Illinois Biometric Information Privacy Act (BIPA)

What is the Illinois Biometric Information Privacy Act?

The Illinois Biometric Information Privacy Act (BIPA) is a law that imposes requirements on businesses that collect or otherwise obtain biometric information, including fingerprints, retina scans, and facial geometric scans. Most often, employers seek to collect this information through biometric time clocks to keep track of employees’ hours. The law allows private individuals to bring suit and recover damages for violations.

What Businesses Are Subject to BIPA?

BIPA covers all private sector employers with employees in the state of Illinois that want to collect biometric information. However, this act does not apply to financial institutions subject to the Gramm-Leach-Bliley Act. Further, this act does not apply to contractors, subcontractors or agents of state or municipal government agencies.

What Does BIPA Require of Covered Businesses?

  • Develop and disclose their policies for usage and retention of biometric information. Such policy must inform the subject of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used.

  • Request and receive written consent from individuals before obtaining their biometric data.

  • A private entity in possession of biometric information must not disclose or disseminate a person’s biometric information unless:

    • The subject of biometric information consents to the disclosure
    • The disclosure completes a financial transaction requested or authorized by the subject of biometric information
    • The disclosure is required by state or federal law or municipal ordinance
    • The disclosure is required by law enforcement

  • A private entity in possession of biometric information is prohibited from selling, leasing, trading, or otherwise profiting from a person’s biometric information.

  • Maintain safeguards to protect biometric information in an entity’s possession; ensure that protective measures for biometric information are the same or more protective than the manner in which the entity protects other confidential and sensitive information

Who Enforces BIPA and What Are the Penalties for Non-Compliance?

Any person that is aggrieved by a violation of BIPA has the right of action in a State circuit court or the right to file a supplemental claim in a federal district court against an offending party. The courts decide the outcome. For negligent violations, individuals can recover the greater of $1,000 or their actual losses. For reckless violations, the baseline award increases to $5,000 per violation.

According to the Texas Bar Journal, since July 2017, more than 25 cases have been filed in state and federal courts in Illinois against video game companies, food product manufacturers, gas stations, and even restaurant chains (Wow Bao was sued over its use of facial scans to verify customer orders at self-service kiosks). And as more employers start to use timekeeping systems and security protocols that use biometric identifiers (such as fingerprints or facial scans), the employee/employer relationship will become a burgeoning legal battleground.

Image

Get the latest from Hyperproof

Stay ahead of the risk and compliance curve. Get the latest regulation updates and analysis, guidance on achieving continuous compliance, and exclusive opportunities. Sign up for Hyperproof's bimonthly newsletter.
Stay in-the-know