Securiti leads GigaOm's DSPM Vendor Evaluation with top ratings across technical capabilities & business value.

View

An Overview of Illinois Biometric Information Privacy Act (BIPA)

Published August 30, 2023 / Updated March 10, 2025

Author

Omer Imran Malik

Data Privacy Legal Manager, Securiti

FIP, CIPT, CIPM, CIPP/US

Listen to the content

1. Introduction

To safeguard the privacy and security of the biometric data belonging to its citizens, the State of Illinois passed the Biometric Information Privacy Act (BIPA) on October 3rd, 2008. BIPA is considered one of the US state's most stringent privacy regulations.

BIPA is one of the foundational privacy laws to address biometric data specifically. It has prompted other states to introduce bills of a similar nature or to include biometric data in their comprehensive data privacy data breach notification or data security laws.

2. Who Needs to Comply with the Law

2.1 Private Entities

BIPA only applies to private entities. A private entity is defined by Section 10 of the BIPA as any individual, partnership, corporation, limited liability company, organization, or other groups, regardless of how it is set up. A private entity does not include a State or local government agency. A private entity does not include any Court of Illinois, a court clerk, or a judge or justice.

2.2 Exceptions

There are certain significant exceptions granted for:

Financial Institutions (Section 25(c))

BIPA does not apply to financial institutions or affiliates of financial institutions governed by Title V of the federal Gramm-Leach-Bliley Act of 1999 and the regulations issued thereunder.

State Contractors (Section 25(e))

BIPA does not apply to contractors, subcontractors, or agents when they are engaged by a State agency or local government unit.

3. Definitions of Key terms

3.1 Biometric Information and Identifiers

According to Section 10 of BIPA, biometric information is “any information, regardless of how it is captured, converted, stored, or shared, based on an individual's biometric identifier used to identify an individual.”

Biometric Identifiers are further described in Section 10 as:

  • a retina or iris scan,
  • fingerprint,
  • voiceprint, or
  • scan of hand or
  • face geometry.

However, it is also important to note what BIPA excludes a lot of information from the definition of biometric information and biometric identifiers, such as:

  • Writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color;
  • Donated organs, tissues, or parts as defined in the Illinois Anatomical Gift Act or blood or serum stored on behalf of recipients or potential recipients of living or cadaveric transplants and obtained or stored by a federally designated organ procurement agency.
  • Biological materials regulated under the Genetic Information Privacy Act;
  • Information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996;
  • X-ray, roentgen process, computed tomography, MRI, PET scan, mammography, or other image or film of the human anatomy used to diagnose, prognose, or treat an illness or other medical condition or to further validate scientific testing or screening.

3.2 Confidential and Sensitive Information

Any personal information that can be used to uniquely identify an individual or an individual's account or property.

Examples of confidential and sensitive information include, but are not limited to:

  • Genetic marker,
  • Genetic testing information,
  • Unique identifier number to locate an account or property,
  • Account number,
  • PIN,
  • Passcode,
  • Driver's license number, or
  • Social security number.

3.3 Electronic Signature

Any electronic sound, symbol, or procedure that is logically connected to a record and that is carried out or accepted by a person with the intention of signing the record.

3.4 Written Release

Informed written consent, electronic signature, or, in the context of employment, a release executed by an employee as a condition of employment.

4. Obligations for Covered Entities Under BIPA

Under BIPA, covered entities are subject to a variety of obligations that fall into the following categories:

1. Written Retention and Destruction Policy of Biometric Information (Section 15(a))

When a covered entity is in possession of biometric data, it is required to create a public-accessible written policy that specifies a retention period and procedures for permanently erasing biometric data and identifiers when either:

  • Purpose limitation is met – the original intent behind gathering or obtaining such identifiers or data has been met; or
  • The retention period of 3 years has been met – within three years after the person's last contact with the private entity, whichever comes first.

2. Restrictions on Obtaining Biometric Information (Section 15(b))

No private entity shall obtain a person's or a customer's biometric identification or biometric information by collection, capture, purchase, receive through trade, or other means, unless:

  • Notice is provided
    • Written notice of the collection, storage, and use of the customer's or individual's biometric data or identification must be provided to them or their legally authorized representative.
    • The notice must also specify the purposes for which the covered entity is gathering, storing, and using the biometric data or identifier and how long it plans to keep it.
  • Consent (Written Release) is received
    • The covered business must obtain and record a written release from the customer/individual or his/her legally authorized representative before collecting, storing, or using the biometric information or identification.

3. Prohibition of profiteering from Biometric Information (Section 15(c))

BIPA prohibits a covered entity from profiting by selling, leasing, trading, or using a person's or customer's biometric information or identifiers.

4. Restrictions on Sharing Biometric Information (Section 15(d))

Any biometric information or identifiers that a person or customer provides to a covered entity cannot be disclosed, redisclosed, or otherwise distributed unless:

  • Data Subject Consent
    The person or person's legally appointed representative has given their approval to disclose the biometric information or identifier.
  • Completion of Financial Transaction
    The disclosure of the biometric information or identifier is required to complete a financial transaction authorized/requested by the person or individual or his/her legally authorized representative.
  • State of Federal Law Disclosure
    State/Federal law or a municipal ordinance requires the disclosure or redisclosure.
  • Warrant/Subpoena
    A legitimate warrant or subpoena issued by a court with the necessary jurisdiction requires disclosure.

5. Safeguarding Biometric Information (Section 15(e))

All biometric data and identifiers must be stored, transmitted, and kept confidential by meeting the following two standards of care:

  • Reasonable standard
    A reasonable standard of care within the covered entity’s industry; and
  • Similar to Confidential/Sensitive Information
    In a manner similar or more protective to what is provided for other confidential and sensitive information.

6. Penalties for Non-compliance

Covered entities which violate BIPA face the risk of facing the private right of action by affected persons or customers in a State Circuit Court or as a supplemental claim in Federal District Court.

Pursuant to the ruling of the Supreme Court of Illinois in Jorome Tims et al. v. Black Horse Carriers, Inc. [2023 IL 127801], the claims under BIPA are subject to five-year limitation period as prescribed under section 13-205 of the Illinois Code of Civil Procedure (735 ILCS 5/13-205).

Under the Private Right of Action (Section20), an affected victim may recover the following from the covered entity:

  • Negligent Violation
    Liquidated damages of $1,000 or actual damages, whichever is greater.
  • Intentional or Reckless Violation
    Liquidated damages of $5,000 or actual damages, whichever is greater.
  • Litigation costs
    Reasonable attorneys’ fees and costs, including expert witness fees and other litigation expenses.
  • Other reliefs
    Other relief, including an injunction, which the State or Federal Court deems appropriate.
    A private entity that repeatedly collects or obtains the same biometric identifier or information from the same person, commits a single violation, granting only one recovery to the aggrieved person.
    Moreover, a private entity that repeatedly discloses or rediscloses the same biometric information to the same recipient commits a single violation, granting the aggrieved person one recovery, regardless of the number of times the same biometric information is shared.

7. How an Organization Can Operationalize the Law

BIPA is one of the few laws in the country that grants the owners of biometric data a private right of action. For entities that employ biometric technology, BIPA is a risk in itself. Entities must comply with BIPA if they gather biometric information from Illinois residents for commercial use.

  • Examine all procedures for collecting, processing, storing, or transmitting any biometric data governed by BIPA or similar state or municipal laws.
  • Ensure your entity has clear written policies outlining the steps for collecting, storing, using, transmitting, and destroying biometric data, including deadlines.
  • Broadcast your biometric data policy to employees and stakeholders, including information about how such data will be safeguarded to protect individual privacy rights.
  • Obtain consent when collecting, processing, or sharing an individual’s biometric information.
  • Conduct risk assessments to ensure the necessary protections are in place.
  • Develop a company-wide biometric policy.
  • Train employees to ensure compliance with BIPA.

8. How can Securiti Help

As the world experiences a radical shift in the digital landscape, entities must become even more privacy-conscious of their operations and careful guardians of their consumers' data while automating privacy and security processes for speedy action.

Securiti uses the PrivacyOps architecture to provide end-to-end automation for businesses, combining reliability, intelligence, and simplicity. Securiti can assist you in complying with Biometric Information Privacy Act (BIPA) and other privacy and security standards worldwide. Examine how it functions. Request a demo right now.


Frequently Asked Questions (FAQs)

The BIPA law in Illinois refers to the Biometric Information Privacy Act. It regulates the collection and use of biometric information, such as fingerprints and facial scans, by private entities in Illinois.

The biometric and genetic information privacy acts in Illinois include the Biometric Information Privacy Act (BIPA), enacted in 2008, and the Genetic Information Privacy Act (GIPA), enacted in 1998 and meant to protect information about an individual's genetic material.

The Illinois Biometric Information Privacy Act (BIPA), passed on October 3rd, 2008, is a law that aims to protect individuals' biometric information from being collected, stored, or used without their informed consent. It introduces several obligations for covered entities along with a private right of action.

BIPA mandates that private entities establish policies and procedures governing the collection, use, disclosure, and storage of biometric identifiers and biometric data from individuals in Illinois.

Share
Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox

Videos
View More
Mitigating OWASP Top 10 for LLM Applications 2025
Generative AI (GenAI) has transformed how enterprises operate, scale, and grow. There’s an AI application for every purpose, from increasing employee productivity to streamlining...
View More
Top 6 DSPM Use Cases
With the advent of Generative AI (GenAI), data has become more dynamic. New data is generated faster than ever, transmitted to various systems, applications,...
View More
Colorado Privacy Act (CPA)
What is the Colorado Privacy Act? The CPA is a comprehensive privacy law signed on July 7, 2021. It established new standards for personal...
View More
Securiti for Copilot in SaaS
Accelerate Copilot Adoption Securely & Confidently Organizations are eager to adopt Microsoft 365 Copilot for increased productivity and efficiency. However, security concerns like data...
View More
Top 10 Considerations for Safely Using Unstructured Data with GenAI
A staggering 90% of an organization's data is unstructured. This data is rapidly being used to fuel GenAI applications like chatbots and AI search....
View More
Gencore AI: Building Safe, Enterprise-grade AI Systems in Minutes
As enterprises adopt generative AI, data and AI teams face numerous hurdles: securely connecting unstructured and structured data sources, maintaining proper controls and governance,...
View More
Navigating CPRA: Key Insights for Businesses
What is CPRA? The California Privacy Rights Act (CPRA) is California's state legislation aimed at protecting residents' digital privacy. It became effective on January...
View More
Navigating the Shift: Transitioning to PCI DSS v4.0
What is PCI DSS? PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards to ensure safe processing, storage, and...
View More
Securing Data+AI : Playbook for Trust, Risk, and Security Management (TRiSM)
AI's growing security risks have 48% of global CISOs alarmed. Join this keynote to learn about a practical playbook for enabling AI Trust, Risk,...
AWS Startup Showcase Cybersecurity Governance With Generative AI View More
AWS Startup Showcase Cybersecurity Governance With Generative AI
Balancing Innovation and Governance with Generative AI Generative AI has the potential to disrupt all aspects of business, with powerful new capabilities. However, with...

Spotlight Talks

Spotlight 11:29
Not Hype — Dye & Durham’s Analytics Head Shows What AI at Work Really Looks Like
Not Hype — Dye & Durham’s Analytics Head Shows What AI at Work Really Looks Like
Watch Now View
Spotlight 11:18
Rewiring Real Estate Finance — How Walker & Dunlop Is Giving Its $135B Portfolio a Data-First Refresh
Watch Now View
Spotlight 13:38
Accelerating Miracles — How Sanofi is Embedding AI to Significantly Reduce Drug Development Timelines
Sanofi Thumbnail
Watch Now View
Spotlight 10:35
There’s Been a Material Shift in the Data Center of Gravity
Watch Now View
Spotlight 14:21
AI Governance Is Much More than Technology Risk Mitigation
AI Governance Is Much More than Technology Risk Mitigation
Watch Now View
Spotlight 12:!3
You Can’t Build Pipelines, Warehouses, or AI Platforms Without Business Knowledge
Watch Now View
Spotlight 47:42
Cybersecurity – Where Leaders are Buying, Building, and Partnering
Rehan Jalil
Watch Now View
Spotlight 27:29
Building Safe AI with Databricks and Gencore
Rehan Jalil
Watch Now View
Spotlight 46:02
Building Safe Enterprise AI: A Practical Roadmap
Watch Now View
Spotlight 13:32
Ensuring Solid Governance Is Like Squeezing Jello
Watch Now View
Latest
View More
Databricks AI Summit (DAIS) 2025 Wrap Up
5 New Developments in Databricks and How Securiti Customers Benefit Concerns over the risk of leaking sensitive data are currently the number one blocker...
Inside Echoleak View More
Inside Echoleak
How Indirect Prompt Injections Exploit the AI Layer and How to Secure Your Data What is Echoleak? Echoleak (CVE-2025-32711) is a vulnerability discovered in...
What Is Data Risk Assessment and How to Perform it? View More
What Is Data Risk Assessment and How to Perform it?
Get insights into what is a data risk assessment, its importance and how organizations can conduct data risk assessments.
What is AI Security Posture Management (AI-SPM)? View More
What is AI Security Posture Management (AI-SPM)?
AI SPM stands for AI Security Posture Management. It represents a comprehensive approach to ensure the security and integrity of AI systems throughout the...
Beyond DLP: Guide to Modern Data Protection with DSPM View More
Beyond DLP: Guide to Modern Data Protection with DSPM
Learn why traditional data security tools fall short in the cloud and AI era. Learn how DSPM helps secure sensitive data and ensure compliance.
Mastering Cookie Consent: Global Compliance & Customer Trust View More
Mastering Cookie Consent: Global Compliance & Customer Trust
Discover how to master cookie consent with strategies for global compliance and building customer trust while aligning with key data privacy regulations.
View More
Key Amendments to Saudi Arabia PDPL Implementing Regulations
Download the infographic to gain insights into the key amendments to the Saudi Arabia PDPL Implementing Regulations. Learn about proposed changes and key takeaways...
Understanding Data Regulations in Australia’s Telecom Sector View More
Understanding Data Regulations in Australia’s Telecom Sector
Gain insights into the key data regulations in Australia’s telecommunication sector. Learn how Securiti helps ensure swift compliance.
Gencore AI and Amazon Bedrock View More
Building Enterprise-Grade AI with Gencore AI and Amazon Bedrock
Learn how to build secure enterprise AI copilots with Amazon Bedrock models, protect AI interactions with LLM Firewalls, and apply OWASP Top 10 LLM...
DSPM Vendor Due Diligence View More
DSPM Vendor Due Diligence
DSPM’s Buyer Guide ebook is designed to help CISOs and their teams ask the right questions and consider the right capabilities when looking for...
What's
New