Risk Insight: Illinois Biometric Information Privacy Act (BIPA)
Senior Compliance Attorney
Over the past decade, the collection and use of biometric data has evolved as technology has continued to advance. While most state laws do not address the collection and use of biometric data, the State of Illinois has regulated the use of biometric data since 2008 through the Biometric Information Privacy Act (BIPA).
A recent decision from the Supreme Court of Illinois in Cothron v. White Castle System, Inc. clarified that a violation of BIPA can occur every time a private entity collects or discloses a biometric identifier or biometric information, not just the first time a private entity collects or discloses a biometric identifier or biometric information.
As result of the decision, private entities collecting or disclosing biometric identifiers or biometric information in violation of BIPA could face damages in the millions of dollars. Private entities in Illinois would be well served to review their obligations under BIPA to mitigate the risk of a potential lawsuit.
Who Must Comply with BIPA?
BIPA applies to all private entities who have operations within the State of Illinois. A private entity is any individual, partnership, corporation, limited liability company, association, or other group, however legally organized. BIPA does not apply to state or local government agencies and financial institutions or an affiliate of a financial institution that is subject to Title V of the Gramm-Leach-Bliley Act of 1999.
What Type of Data Does BIPA Protect?
For a private entity to comply with BIPA, they must first understand what type of biometric data BIPA applies to. BIPA’s requirements apply to biometric identifiers and biometric information both of which have special definitions.
Under BIPA, a biometric identifier is a:
- Retina or iris scan
- Scan of hand or face geometry
Biometric information is any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual.
What Does BIPA Require?
BIPA requires that private entities adopt policies and procedures dealing with the retention, destruction, collection, disclosure, and storage of biometric identifiers and biometric information from individuals in Illinois.
Retention and Destruction
A private entity that possesses biometric identifiers or biometric information from individuals in Illinois must develop a written policy which establishes a retention schedule and guidelines for the permanent destruction of biometric identifiers and information. Biometric identifier or biometric information must be destroyed when the initial purpose for collecting or obtaining the identifier or information has been satisfied or within 3 years of the individual’s last interaction with the private entity, whichever occurs first.
This policy must be available to the public. Unless under a court order not to, a private entity must comply with their established retention schedule and destruction guidelines.
Private entities that collect, capture, purchase, receive through trade, or otherwise obtain a person’s or customer’s biometric identifiers or biometric information in Illinois must:
- Inform the person/customer in writing that a biometric identifier or biometric information is being collected or stored;
- Inform the person/customer in writing of the specific purpose and length of term for which the biometric identifier or biometric information is being collected, stored, and used; and
- Receive a written release from the person/customer who is the subject of the biometric identifier or biometric information.
A private entity may not sell, lease, trade, or otherwise profit from a person’s or customer’s biometric identifier or biometric information collected in Illinois.
Private entities may not disclose, re-disclose, or otherwise disseminate a person’s or customer’s biometric identifier or biometric information collected in Illinois unless
- the subject of the biometric identifier or biometric information consents;
- the disclosure or disclosure of biometric identifier or biometric information completes a financial transaction that is requested or authorized by the subject of the biometric identifier or biometric information;
- the disclosure or re-disclosure is required by law; or
- the disclosure is required pursuant to a valid warrant or subpoena.
A private entity that possesses biometric identifiers or biometric information must store, transmit, and protect biometric identifiers or biometric information from disclosure using the reasonable standard of care within the entity’s industry. A private entity must also store, transmit, and protect biometric identifiers or biometric information from disclosure in a manner that is the same or more protective than how it stores, transmits, and protects other personal information that can be used to uniquely identify an individual or an individual’s account or property.
Consequences for Non-Compliance
Private entities that fail to comply with the requirements of BIPA are potentially at risk for thousands of dollars of damages for each violation of the law if they are sued. Damages included:
- $1,000, or actual damages, whichever is greater, for negligent violations;
- $5,000, or actual damages, whichever is greater, for intentional or reckless violations;
- Reasonable attorneys’ fees and costs, including expert witness fees and other litigation expenses; and
- Any other relief deemed appropriate by state or federal court.
Organizations in the State of Illinois who are required to comply with BIPA would be well served to review their current policies and procedures. Ensuring compliance with the law for the retention, destruction, collection, disclosure, and storage of biometric information and biometric identifiers will be key to avoiding unnecessary financial liabilities.
Please reach out to your M3 account executive with any questions.
This information should not be construed as legal advice. In all cases, employers should consult with their own legal counsel.