Monday, June 20, 2022

Biometric Information Privacy Act:  Part One of a Four-Part Series

The Illinois Biometric Information Privacy Act (“BIPA”) was enacted in 2008 as the nation’s first state biometric information privacy law, addressing the growing use of biometric data (or “biometrics”) by private businesses and the risks inherent in that use.  Although personal information had been afforded statutory protections for some time, biometrics warranted special consideration for one reason: unlike a password, token or other user credential, which can be reissued if breached, a biometric cannot be changed.  From the individual’s perspective, a compromised biometric is compromised forever.

BIPA is fraught with risk for the uninformed or unprepared.  It provides a private right of action and statutory damages, and it therefore quickly became a favorite of plaintiffs’ class action counsel.  Courts continue to issue rulings interpreting various aspects of the Act, leaving both its day-to-day and its long-term impact in a state of flux.  Some basic principles, however, are likely to remain intact, and an understanding of them will be useful in any self-assessment of BIPA risk.

To make this more digestible, over the course of four articles we will discuss BIPA, its applicability, current and anticipated judicial trends, and action plans for assessing and mitigating your organization’s risks.  As every journey begins with a first step, this first article in the Series discusses the basic elements of BIPA, keeping in mind that the legislature, the judiciary or both can change even these basic tenets.  Keep in mind also that certain other states already have statutory protections for biometric data and may legislatively enhance those protections and the obligations that accompany such data.  Going forward, legislatures may act to provide an even broader scope of coverage and/or greater legal exposure for violations.

Biometric Identifiers

As currently interpreted by Illinois courts, a “biometric identifier” under BIPA is a set of measurements used to identify a person, while “biometric information” (the statute’s term for what this Series calls “biometric data”) is information derived from those measurements, however captured, converted, stored or shared, that is used to identify the individual.  BIPA itself defines a “biometric identifier” as a:

  •  Retina or iris scan
  •  Fingerprint
  •  Voiceprint
  •  Scan of face geometry
  •  Scan of hand geometry

As with most statutes that include a list of “covered” matters, BIPA also identifies certain types of data that are excluded from the definition of “biometric identifier” (although they may be protected otherwise, for example under HIPAA), including:

  •  Writing samples
  •  Written signatures
  •  Photographs
  •  Human biological samples used for valid scientific testing or screening
  •  Demographic data
  •  Tattoo descriptions
  •  Physical descriptions such as height, weight, hair color, or eye color
  •  Information captured or collected from a patient in a healthcare setting

Biometrics are likely more widely used than one would expect.  As authentication and access-control systems have matured, biometric identifiers can be found in a wide assortment of businesses and applications, such as:

  •  Time and attendance software for employees to clock in and out of work
  •  Banking
  •  Airport security
  •  Law enforcement and the Department of Homeland Security
  •  Healthcare
  •  Mobile phone access
  •  Building access
  •  Schools

Because of the inherent uniqueness of an individual’s biometric identifiers, the advantages of using biometric data are many, and include:

  •  Difficulty in faking or “cloning” biometric data (as opposed to passwords and other user credentials)
  •  Ease and convenience of use: the individual always has it with them
  •  Consistency: biometric identifiers are generally unchanging over the course of an individual’s life
  •  Nontransferability

The same permanence cuts the other way.  A password can be reset after a breach, but a stolen fingerprint or face-geometry template cannot, which is why the destruction and storage requirements discussed below carry such weight.

Five Requirements of BIPA

Once it is determined that your organization handles biometric data, fairly extensive obligations designed to safeguard that data apply.  Specifically, BIPA imposes five requirements upon private entities that handle biometric data:

1.  Notification/Destruction.  The notification provision requires that a private entity in possession of biometric data develop and make publicly available a written policy establishing a retention schedule and guidelines for permanently destroying the data.  The policy must provide for destruction of biometric data (i) once the initial purpose for collecting or obtaining the data has been satisfied, or (ii) within three years of the individual’s last interaction with the private entity, whichever occurs first.

2.  Consent.  The consent provision imposes three requirements that must be met before a private entity may collect, capture, purchase or otherwise obtain an individual’s biometric data: the entity must (i) inform the individual in writing that biometric data is being collected or stored; (ii) inform the individual in writing of the specific purpose of the collection and the length of term for which the biometric data will be collected, stored, and used; and (iii) receive a written release, executed by the individual whose biometric data is being collected.

3.  Ban on Profit.  The ban on profit provision prohibits any private entity in possession of biometric data from selling, leasing, trading, or otherwise profiting from an individual’s biometric data.

4.  Ban on Disclosure.  The disclosure ban forbids a private entity from disclosing or otherwise disseminating an individual’s biometric data except where the individual has consented to the disclosure, or where the disclosure completes a financial transaction requested or authorized by the individual.  BIPA also allows disclosure where required by state or federal law or municipal ordinance, or pursuant to a valid warrant or subpoena.

5.  Storage and Security Requirements.  The storage and security provision requires that a private entity in possession of biometric data (i) store, transmit, and protect it from disclosure using “the reasonable standard of care within the private entity’s industry,” and (ii) do so in “a manner that is the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.”  The second prong is a relative benchmark: whatever encryption, access-control and transport protections an entity already applies to its other confidential data set the floor for how it must treat biometric data.


This article has provided an overview of the key components of BIPA and its requirements.  With BIPA firmly in place, clearly applicable to a type of personal data that has become ubiquitous in everyday life, and carrying stringent obligations and severe penalties for non-compliance, businesses that do not first undertake to understand BIPA and develop the systems and oversight for proper use of biometric data may unknowingly put themselves at risk of violations.  Part II in this Series will examine where risks may arise and methods for mitigating them.