To safeguard the privacy and security of the biometric data belonging to its citizens, the State of Illinois passed the Biometric Information Privacy Act (BIPA) on October 3rd, 2008. BIPA is considered one of the US state's most stringent privacy regulations.
BIPA is one of the foundational privacy laws to address biometric data specifically. It has prompted other states to introduce bills of a similar nature or to include biometric data in their comprehensive data privacy data breach notification or data security laws.
2. Who Needs to Comply with the Law
2.1 Private Entities
BIPA only applies to private entities. A private entity is defined by Section 10 of the BIPA as any individual, partnership, corporation, limited liability company, organization, or other groups, regardless of how it is set up. A private entity does not include a State or local government agency. A private entity does not include any Court of Illinois, a court clerk, or a judge or justice.
There are certain significant exceptions granted for:
Financial Institutions (Section 25(c))
BIPA does not apply to financial institutions or affiliates of financial institutions governed by Title V of the federal Gramm-Leach-Bliley Act of 1999 and the regulations issued thereunder.
State Contractors (Section 25(e))
BIPA does not apply to contractors, subcontractors, or agents when they are engaged by a State agency or local government unit.
3. Definitions of Key terms
3.1 Biometric Information and Identifiers
According to Section 10 of BIPA, biometric information is “any information, regardless of how it is captured, converted, stored, or shared, based on an individual's biometric identifier used to identify an individual.”
Biometric Identifiers are further described in Section 10 as:
- a retina or iris scan,
- voiceprint, or
- scan of hand or
- face geometry.
However, it is also important to note what BIPA excludes a lot of information from the definition of biometric information and biometric identifiers, such as:
- Writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color;
- Donated organs, tissues, or parts as defined in the Illinois Anatomical Gift Act or blood or serum stored on behalf of recipients or potential recipients of living or cadaveric transplants and obtained or stored by a federally designated organ procurement agency.
- Biological materials regulated under the Genetic Information Privacy Act;
- Information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996;
- X-ray, roentgen process, computed tomography, MRI, PET scan, mammography, or other image or film of the human anatomy used to diagnose, prognose, or treat an illness or other medical condition or to further validate scientific testing or screening.
3.2 Confidential and Sensitive Information
Any personal information that can be used to uniquely identify an individual or an individual's account or property.
Examples of confidential and sensitive information include, but are not limited to:
- Genetic marker,
- Genetic testing information,
- Unique identifier number to locate an account or property,
- Account number,
- Driver's license number, or
- Social security number.
3.3 Written Release
Informed written consent or, in the context of employment, a release executed by an employee as a condition of employment.
4. Obligations for Covered Entities Under BIPA
Under BIPA, covered entities are subject to a variety of obligations that fall into the following categories:
1. Written Retention and Destruction Policy of Biometric Information (Section 15(a))
When a covered entity is in possession of biometric data, it is required to create a public-accessible written policy that specifies a retention period and procedures for permanently erasing biometric data and identifiers when either:
- Purpose limitation is met – the original intent behind gathering or obtaining such identifiers or data has been met; or
- The retention period of 3 years has been met – within three years after the person's last contact with the private entity, whichever comes first.
2. Restrictions on Obtaining Biometric Information (Section 15(b))
No private entity shall obtain a person's or a customer's biometric identification or biometric information by collection, capture, purchase, receive through trade, or other means, unless:
- Notice is provided
- Written notice of the collection, storage, and use of the customer's or individual's biometric data or identification must be provided to them or their legally authorized representative.
- The notice must also specify the purposes for which the covered entity is gathering, storing, and using the biometric data or identifier and how long it plans to keep it.
- Consent (Written Release) is received
- The covered business must obtain and record a written release from the customer/individual or his/her legally authorized representative before collecting, storing, or using the biometric information or identification.
3. Prohibition of profiteering from Biometric Information (Section 15(c))
BIPA prohibits a covered entity from profiting by selling, leasing, trading, or using a person's or customer's biometric information or identifiers.
4. Restrictions on Sharing Biometric Information (Section 15(d))
Any biometric information or identifiers that a person or customer provides to a covered entity cannot be disclosed, redisclosed, or otherwise distributed unless:
- Data Subject Consent
The person or person's legally appointed representative has given their approval to disclose the biometric information or identifier.
- Completion of Financial Transaction
The disclosure of the biometric information or identifier is required to complete a financial transaction authorized/requested by the person or individual or his/her legally authorized representative.
- State of Federal Law Disclosure
State/Federal law or a municipal ordinance requires the disclosure or redisclosure.
A legitimate warrant or subpoena issued by a court with the necessary jurisdiction requires disclosure.
5. Safeguarding Biometric Information (Section 15(e))
All biometric data and identifiers must be stored, transmitted, and kept confidential by meeting the following two standards of care:
- Reasonable standardA reasonable standard of care within the covered entity’s industry; and
- Similar to Confidential/Sensitive InformationIn a manner similar or more protective to what is provided for other confidential and sensitive information.
5. Penalties for Non-compliance
Covered entities which violate BIPA face the risk of facing the private right of action by affected persons or customers in a State Circuit Court or as a supplemental claim in Federal District Court.
Under the Private Right of Action (Section20), an affected victim may recover the following from the covered entity:
- Negligent ViolationLiquidated damages of $1,000 or actual damages, whichever is greater.
- Intentional or Reckless ViolationLiquidated damages of $5,000 or actual damages, whichever is greater.
- Litigation costsReasonable attorneys’ fees and costs, including expert witness fees and other litigation expenses.
- Other reliefsOther relief, including an injunction, which the State or Federal Court deems appropriate.
6. How an Organization Can Operationalize the Law
BIPA is one of the few laws in the country that grants the owners of biometric data a private right of action. For entities that employ biometric technology, BIPA is a risk in itself. Entities must comply with BIPA if they gather biometric information from Illinois residents for commercial use.
- Examine all procedures for collecting, processing, storing, or transmitting any biometric data governed by BIPA or similar state or municipal laws.
- Ensure your entity has clear written policies outlining the steps for collecting, storing, using, transmitting, and destroying biometric data, including deadlines.
- Broadcast your biometric data policy to employees and stakeholders, including information about how such data will be safeguarded to protect individual privacy rights.
- Obtain consent when collecting, processing, or sharing an individual’s biometric information.
- Conduct risk assessments to ensure the necessary protections are in place.
- Develop a company-wide biometric policy.
- Train employees to ensure compliance with BIPA.
7. How can Securiti Help
As the world experiences a radical shift in the digital landscape, entities must become even more privacy-conscious of their operations and careful guardians of their consumers' data while automating privacy and security processes for speedy action.
Securiti uses the PrivacyOps architecture to provide end-to-end automation for businesses, combining reliability, intelligence, and simplicity. Securiti can assist you in complying with Biometric Information Privacy Act (BIPA) and other privacy and security standards worldwide. Examine how it functions. Request a demo right now.