onboard their customers, regulators worldwide have set strict requirements on how this data can be collected and stored.
While laws like BIPA and the CCPA are federal laws that apply to only one state, in the future, the U.S. plans to create a national regulation with severe punishments for non-compliance that could reach $5,000 for a single violation.