Guide to the Illinois Biometric Information Privacy Act (BIPA)

What is the Illinois Biometric Information Privacy Act?

The Illinois Biometric Information Privacy Act (BIPA) is a law that imposes requirements on businesses that collect or otherwise obtain biometric information, including fingerprints, retina scans, and facial geometric scans. Most often, employers seek to collect this information through biometric time clocks to keep track of employees’ hours. The law allows private individuals to bring suit and recover damages for violations.

What businesses are subject to BIPA?

BIPA covers all private sector employers with employees in the state of Illinois that want to collect biometric information. However, this act does not apply to financial institutions subject to the Gramm-Leach-Bliley Act. Further, this act does not apply to contractors, subcontractors or agents of state or municipal government agencies.

What does BIPA require of covered businesses?

  • Develop and disclose their policies for the usage and retention of biometric information. Such a policy must inform the subject of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used.
  • Request and receive written consent from individuals before obtaining their biometric data.
  • A private entity in possession of biometric information must not disclose or disseminate a person’s biometric information unless:
    ◦ The subject of the biometric information consents to the disclosure
    ◦ The disclosure completes a financial transaction requested or authorized by the subject of the biometric information
    ◦ The disclosure is required by state or federal law or municipal ordinance
    ◦ The disclosure is required by law enforcement
  • A private entity in possession of biometric information is prohibited from selling, leasing, trading, or otherwise profiting from a person’s biometric information.
  • Maintain safeguards to protect biometric information in the entity’s possession, and ensure that the protective measures applied to biometric information are at least as protective as those the entity applies to its other confidential and sensitive information.

Who enforces BIPA and what are the penalties for non-compliance?

Any person aggrieved by a violation of BIPA has a right of action in a state circuit court, or may file a supplemental claim in a federal district court, against an offending party. The courts decide the outcome. For negligent violations, individuals can recover the greater of $1,000 or their actual losses. For reckless violations, the baseline award increases to $5,000 per violation.

According to the Texas Bar Journal, since July 2017, more than 25 cases have been filed in state and federal courts in Illinois against video game companies, food product manufacturers, gas stations, and even restaurant chains (Wow Bao was sued over its use of facial scans to verify customer orders at self-service kiosks). And as more employers start to use timekeeping systems and security protocols that use biometric identifiers (such as fingerprints or facial scans), the employee/employer relationship will become a burgeoning legal battleground.

Illinois Biometric Information Privacy Act: Frequently Asked Questions

The Illinois Biometric Information Privacy Act (BIPA) sets stringent requirements for businesses and organizations that collect, store, and use biometric data, such as fingerprints, retina or iris scans, voiceprints, and facial recognition data. The key requirements under BIPA include:

  1. Informed consent: Before collecting any biometric data, entities must inform individuals in writing about the purpose and duration of data collection, storage, and usage. They must also obtain written consent from the individual.
  2. Publicly available policy: Entities must develop and make publicly available a written policy that outlines their retention schedule and guidelines for permanently destroying biometric data when the original purpose for collecting it has been satisfied or within three years of the individual’s last interaction with the entity, whichever comes first.
  3. Prohibition on profiting: BIPA prohibits entities from selling, leasing, trading, or otherwise profiting from an individual’s biometric data.
  4. Data security: Organizations are required to implement reasonable security measures to protect biometric data from unauthorized access, and they must handle the data with the same level of care as other sensitive information.

The statute of limitations for bringing a claim under the Illinois Biometric Information Privacy Act (BIPA) can vary depending on the nature of the violation. Generally, the statute of limitations is five years for claims related to unlawful collection, storage, and dissemination of biometric data. However, if the claim involves publication or disclosure of biometric data without consent, a one-year statute of limitations may apply. The uncertainty in these timelines has led to legal debates, but entities are advised to adhere strictly to BIPA’s requirements to mitigate the risk of litigation.

The Illinois Biometric Information Privacy Act (BIPA) prohibits several specific actions related to the handling of biometric data:

  1. Collection without consent: It is illegal to collect, capture, purchase, receive, or otherwise obtain a person’s biometric data without first informing them in writing and obtaining their written consent.
  2. Disclosure without consent: Entities are prohibited from disclosing, redistributing, or otherwise sharing biometric data without obtaining the individual’s consent or unless required by law.
  3. Profiting from biometric data: BIPA strictly prohibits the sale, lease, trade, or profit from an individual’s biometric data.
  4. Failure to implement adequate security measures: The act prohibits the storage of biometric data without implementing reasonable security measures to protect the data from unauthorized access and breaches.

The Illinois Biometric Information Privacy Act (BIPA) applies to private entities, including businesses, organizations, and individuals operating in Illinois, that collect, store, or use biometric data. This includes a wide range of industries such as technology companies, employers, healthcare providers, financial institutions, and retail businesses, among others. BIPA does not apply to state or local government agencies, financial institutions subject to the Gramm-Leach-Bliley Act, or entities covered by the Health Insurance Portability and Accountability Act (HIPAA).

Under the Illinois Biometric Information Privacy Act (BIPA), individuals who have been subjected to violations can seek the following damages:

  1. Liquidated damages: Individuals can recover liquidated damages of $1,000 per violation if the violation is deemed negligent, or $5,000 per violation if it is found to be intentional or reckless.
  2. Actual damages: Individuals may also recover actual damages, which can include the cost of security measures, loss of income, or emotional distress, in addition to liquidated damages.
  3. Attorneys’ fees and costs: BIPA allows successful plaintiffs to recover reasonable attorneys’ fees and costs.
  4. Injunctive relief: Courts may also grant injunctive relief, requiring the violating entity to take specific actions, such as destroying improperly collected data or modifying their practices to comply with BIPA.

A violation of the Illinois Biometric Information Privacy Act (BIPA) occurs when an entity fails to comply with the act’s requirements. This includes, but is not limited to:

  1. Collecting or storing biometric data without proper consent: If an entity collects, captures, or stores biometric data without first informing the individual in writing and obtaining their written consent, it constitutes a violation.
  2. Failing to implement a retention and destruction policy: Not having a publicly available policy that outlines the retention and destruction of biometric data is a violation.
  3. Unauthorized disclosure or sharing of biometric data: Sharing or disclosing biometric data without the individual’s consent, except in cases permitted by law, is a violation.
  4. Profiting from biometric data: Any attempt to sell, lease, trade, or profit from biometric data is a clear violation of BIPA.
  5. Inadequate security measures: Failing to implement reasonable security measures to protect biometric data from unauthorized access and breaches also constitutes a violation.

A biometric data breach under the Illinois Biometric Information Privacy Act (BIPA) can have significant consequences for both the entity responsible and the individuals affected:

  1. Legal action and financial penalties: Affected individuals may file lawsuits against the entity responsible for the breach. The entity could be liable for liquidated damages of $1,000 per negligent violation or $5,000 per intentional or reckless violation, plus actual damages, attorneys’ fees, and costs.
  2. Reputational damage: A data breach involving biometric information can severely damage an organization’s reputation, leading to loss of customer trust, potential loss of business, and long-term brand harm.
  3. Injunctive relief: Courts may issue orders requiring the entity to take specific corrective actions, such as enhancing security measures, destroying improperly collected data, or changing business practices.
  4. Increased scrutiny and compliance costs: Organizations may face increased scrutiny from regulators and may need to invest in enhanced security protocols, legal compliance measures, and ongoing monitoring to prevent future breaches.

These consequences underscore the importance of implementing robust security measures and adhering strictly to BIPA’s requirements to protect biometric data and avoid costly legal repercussions.

Hyperproof Makes Compliance Simple

  • Implement and maintain controls for the BIPA Security Policy
  • Easily manage BIPA Security Policy compliance with a clear UI that lays out all requirements
  • Centrally document, organize, and maintain your BIPA compliance efforts
  • Map controls to multiple regulatory standards
  • Automate evidence collection requests
  • Easily assess and prioritize risks
