IDC Names Securiti a Worldwide Leader in Data PrivacyView
To safeguard the privacy and security of the biometric data belonging to its citizens, the State of Illinois passed the Biometric Information Privacy Act (BIPA) on October 3rd, 2008. BIPA is considered one of the US state's most stringent privacy regulations.
BIPA is one of the foundational privacy laws to address biometric data specifically. It has prompted other states to introduce bills of a similar nature or to include biometric data in their comprehensive data privacy data breach notification or data security laws.
BIPA only applies to private entities. A private entity is defined by Section 10 of the BIPA as any individual, partnership, corporation, limited liability company, organization, or other groups, regardless of how it is set up. A private entity does not include a State or local government agency. A private entity does not include any Court of Illinois, a court clerk, or a judge or justice.
There are certain significant exceptions granted for:
BIPA does not apply to financial institutions or affiliates of financial institutions governed by Title V of the federal Gramm-Leach-Bliley Act of 1999 and the regulations issued thereunder.
BIPA does not apply to contractors, subcontractors, or agents when they are engaged by a State agency or local government unit.
According to Section 10 of BIPA, biometric information is “any information, regardless of how it is captured, converted, stored, or shared, based on an individual's biometric identifier used to identify an individual.”
Biometric Identifiers are further described in Section 10 as:
However, it is also important to note what BIPA excludes a lot of information from the definition of biometric information and biometric identifiers, such as:
Any personal information that can be used to uniquely identify an individual or an individual's account or property.
Examples of confidential and sensitive information include, but are not limited to:
Informed written consent or, in the context of employment, a release executed by an employee as a condition of employment.
Under BIPA, covered entities are subject to a variety of obligations that fall into the following categories:
When a covered entity is in possession of biometric data, it is required to create a public-accessible written policy that specifies a retention period and procedures for permanently erasing biometric data and identifiers when either:
No private entity shall obtain a person's or a customer's biometric identification or biometric information by collection, capture, purchase, receive through trade, or other means, unless:
BIPA prohibits a covered entity from profiting by selling, leasing, trading, or using a person's or customer's biometric information or identifiers.
Any biometric information or identifiers that a person or customer provides to a covered entity cannot be disclosed, redisclosed, or otherwise distributed unless:
All biometric data and identifiers must be stored, transmitted, and kept confidential by meeting the following two standards of care:
Covered entities which violate BIPA face the risk of facing the private right of action by affected persons or customers in a State Circuit Court or as a supplemental claim in Federal District Court.
Pursuant to the ruling of the Supreme Court of Illinois in Jorome Tims et al. v. Black Horse Carriers, Inc. [2023 IL 127801], the claims under BIPA are subject to five-year limitation period as prescribed under section 13-205 of the Illinois Code of Civil Procedure (735 ILCS 5/13-205).
Under the Private Right of Action (Section20), an affected victim may recover the following from the covered entity:
BIPA is one of the few laws in the country that grants the owners of biometric data a private right of action. For entities that employ biometric technology, BIPA is a risk in itself. Entities must comply with BIPA if they gather biometric information from Illinois residents for commercial use.
As the world experiences a radical shift in the digital landscape, entities must become even more privacy-conscious of their operations and careful guardians of their consumers' data while automating privacy and security processes for speedy action.
Securiti uses the PrivacyOps architecture to provide end-to-end automation for businesses, combining reliability, intelligence, and simplicity. Securiti can assist you in complying with Biometric Information Privacy Act (BIPA) and other privacy and security standards worldwide. Examine how it functions. Request a demo right now.
The BIPA law in Illinois refers to the Biometric Information Privacy Act. It regulates the collection and use of biometric information, such as fingerprints and facial scans, by private entities in Illinois.
The biometric and genetic information privacy acts in Illinois include the Biometric Information Privacy Act (BIPA), enacted in 2008, and the Genetic Information Privacy Act (GIPA), enacted in 1998 and meant to protect information about an individual's genetic material.
The Illinois Biometric Information Privacy Act (BIPA), passed on October 3rd, 2008, is a law that aims to protect individuals' biometric information from being collected, stored, or used without their informed consent. It introduces several obligations for covered entities along with a private right of action.
BIPA mandates that private entities establish policies and procedures governing the collection, use, disclosure, and storage of biometric identifiers and biometric data from individuals in Illinois.
At Securiti, our mission is to enable enterprises to safely harness the incredible power of data and the cloud by controlling the complex security, privacy and compliance risks.
300 Santana Row
San Jose, CA 95128