1. Introduction
To safeguard the privacy and security of the biometric data belonging to its citizens, the State of Illinois passed the Biometric Information Privacy Act (BIPA) on October 3rd, 2008. BIPA is considered one of the US state's most stringent privacy regulations.
BIPA is one of the foundational privacy laws to address biometric data specifically. It has prompted other states to introduce bills of a similar nature or to include biometric data in their comprehensive data privacy data breach notification or data security laws.
2. Who Needs to Comply with the Law
2.1 Private Entities
BIPA only applies to private entities. A private entity is defined by Section 10 of the BIPA as any individual, partnership, corporation, limited liability company, organization, or other groups, regardless of how it is set up. A private entity does not include a State or local government agency. A private entity does not include any Court of Illinois, a court clerk, or a judge or justice.
2.2 Exceptions
There are certain significant exceptions granted for:
Financial Institutions (Section 25(c))
BIPA does not apply to financial institutions or affiliates of financial institutions governed by Title V of the federal Gramm-Leach-Bliley Act of 1999 and the regulations issued thereunder.
State Contractors (Section 25(e))
BIPA does not apply to contractors, subcontractors, or agents when they are engaged by a State agency or local government unit.
3. Definitions of Key terms
According to Section 10 of BIPA, biometric information is “any information, regardless of how it is captured, converted, stored, or shared, based on an individual's biometric identifier used to identify an individual.”
Biometric Identifiers are further described in Section 10 as:
- a retina or iris scan,
- fingerprint,
- voiceprint, or
- scan of hand or
- face geometry.
However, it is also important to note what BIPA excludes a lot of information from the definition of biometric information and biometric identifiers, such as:
- Writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color;
- Donated organs, tissues, or parts as defined in the Illinois Anatomical Gift Act or blood or serum stored on behalf of recipients or potential recipients of living or cadaveric transplants and obtained or stored by a federally designated organ procurement agency.
- Biological materials regulated under the Genetic Information Privacy Act;
- Information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996;
- X-ray, roentgen process, computed tomography, MRI, PET scan, mammography, or other image or film of the human anatomy used to diagnose, prognose, or treat an illness or other medical condition or to further validate scientific testing or screening.
Any personal information that can be used to uniquely identify an individual or an individual's account or property.
Examples of confidential and sensitive information include, but are not limited to:
- Genetic marker,
- Genetic testing information,
- Unique identifier number to locate an account or property,
- Account number,
- PIN,
- Passcode,
- Driver's license number, or
- Social security number.
3.3 Electronic Signature
Any electronic sound, symbol, or procedure that is logically connected to a record and that is carried out or accepted by a person with the intention of signing the record.
3.4 Written Release
Informed written consent, electronic signature, or, in the context of employment, a release executed by an employee as a condition of employment.
4. Obligations for Covered Entities Under BIPA
Under BIPA, covered entities are subject to a variety of obligations that fall into the following categories:
When a covered entity is in possession of biometric data, it is required to create a public-accessible written policy that specifies a retention period and procedures for permanently erasing biometric data and identifiers when either:
- Purpose limitation is met – the original intent behind gathering or obtaining such identifiers or data has been met; or
- The retention period of 3 years has been met – within three years after the person's last contact with the private entity, whichever comes first.
No private entity shall obtain a person's or a customer's biometric identification or biometric information by collection, capture, purchase, receive through trade, or other means, unless:
- Notice is provided
- Written notice of the collection, storage, and use of the customer's or individual's biometric data or identification must be provided to them or their legally authorized representative.
- The notice must also specify the purposes for which the covered entity is gathering, storing, and using the biometric data or identifier and how long it plans to keep it.
- Consent (Written Release) is received
- The covered business must obtain and record a written release from the customer/individual or his/her legally authorized representative before collecting, storing, or using the biometric information or identification.
BIPA prohibits a covered entity from profiting by selling, leasing, trading, or using a person's or customer's biometric information or identifiers.
Any biometric information or identifiers that a person or customer provides to a covered entity cannot be disclosed, redisclosed, or otherwise distributed unless:
- Data Subject Consent
The person or person's legally appointed representative has given their approval to disclose the biometric information or identifier.
- Completion of Financial Transaction
The disclosure of the biometric information or identifier is required to complete a financial transaction authorized/requested by the person or individual or his/her legally authorized representative.
- State of Federal Law Disclosure
State/Federal law or a municipal ordinance requires the disclosure or redisclosure.
- Warrant/Subpoena
A legitimate warrant or subpoena issued by a court with the necessary jurisdiction requires disclosure.
All biometric data and identifiers must be stored, transmitted, and kept confidential by meeting the following two standards of care:
- Reasonable standard
A reasonable standard of care within the covered entity’s industry; and
- Similar to Confidential/Sensitive Information
In a manner similar or more protective to what is provided for other confidential and sensitive information.
6. Penalties for Non-compliance
Covered entities which violate BIPA face the risk of facing the private right of action by affected persons or customers in a State Circuit Court or as a supplemental claim in Federal District Court.
Pursuant to the ruling of the Supreme Court of Illinois in Jorome Tims et al. v. Black Horse Carriers, Inc. [2023 IL 127801], the claims under BIPA are subject to five-year limitation period as prescribed under section 13-205 of the Illinois Code of Civil Procedure (735 ILCS 5/13-205).
Under the Private Right of Action (Section20), an affected victim may recover the following from the covered entity:
- Negligent Violation
Liquidated damages of $1,000 or actual damages, whichever is greater.
- Intentional or Reckless Violation
Liquidated damages of $5,000 or actual damages, whichever is greater.
- Litigation costs
Reasonable attorneys’ fees and costs, including expert witness fees and other litigation expenses.
- Other reliefs
Other relief, including an injunction, which the State or Federal Court deems appropriate.
A private entity that repeatedly collects or obtains the same biometric identifier or information from the same person, commits a single violation, granting only one recovery to the aggrieved person.
Moreover, a private entity that repeatedly discloses or rediscloses the same biometric information to the same recipient commits a single violation, granting the aggrieved person one recovery, regardless of the number of times the same biometric information is shared.
7. How an Organization Can Operationalize the Law
BIPA is one of the few laws in the country that grants the owners of biometric data a private right of action. For entities that employ biometric technology, BIPA is a risk in itself. Entities must comply with BIPA if they gather biometric information from Illinois residents for commercial use.
- Examine all procedures for collecting, processing, storing, or transmitting any biometric data governed by BIPA or similar state or municipal laws.
- Ensure your entity has clear written policies outlining the steps for collecting, storing, using, transmitting, and destroying biometric data, including deadlines.
- Broadcast your biometric data policy to employees and stakeholders, including information about how such data will be safeguarded to protect individual privacy rights.
- Obtain consent when collecting, processing, or sharing an individual’s biometric information.
- Conduct risk assessments to ensure the necessary protections are in place.
- Develop a company-wide biometric policy.
- Train employees to ensure compliance with BIPA.
8. How can Securiti Help
As the world experiences a radical shift in the digital landscape, entities must become even more privacy-conscious of their operations and careful guardians of their consumers' data while automating privacy and security processes for speedy action.
Securiti uses the PrivacyOps architecture to provide end-to-end automation for businesses, combining reliability, intelligence, and simplicity. Securiti can assist you in complying with Biometric Information Privacy Act (BIPA) and other privacy and security standards worldwide. Examine how it functions. Request a demo right now.