Guide to

Illinois Biometric Information Privacy Act (BIPA)

What are the State of Illinois privacy laws on biometric information?

In the State of Illinois, privacy laws governing biometric information are set out in the Illinois Biometric Information Privacy Act (BIPA). This law regulates how private entities collect, use, store, and share biometric identifiers such as fingerprints, retina or iris scans, voiceprints, and facial geometry, and it gives individuals a private right of action to sue for violations.

What is the Illinois Biometric Information Privacy Act?

The Illinois Biometric Information Privacy Act (BIPA) is the core State of Illinois privacy law governing biometric information. It imposes requirements on businesses that collect or otherwise obtain biometric identifiers and information, including fingerprints, retina or iris scans, voiceprints, and facial geometry scans. Most often, employers collect this data through biometric time clocks to track employees’ hours. The law also allows private individuals to bring suit and recover damages for violations.

What businesses are subject to BIPA?

BIPA covers all private sector employers with employees in the state of Illinois that want to collect biometric information. However, this act does not apply to financial institutions subject to the Gramm-Leach-Bliley Act. Further, this act does not apply to contractors, subcontractors or agents of state or municipal government agencies.

What does BIPA require of covered businesses?

Under this State of Illinois privacy law, covered businesses that collect biometric information must:

  • Develop and disclose written policies for the collection, use, storage, and retention of biometric information, including the specific purpose and length of time data will be used.
  • Request and receive written consent from individuals before obtaining their biometric data.
  • A private entity in possession of biometric information must not disclose or disseminate a person’s biometric information unless:
  • The subject of biometric information consents to the disclosure
  • The disclosure completes a financial transaction requested or authorized by the subject of biometric information
  • The disclosure is required by state or federal law or municipal ordinance
  • The disclosure is required by law enforcement
  • A private entity in possession of biometric information is prohibited from selling, leasing, trading, or otherwise profiting from a person’s biometric information.
  • Maintain safeguards to protect biometric information in an entity’s possession; ensure that protective measures for biometric information are the same or more protective than the manner in which the entity protects other confidential and sensitive information

Who enforces BIPA and what are the penalties for non- compliance?

Any person that is aggrieved by a violation of BIPA has the right of action in a State circuit court or the right to file a supplemental claim in a federal district court against an offending party. The courts decide the outcome. For negligent violations, individuals can recover the greater of $1,000 or their actual losses. For reckless violations, the baseline award increases to $5,000 per violation.

According to the Texas Bar Journal, since July 2017, more than 25 cases have been filed in state and federal courts in Illinois against video game companies, food product manufacturers, gas stations, and even restaurant chains (Wow Bao was sued over its use of facial scans to verify customer orders at self-service kiosks). And as more employers start to use timekeeping systems and security protocols that use biometric identifiers (such as fingerprints or facial scans), the employee/employer relationship will become a burgeoning legal battleground.

Illinois Biometric Privacy Information Act: Frequently Asked Questions

The Illinois Biometric Information Privacy Act (BIPA) sets stringent requirements for businesses and organizations that collect, store, and use biometric data, such as fingerprints, retina or iris scans, voiceprints, and facial recognition data. The key requirements under BIPA include:

  1. Informed consent: Before collecting any biometric data, entities must inform individuals in writing about the purpose and duration of data collection, storage, and usage. They must also obtain written consent from the individual.
  2. Publicly available policy: Entities must develop and make publicly available a written policy that outlines their retention schedule and guidelines for permanently destroying biometric data when the original purpose for collecting it has been satisfied or within three years of the individual’s last interaction with the entity, whichever comes first.
  3. Prohibition on profiting: BIPA prohibits entities from selling, leasing, trading, or otherwise profiting from an individual’s biometric data.
  4. Data security: Organizations are required to implement reasonable security measures to protect biometric data from unauthorized access, and they must handle the data with the same level of care as other sensitive information.

The statute of limitations for bringing a claim under the Illinois Biometric Information Privacy Act (BIPA) can vary depending on the nature of the violation. Generally, the statute of limitations is five years for claims related to unlawful collection, storage, and dissemination of biometric data. However, if the claim involves publication or disclosure of biometric data without consent, a one-year statute of limitations may apply. The uncertainty in these timelines has led to legal debates, but entities are advised to adhere strictly to BIPA’s requirements to mitigate the risk of litigation.

The Illinois Biometric Information Privacy Act (BIPA) prohibits several specific actions related to the handling of biometric data:

  1. Collection without consent: It is illegal to collect, capture, purchase, receive, or otherwise obtain a person’s biometric data without first informing them in writing and obtaining their written consent.
  2. Disclosure without consent: Entities are prohibited from disclosing, redistributing, or otherwise sharing biometric data without obtaining the individual’s consent or unless required by law.
  3. Profiting from biometric data: BIPA strictly prohibits the sale, lease, trade, or profit from an individual’s biometric data.
  4. Failure to implement adequate security measures: The act prohibits the storage of biometric data without implementing reasonable security measures to protect the data from unauthorized access and breaches.

The Illinois Biometric Information Privacy Act (BIPA) applies to private entities, including businesses, organizations, and individuals operating in Illinois, that collect, store, or use biometric data. This includes a wide range of industries such as technology companies, employers, healthcare providers, financial institutions, and retail businesses, among others. BIPA does not apply to state or local government agencies, financial institutions subject to the Gramm-Leach-Bliley Act, or entities covered by the Health Insurance Portability and Accountability Act (HIPAA).

The Illinois biometric privacy law applies to private entities operating in Illinois that collect, store, or use biometric data, but it generally does not apply to state or local government agencies or certain federally regulated financial and healthcare entities.

Under BIPA, the State of Illinois privacy law on biometric information, individuals can seek the following damages for violations:

  • Liquidated damages: $1,000 per negligent violation or $5,000 per intentional or reckless violation.
  • Actual damages: Additional compensation for actual losses, such as costs of security measures, loss of income, or emotional distress.
  • Attorneys’ fees and costs: Recovery of reasonable attorneys’ fees and litigation costs.
  • Injunctive relief: Court orders requiring the entity to destroy improperly collected data or change its practices to comply with BIPA.

A violation of the Illinois Biometric Information Privacy Act (BIPA) occurs when an entity fails to comply with the act’s requirements. This includes, but is not limited to:

  1. Collecting or storing biometric data without proper consent: If an entity collects, captures, or stores biometric data without first informing the individual in writing and obtaining their written consent, it constitutes a violation.
  2. Failing to implement a retention and destruction policy: Not having a publicly available policy that outlines the retention and destruction of biometric data is a violation.
  3. Unauthorized disclosure or sharing of biometric data: Sharing or disclosing biometric data without the individual’s consent, except in cases permitted by law, is a violation.
  4. Profiting from biometric data: Any attempt to sell, lease, trade, or profit from biometric data is a clear violation of BIPA.
  5. Inadequate security measures: Failing to implement reasonable security measures to protect biometric data from unauthorized access and breaches also constitutes a violation.

A biometric data breach under the Illinois Biometric Information Privacy Act (BIPA) can have significant consequences for both the entity responsible and the individuals affected:

  1. Legal action and financial penalties: Affected individuals may file lawsuits against the entity responsible for the breach. The entity could be liable for liquidated damages of $1,000 per negligent violation or $5,000 per intentional or reckless violation, plus actual damages, attorneys’ fees, and costs.
  2. Reputational damage: A data breach involving biometric information can severely damage an organization’s reputation, leading to loss of customer trust, potential loss of business, and long-term brand harm.
  3. Injunctive relief: Courts may issue orders requiring the entity to take specific corrective actions, such as enhancing security measures, destroying improperly collected data, or changing business practices.
  4. Increased scrutiny and compliance costs: Organizations may face increased scrutiny from regulators and may need to invest in enhanced security protocols, legal compliance measures, and ongoing monitoring to prevent future breaches.

These consequences underscore the importance of implementing robust security measures and adhering strictly to BIPA’s requirements to protect biometric data and avoid costly legal repercussions.

Hyperproof Makes Compliance Simple

Implement and maintain controls for the BIPA Security Policy

Easily manage BIPA Security Policy compliance with a clear UI that lays out all requirements

Centrally document, organize, and maintain your BIPA compliance efforts

Map controls to multiple regulatory standards

Automate evidence collection requests

Easily assess and prioritize risks

Ready to see
Hyperproof in action?

G2 Crowd Leader
G2 Crowd Best Estimated ROI
G2 Crowd Best Customer Support Enterprise
G2 Crowd Fastest Implementation
G2 Crowd Momentum Leader